Dedecms local file inclusion and physical path leakage 0day

After dinner, take a look at the code for digestion. Recently, many dede holes have been discussed in the Php0day group, so I quickly got down and used editplus to search for several keywords and found some problems. (Editplus is also used to write code, which is small and convenient for many years)
The two files with vulnerabilities are:
Include/payment/alipay. php
Include/payment/yeepay. php
Vulnerabilities occur in the respond method. It is estimated that the two files are written by temporary workers.

Include/payment/alipay. php1. ...... 2 function respond () 3 {4 if (! Empty ($ _ POST) 5 {6 foreach ($ _ POST as $ key = & gt; $ data) 7 {8 $ _ GET [$ key] = $ data; 9} 10} 11/* introduce the configuration file */12 require_once DEDEDATA. '/payment /'. $ _ GET ['code']. '. php ';......

Around 133 rows, $ _ GET ['code'] is not judged or filtered.
Include/payment/yeepay. php

1 ...... 2 function respond () 3 {4 5/* introduce the configuration file */6 require_once DEDEDATA. '/payment /'. $ _ REQUEST ['code']. '. php '; 7 8 $ p1_MerId = trim ($ payment ['yp _ account']); 9 $ merchantKey = trim ($ payment ['yp _ key']);

......
About 145 rows, $ _ REQUEST ['code'] is not judged or filtered.
These two methods are called in the plus/carbuyaction. php file.
Plus/carbuyaction. php

1......2} else if ($dopost == 'return') { 3    $write_list = array('alipay', 'bank', 'cod', 'yeepay');4    if (in_array($code, $write_list)) 5    {6        require_once DEDEINC.'/payment/'.$code.'.php'; 7        $pay = new $code;8        $msg=$pay->respond(); 9        ShowMsg($msg, "javascript:;", 0, 3000);10        exit();  11    } else {12        exit('Error:File Type Can\'t Recognized!'); 13    }14} 15......

There are around 334 rows. When $ dopost is equal to return, the process starts. Familiar with dedecms, we all know that we use a mechanism similar to register_globals in include/common. inc. php.
Therefore, $ _ GET ['code'] or $ _ REQUEST ['code'] becomes $ code, and $ code is judged, the value must be within the $ write_list array so that the subsequent process can call the respond method to trigger the vulnerability. In this case, it seems that $ _ GET ['code'] cannot be controlled as any value.
Return to include/common. inc. php to see its mechanism.

1......2foreach(Array('_GET','_POST','_COOKIE') as $_request) 3{4    foreach($$_request as $_k => $_v) 5    {6        if($_k == 'nvarname') ${$_k} = $_v; 7        else ${$_k} = _RunMagicQuotes($_v);8    } 9}10......

In around 79 rows, we can see that the value is from the three global variables $ _ GET, $ _ POST, and $ _ COOKIE. Hey, be careful. In terms of this priority mechanism, he first obtains get, then post, and then cookie, that is, the final $ code will be based on the value of $ _ COOKIE ['code, what we need to control is $ _ GET ['code'] or $ _ REQUEST ['code']. Only the value of $ code must be within the $ write_list array. Exp: http://www.unhonker.com/plus/carbuyaction.php? Dopost = return & code = .. /.. the Exp above/tags contains the tags under the root directory. if the PHP file contains other suffixes, You need to construct the truncation by yourself. You need to add a cookie whose code is equal to alipay or yeepay during the exp test. Violent path:
Because the bank and cod files do not have the respond method, if the code is equal to the bank or cod, the paths will be exposed incorrectly. Note: do not perform the test illegally. The consequences are irrelevant to you.
 
Vulnerability Discovery Date: