Author: Mind
Affected Versions: daily Group Buying System
http://www.tttuangou.net/
Vulnerability Type: File Inclusion
Vulnerability description:
1. Local file inclusion

ajax.php:

```php
require_once MOD_PATH . $this->SetEvent($config['default_module']) . '.mod.php';
```
Now look at SetEvent():

```php
function SetEvent()
{
    $modss = array('check' => 1, 'getseller' => 1, 'member' => 1);
    $mod = (isset($_POST['mod']) ? $_POST['mod'] : $_GET['mod']);
    if (!isset($modss)) { // The programmer was confused here; guess the boss hadn't paid the salary.
        include(INCLUDE_PATH . 'error_4.php');
        exit;
    }
    $_POST['mod'] = $_GET['mod'] = $mod;
    return $mod;
}
```

`isset($modss)` tests the array variable itself, not the requested key, so it is always true: the whitelist never rejects anything and `mod` goes straight into the include path.
The include path is forced to end in `.mod.php`, so the remaining question is how to get past that suffix.
2. Upload vulnerability

Look at modules\admin\tttuangou.mod.php (the admin backend file):
```php
class ModuleObject extends MasterObject
{
    var $city;

    function ModuleObject($config)
    {
        $this->MasterObject($config);
        Load::logic('product');
        $this->ProductLogic = new ProductLogic();
        Load::logic('pay');
        $this->PayLogic = new PayLogic();
        Load::logic('me');
        $this->MeLogic = new MeLogic();
        Load::logic('order');
        $this->OrderLogic = new OrderLogic();
        $this->config = $config;
        $this->ID = (int)($this->Post['id'] ? $this->Post['id'] : $this->Get['id']);
        $this->Execute();
    }
```
// Fortunately, all the above user-defined functions have been defined.
```php
    function Execute()
    {
        switch ($this->Code) {
            case 'varshow':
                $this->Varshow();
                break;
            case 'varedit':
                // ... a bunch of cases omitted
            case 'dositelogo':
                $this->doSiteLogoManager();
            // ...
        }
    }
```
Now look at doSiteLogoManager():
```php
    function doSiteLogoManager()
    {
        // ... some irrelevant lines omitted
        $_FILES['uploads']['name'] = $FILES_O['uploads']['name'][$i];
        // ... more omitted
        $default_type = array('jpg', 'pic', 'png', 'jpeg', 'bmp', 'gif');
        $imgary = explode('.', $_FILES['uploads']['name']);
        if (!in_array(strtolower($imgary[count($imgary) - 1]), $default_type)) {
            $this->Messager('This image format cannot be uploaded!');
        }
        // The suffix is restricted here
        $full_path = urldecode($this->Get['path']);
        $fp_ary = explode('/', $full_path);
        $file = $fp_ary[count($fp_ary) - 1];
        $dir = '';
        for ($i = 0; $i < count($fp_ary) - 1; $i++) {
            if ($fp_ary[$i] != '.') {
                $dir .= $fp_ary[$i] . '/';
            }
        }
        $dir = './' . $dir; // Haha, tragedy: the path is user-supplied, so a .jpg can be uploaded straight into any directory
        require_once LIB_PATH . 'upload.han.php';
        $upload_handler = new UploadHandler($_FILES, $dir, 'uploads', true);
        // ...
    }
```
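The defect above is that the extension check and the destination directory are decoupled: the suffix is restricted, but `$this->Get['path']` decides where the file lands. The following is an added example, not code from the tttuangou project, showing how that step is normally hardened: the extension is taken from the last dot-separated part only, the bytes must decode as the image type the extension claims, any request-supplied subdirectory is restricted to a strict character allow-list and then confirmed (via realpath) to sit under a fixed server-side root, and the server, not the client, chooses the file name. `UPLOAD_ROOT`, `safe_logo_target` and the demo inputs are assumptions; the allow-list is narrowed to the types `getimagesize()` reports a stable MIME for, so `pic` and `bmp` from the original list are dropped. Requires PHP 7 or later for `random_bytes()`.

```php
<?php
// Added example (not tttuangou project code): hardened path/extension handling
// for a logo upload. UPLOAD_ROOT and the function name are assumptions.

define('UPLOAD_ROOT', sys_get_temp_dir() . '/sitelogo_demo'); // fixed, server-side

/**
 * Return the absolute path to write the upload to, or throw RuntimeException.
 *   $client_name - $_FILES['uploads']['name']     (client-controlled)
 *   $tmp_path    - $_FILES['uploads']['tmp_name'] (PHP's temp file)
 *   $subdir      - optional request-supplied subdirectory (client-controlled)
 */
function safe_logo_target($client_name, $tmp_path, $subdir = '')
{
    $allowed = array('jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                     'png' => 'image/png',  'gif'  => 'image/gif');

    // Extension: last dot-separated part only, case-insensitive, and a failed
    // check aborts instead of continuing after a message.
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("extension '$ext' not allowed");
    }

    // Content: the bytes must decode as the image type the extension claims.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info['mime'] !== $allowed[$ext]) {
        throw new RuntimeException('content does not match a permitted image type');
    }

    // Subdirectory: strict character allow-list, so '..', '/', '\\' and NUL can
    // never reach the filesystem; then confirm the resolved directory is still
    // under UPLOAD_ROOT (defence in depth, e.g. against a stray symlink).
    if ($subdir !== '' && !preg_match('/^[a-z0-9_-]{1,32}$/', $subdir)) {
        throw new RuntimeException('invalid subdirectory name');
    }
    $dir = UPLOAD_ROOT . ($subdir === '' ? '' : '/' . $subdir);
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    $root = realpath(UPLOAD_ROOT);
    $real = realpath($dir);
    if ($root === false || $real === false || strpos($real . '/', $root . '/') !== 0) {
        throw new RuntimeException('upload directory escapes UPLOAD_ROOT');
    }

    // The server chooses the file name; nothing from the request is used.
    return $real . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
}

// ---- demo with a constructed 1x1 transparent GIF, not a real upload ----
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7'));

$cases = array(
    array('logo.gif',     ''),        // accepted
    array('logo.GIF',     'site1'),   // accepted: case-insensitive extension
    array('notes.php',    ''),        // rejected: extension
    array('logo.php.gif', '../../'),  // rejected: subdirectory
    array('logo.png',     ''),        // rejected: content is GIF, not PNG
);
foreach ($cases as $c) {
    try {
        echo $c[0], ' / ', var_export($c[1], true), ' -> ', safe_logo_target($c[0], $tmp, $c[1]), "\n";
    } catch (RuntimeException $e) {
        echo $c[0], ' / ', var_export($c[1], true), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
unlink($tmp);
```

Run it with `php upload_check.php`; the first two cases print a path under the temp directory and the other three print the rejection reason. The realpath containment test is the part that would have caught the original `$dir = './' . $dir` construction even if the character allow-list were later loosened.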
At the same time, two (less useful) inclusion points were also found.

modules\me.mod.php:
```php
function Readdmoney()
{
    $pay_code = (isset($_POST['pay']) ? $_POST['pae'] : $_GET['pae']); // not filtered
    // ...
    include_once('./modules/' . $pay_code . '.pay.php');
```
And the same in index.mod.php:
```php
function Repay()
{
    $pay_code = (isset($_POST['pay']) ? $_POST['pae'] : $_GET['pae']); // not filtered
    // ...
    include_once('./modules/' . $pay_code . '.pay.php');
```
There are only three `*.pay.php` online payment files.

With GPC on, the usual tricks are gone; only truncation by an over-long path remains.
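Every inclusion point on this page (`SetEvent()` in ajax.php, `Readdmoney()` in me.mod.php, `Repay()` in index.mod.php) has the same shape: a request parameter is concatenated into a `require`/`include` path with a fixed suffix, and the suffix is the only thing standing in the way. The following is an added example, not code from the tttuangou project, of the fix that removes the question of suffix truncation entirely: the request value is compared by strict equality against a fixed list of module names, and only a name from that list is ever joined into a path. `select_module`, `set_event_fixed`, `pay_module_path` and the `gateway_*` names are assumptions (the page does not name the three payment files; substitute their real base names).

```php
<?php
// Added example (not tttuangou project code): one allow-list helper for every
// "request parameter becomes part of an include path" site on this page.

/**
 * Return $candidate only if it is exactly one of $permitted, else $default.
 * Strict comparison: no type juggling, no prefix/suffix tricks, and nothing
 * taken from the request is ever concatenated into a path.
 */
function select_module($candidate, array $permitted, $default)
{
    if (!is_string($candidate)) {     // arrays (mod[]=x) and nulls are out
        return $default;
    }
    return in_array($candidate, $permitted, true) ? $candidate : $default;
}

// --- ajax.php: what SetEvent() should have done. The original tested
// isset($modss), which is always true; a key lookup was intended.
function set_event_fixed(array $request, $default_module)
{
    $permitted = array('check', 'getseller', 'member');
    $mod = isset($request['mod']) ? $request['mod'] : $default_module;
    return select_module($mod, $permitted, $default_module);
}

// --- me.mod.php / index.mod.php: the payment-module include.
function pay_module_path($pay_code)
{
    // Placeholder names: replace with the base names of the three real *.pay.php files.
    $permitted = array('gateway_a', 'gateway_b', 'gateway_c');
    $name = select_module($pay_code, $permitted, null);
    if ($name === null) {
        throw new RuntimeException('unknown payment module');
    }
    return './modules/' . $name . '.pay.php';
}

// ---- demo with constructed request values ----
$samples = array('member', 'MEMBER', "member\0", str_repeat('m', 4096), array('member'), '../other', null);
foreach ($samples as $s) {
    $label = is_string($s) ? substr(addcslashes($s, "\0"), 0, 12) : gettype($s);
    printf("mod=%-12s -> %s\n", $label, set_event_fixed(array('mod' => $s), 'check'));
}

echo pay_module_path('gateway_a'), "\n";
try {
    pay_module_path('gateway_a/../x');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Only the exact string `member` selects the member module; the upper-case, NUL-terminated, over-long, array and traversal variants all fall back to the default, so the magic_quotes_gpc state and the path-length behaviour of the PHP build stop mattering. The remaining risk in the original code is therefore not the suffix but the concatenation itself, and the helper removes that.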