Day-to-day group buying (several vulnerabilities and fixes)

Author: Mind

Affected versions: Day-to-day Group Buying system

http://www.tttuangou.net/

Vulnerability type: file inclusion
 
Vulnerability description:
 
1. Local file inclusion

ajax.php:

    require_once MOD_PATH . $this->SetEvent($config['default_module']) . '.mod.php';

Now look at SetEvent():

    function SetEvent()
    {
        $modss = array('check' => 1, 'getseller' => 1, 'member' => 1);
        $mod = (isset($_POST['mod']) ? $_POST['mod'] : $_GET['mod']);
        if (!isset($modss)) { // the programmer is confused; I guess the boss hasn't paid the salary
            include(INCLUDE_PATH . 'error_4.php');
            exit;
        }
        $_POST['mod'] = $_GET['mod'] = $mod;
        return $mod;
    }

isset($modss) is always true, because the array was just defined on the line above, so the allowlist is never actually consulted and $mod goes straight into require_once. The remaining question is how to make the path end in mod.php.
2. Upload vulnerability

Look at modules\admin\tttuangou.mod.php (a back-end file):
 
    class ModuleObject extends MasterObject
    {
        var $city;

        function ModuleObject($config)
        {
            $this->MasterObject($config);
            Load::logic('product');
            $this->ProductLogic = new ProductLogic();
            Load::logic('pay');
            $this->PayLogic = new PayLogic();
            Load::logic('me');
            $this->MeLogic = new MeLogic();
            Load::logic('order');
            $this->OrderLogic = new OrderLogic();
            $this->config = $config;
            $this->ID = (int)($this->Post['id'] ? $this->Post['id'] : $this->Get['id']);
            $this->Execute();
        }

        // Fortunately, all of the user-defined functions above are actually defined.

        function Execute()
        {
            switch ($this->Code) {
                case 'varshow':
                    $this->Varshow();
                    break;
                case 'varedit':
                    // ... a bunch of cases omitted ...
                case 'dositelogo':
                    $this->doSiteLogoManager();

Now look at doSiteLogoManager():

        function doSiteLogoManager()
        {
            // ... irrelevant parts omitted ...
            $_FILES['uploads']['name'] = $FILES_O['uploads']['name'][$i];
            // ... omitted ...
            $default_type = array('jpg', 'pic', 'png', 'jpeg', 'bmp', 'gif');
            $imgary = explode('.', $_FILES['uploads']['name']);
            if (!in_array(strtolower($imgary[count($imgary) - 1]), $default_type)) {
                $this->Messager('This image format cannot be uploaded!');
            }
            // the suffix is restricted here
            $full_path = urldecode($this->Get['path']);
            $fp_ary = explode('/', $full_path);
            $file = $fp_ary[count($fp_ary) - 1];
            $dir = '';
            for ($i = 0; $i < count($fp_ary) - 1; $i++) {
                if ($fp_ary[$i] != '.') {
                    $dir .= $fp_ary[$i] . '/';
                }
            }
            $dir = './' . $dir; // o(╯□╰)o haha, tragedy: the path is user-defined, so a JPG can be uploaded straight into it
            require_once LIB_PATH . 'upload.han.php';
            $upload_handler = new UploadHandler($_FILES, $dir, 'uploads', true);
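The two weak spots in doSiteLogoManager() are that the directory is assembled from the caller's path (only "." segments are dropped, ".." is not) and that the extension check does not stop the upload when it fails. The following is an added example, not code from the tttuangou project, showing how a defender would rewrite those two pieces; the function names, the base directory and the sample inputs are assumptions.

```php
<?php
// Added example, not code from the tttuangou project: a hardened replacement
// for the path-building loop and the extension check in doSiteLogoManager().
// The function names, the base directory and the sample inputs are assumptions.

/**
 * Return true only if $filename ends in one of $allowed (case-insensitive).
 * The caller must stop on false; in the original the Messager() call was not
 * followed by a return, so processing continued regardless.
 */
function hasAllowedExtension($filename, array $allowed)
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

/**
 * Build an upload directory that is guaranteed to sit under $baseDir.
 * The original loop only dropped "." segments and then prefixed "./", so the
 * caller-supplied path decided where the file was written. This version
 * rejects "..", empty and oddly named segments, creates the directory under
 * the base, and re-checks the resolved path so a symlink cannot escape.
 * Returns the absolute directory, or null if the request must be refused.
 */
function resolveUploadDir($baseDir, $userPath)
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return null;
    }
    $clean = [];
    foreach (explode('/', str_replace('\\', '/', urldecode($userPath))) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;                       // harmless, drop it
        }
        if ($seg === '..' || !preg_match('/^[A-Za-z0-9_-]+$/', $seg)) {
            return null;                    // traversal or unexpected characters
        }
        $clean[] = $seg;
    }
    $target = $clean ? $base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $clean) : $base;
    if (!is_dir($target) && !mkdir($target, 0755, true)) {
        return null;
    }
    $real = realpath($target);
    if ($real === false || strpos($real . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                        // resolved outside the base
    }
    return $real;
}

// Demo with constructed inputs in a throw-away base directory (left behind in the temp dir).
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tttuangou_demo_' . getmypid();
mkdir($base, 0755, true);

foreach (['logo', 'img/2024', 'ok/./sub', '../etc', 'a/../../x', '%2e%2e/up', 'sub dir'] as $path) {
    $dir = resolveUploadDir($base, $path);
    printf("%-12s => %s\n", $path, $dir === null ? 'REFUSED' : $dir);
}

foreach (['logo.jpg', 'logo.PNG', 'logo.php', 'logo.jpg.php'] as $name) {
    $ok = hasAllowedExtension($name, ['jpg', 'jpeg', 'png', 'gif', 'bmp']);
    printf("%-14s => %s\n", $name, $ok ? 'ok' : 'rejected');
}
```

The first three paths resolve to directories under the base; the remaining four are refused, including the URL-encoded one, because the check runs after urldecode() just as the original did. Note that the extension check, like the original, only looks at the final suffix; it is a gate on the file name, not a check of the file's content.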
 
Two more include points were also found, though they are of little use.

modules\me.mod.php:

    function Readdmoney()
    {
        $pay_code = (isset($_POST['pay']) ? $_POST['pae'] : $_GET['pae']); // not filtered
        // ... omitted ...
        include_once('./modules/' . $pay_code . '.pay.php');

And index.mod.php:

    function Repay()
    {
        $pay_code = (isset($_POST['pay']) ? $_POST['pae'] : $_GET['pae']); // not filtered
        // ... also omitted ...
        include_once('./modules/' . $pay_code . '.pay.php');

Only three online-payment .pay.php files exist, however.
Once GPC is on, all of this is moot; only truncation with over-long strings remains.
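All three include points (the mod parameter in ajax.php, and pay_code in Readdmoney() and Repay()) have the same fix: the name must be checked against a fixed list of keys before it is concatenated into a path. The following is an added example, not code from the tttuangou project; the MOD_PATH-style arguments, the default module, the pay-code names and the sample requests are assumptions.

```php
<?php
// Added example, not code from the tttuangou project: an allowlist guard for
// the three dynamic include points above (ajax.php's mod parameter and the
// pay_code used by Readdmoney() and Repay()). The path arguments, the default
// module, the pay-code names and the sample requests are assumptions.

/**
 * Return $name if it is a key of $allowed, otherwise $fallback.
 * SetEvent() tested isset($modss), which is always true because the array was
 * just defined; the test has to be on the key, isset($modss[$mod]).
 */
function pickAllowed(array $allowed, $name, $fallback)
{
    if (!is_string($name) || !isset($allowed[$name])) {
        return $fallback;
    }
    return $name;
}

// Replacement for the SetEvent()/require_once pair in ajax.php.
function modulePath($modPath, array $request, $defaultModule)
{
    $modss = ['check' => 1, 'getseller' => 1, 'member' => 1]; // allowlist from the page
    $mod = isset($request['mod']) ? $request['mod'] : $defaultModule;
    $mod = pickAllowed($modss, $mod, $defaultModule);
    return $modPath . $mod . '.mod.php';   // only an allowlisted name can reach require_once
}

// Replacement for the unfiltered $pay_code in Readdmoney() and Repay().
function payModulePath(array $request)
{
    $payCodes = ['pay_a' => 1, 'pay_b' => 1, 'pay_c' => 1]; // placeholders for the three real .pay.php files
    $code = isset($request['pay']) ? $request['pay'] : null;
    $code = pickAllowed($payCodes, $code, null);
    return $code === null ? null : './modules/' . $code . '.pay.php';
}

// Constructed requests: one legitimate, two that must fall back or be refused.
$requests = [
    ['mod' => 'member',         'pay' => 'pay_b'],
    ['mod' => '../../other',    'pay' => '../config'],
    ['mod' => ['not-a-string'], 'pay' => ''],
];
foreach ($requests as $req) {
    $modName = is_array($req['mod']) ? 'array' : $req['mod'];
    printf("mod=%-14s -> %s\n", $modName, modulePath('modules/', $req, 'check'));
    $pay = payModulePath($req);
    printf("pay=%-14s -> %s\n", $req['pay'], $pay === null ? 'REFUSED' : $pay);
}
```

For the module include the guard falls back to the default module rather than erroring, matching what SetEvent() was evidently meant to do; for the payment include there is no sensible default, so an unknown code yields null and the caller should stop rather than include anything. Because the decision is made on array keys, neither path traversal nor string truncation tricks matter: a name either is one of the listed keys or it is not.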
