In addition to page_edit.php, there is also an LFI loophole in post_edit.php.

page_edit.php, line 109:

```php
$index_file = '../mc-files/pages/index/'.$page_state.'.php';
require $index_file;
```

line 99:

```php
$data = array(
    'file' => $page_file,
    'path' => $page_path,
    'state' => $page_state,
    'title' => $page_title,
    'date' => $page_date,
    'time' => $page_time,
    'can_comment' => $page_can_comment,
);
```

The page editor serializes and encodes the incoming title, content, etc., and stores them in xxxxxx.dat.

So we can insert PHP statements in the .dat file, so that the file contains the structure RCE.
Note that this file contains the suffix .php.

When the conditions are met:

- PHP < 5.3.4
- magic_quotes_gpc=Off

At this time, we can use %00 truncation to bypass.
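
One way to harden the `require` at line 109, shown as an added example that is not the project's own code: resolve `$page_state` through a fixed allowlist and reject NUL bytes before building the path. The function name `resolve_index_file`, the state names in `ALLOWED_STATES` and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example, not the project's code. The state names are assumed;
// list the index files the install actually ships.
const ALLOWED_STATES = ['publish', 'draft', 'delete'];

/**
 * Map a request-supplied state to an index file, or return null.
 * $base_dir stands in for '../mc-files/pages/index/'.
 */
function resolve_index_file($page_state, $base_dir)
{
    // Reject non-strings (e.g. state[]=x) and embedded NUL bytes, which
    // truncate the path on PHP < 5.3.4 and drop the '.php' suffix.
    if (!is_string($page_state) || strpos($page_state, "\0") !== false) {
        return null;
    }
    // Strict allowlist comparison: traversal sequences, separators and
    // stream wrappers cannot match a fixed list of names.
    if (!in_array($page_state, ALLOWED_STATES, true)) {
        return null;
    }
    // Defence in depth: the resolved file must exist inside $base_dir.
    $base = realpath($base_dir);
    $file = realpath($base_dir . '/' . $page_state . '.php');
    if ($base === false || $file === false
        || strpos($file, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $file;
}

// Constructed demo: a throwaway directory holding one index file.
$dir = sys_get_temp_dir() . '/index_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/publish.php', "<?php // placeholder\n");

// Constructed inputs: one valid state, one with no file, three malformed.
$samples = ['publish', 'draft', "publish\0", '../publish', ['publish']];
foreach ($samples as $s) {
    $r = resolve_index_file($s, $dir);
    echo json_encode($s), ' => ', $r === null ? 'rejected' : 'accepted', "\n";
}
unlink($dir . '/publish.php');
rmdir($dir);
```

The caller would `require` the returned path only when it is not null. The same check applies to the equivalent include in post_edit.php.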