Small series recently found that the latest release of the Dream of the CMS, due to the negligence of the administrator easily exist remote include vulnerabilities, can Getshell
When the administrator has finished installing it, the index.php under its installation folder will be turned into index.php.bak and can be parsed
The problem of the existence of variable coverage under/install/index.php
Here we can see that rmurl can be controlled, $updateHost This parameter is controllable, the file is opened, and the contents are written.
/data/admin/config_ipdate.php is the source of this argument.
• The use of variable coverage makes $ypdatehost content controllable, resulting in $rmurl content pointing to resources that do not exist; $install _demo_name=. /data/admin/config_update.php the variable to this file, and writes empty content to the file through write ($p, $sql _content).
The Discovery program is now installed
We use install_demo_name this parameter to open this file, but do not give updatehost this parameter assignment, resulting in the acquisition failure
The file was emptied while getting failed
We write a pony on the local server.
The controllable parameters are executed remotely to our machine and a new file is generated shell.php
Shellcode is written
Getshell