an LFI loophole in post_edit.php #38

Closed
jayus0821 opened this issue Dec 23, 2020 · 0 comments
Comments

@jayus0821

In addition to page_edit.php, there is also an LFI loophole in post_edit.php.

page_edit.php, line 109:

```php
// $page_state is taken from the request and concatenated into the include path unsanitised
$index_file = '../mc-files/pages/index/'.$page_state.'.php';
require $index_file;
```

line 99:

```php
$data = array(
    'file'        => $page_file,
    'path'        => $page_path,
    'state'       => $page_state,
    'title'       => $page_title,
    'date'        => $page_date,
    'time'        => $page_time,
    'can_comment' => $page_can_comment,
);

// include path built from the user-controlled $page_state (LFI sink)
$index_file = '../mc-files/pages/index/'.$page_state.'.php';

require $index_file;

$mc_pages[$page_path] = $data;

ksort($mc_pages);

file_put_contents($index_file,
    "<?php\n\$mc_pages=".var_export($mc_pages, true)."\n?>"
);

$data['content'] = $page_content;

// user-supplied title/content are serialized verbatim into the .dat file;
// $file_path = '../mc-files/pages/data/'.$_GET['file'].'.dat';
file_put_contents($file_path, serialize($data));

$succeed = true;
```

In the page editor, the incoming title, content, etc. are serialized, encoded and stored in xxxxxx.dat.
So we can insert PHP statements into the .dat file, so that the file inclusion gives RCE.
Note that the included file carries the suffix .php.
When the conditions are met:
php < 5.3.4
magic_quotes_gpc = Off
we can use %00 truncation to bypass it.

[screenshot omitted]

@bg5sbk bg5sbk closed this as completed in f8fc729 Jul 19, 2021
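The two sinks quoted above are a `require` whose path is built from `$page_state`, and a `file_put_contents` whose path is built from `$_GET['file']`. The following is an added example of how both can be hardened; it is not code from this project or from the commit that closed the issue. The function names, the directory arguments and the state names `draft`/`published` in the allow-list are assumptions made for the example. The key idea is that an include path should come from a fixed allow-list rather than from request data, and a user-supplied file name should be validated against a strict character class and then confined to the intended directory, which rejects `../` traversal and the `%00` (null byte) truncation the report relies on.

```php
<?php
// Added example, not the project's code. Hardening for the include path built from
// $page_state and the .dat path built from $_GET['file'] in page_edit.php/post_edit.php.
// Function names, directory arguments and the allow-listed state names are assumptions.
declare(strict_types=1);

// Only index files the application itself ships may ever be required (assumed names).
const ALLOWED_STATES = ['draft', 'published'];

/**
 * Hardened replacement for:  require '../mc-files/pages/index/'.$page_state.'.php';
 * The state is matched against a fixed allow-list with strict comparison, so "../",
 * a null byte, or any other attacker-chosen string can never select another file.
 */
function indexFileForState(string $state, string $indexDir): string
{
    if (!in_array($state, ALLOWED_STATES, true)) {
        throw new InvalidArgumentException('unknown page state');
    }
    return rtrim($indexDir, '/') . '/' . $state . '.php';
}

/**
 * Hardened replacement for:  $file_path = '../mc-files/pages/data/'.$_GET['file'].'.dat';
 * A strict character class rejects path separators, dots and null bytes, and the
 * resolved path is checked to sit under the real data directory as a second line of defence.
 */
function dataFileForName(string $name, string $dataDir): string
{
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid page file name');
    }
    $dir = realpath($dataDir);
    if ($dir === false) {
        throw new RuntimeException('data directory does not exist');
    }
    $path = $dir . DIRECTORY_SEPARATOR . $name . '.dat';
    if (strncmp($path, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        throw new RuntimeException('path escapes data directory');
    }
    return $path;
}

// --- Demonstration on constructed inputs (not taken from the report) ---
$tmp = sys_get_temp_dir() . '/mc-demo-' . getmypid();
mkdir($tmp . '/index', 0700, true);
mkdir($tmp . '/data', 0700, true);

$stateProbes = [
    'published',               // legitimate
    'draft',                   // legitimate
    "../../data/evil\0",       // traversal plus null-byte truncation attempt
    '../../../../etc/passwd',  // plain traversal
];
foreach ($stateProbes as $p) {
    try {
        echo 'state ', json_encode($p), ' -> ', indexFileForState($p, $tmp . '/index'), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'state ', json_encode($p), ' -> rejected: ', $e->getMessage(), "\n";
    }
}

$fileProbes = ['hello-world', "x\0.php", '../index/published', 'a/b'];
foreach ($fileProbes as $p) {
    try {
        echo 'file ', json_encode($p), ' -> ', dataFileForName($p, $tmp . '/data'), "\n";
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo 'file ', json_encode($p), ' -> rejected: ', $e->getMessage(), "\n";
    }
}
```

Run it with `php example.php`; the two legitimate states and `hello-world` resolve to paths under the temporary directories, while every probe containing `..`, `/` or a null byte is rejected before any path is built. Modern PHP (5.3.4 and later) already refuses include paths containing a null byte, which is why the report's truncation trick is gated on the old version, but traversal with `../` does not depend on that, so the allow-list and the character-class check are what actually close the hole.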