### 简要描述:
RT
### 详细说明:
后台存在一处代码执行漏洞（eval 直接执行用户提交的代码），可借此执行系统命令、添加系统账户。
漏洞位于admin/tag.inc.php
```
case 'preview':
$db->halt = 0;
$destoon_task = '';
if($tag_css) $tag_css = stripslashes($tag_css);
if($tag_html_s) $tag_html_s = stripslashes($tag_html_s);
if($tag_html_e) $tag_html_e = stripslashes($tag_html_e);
if($tag_code) $tag_code = stripslashes($tag_code);
if($tag_js) $tag_js = stripslashes($tag_js);
$code_eval = $code_call = $code_html = '';
if($tag_css) $code_eval .= '<style type="text/css">'."\n".''.$tag_css.''."\n".'</style>'."\n";
if($tag_html_s) $code_eval .= $tag_html_s."\n";
$code_call = $code_eval;
$code_call .= $tag_code."\n";
$tag_code = str_replace('<!--{', '', $tag_code);
$tag_code = str_replace('}-->', '', $tag_code);
if(strpos($tag_code, '",') !== false) {
$tag_code = str_replace(', '.$tag_expires.')', ', -1)', $tag_code);
} else {
$tag_code = str_replace('")', '", -1)', $tag_code);
}
$tag_code .= ';';
ob_start();
eval($tag_code);//eval直接执行1
$contents = ob_get_contents();
ob_clean();
$code_eval .= $contents."\n";
if($tag_html_e) {
$code_eval .= $tag_html_e;
$code_call .= $tag_html_e;
}
$t = str_replace('",', '&debug=1",', $tag_code);
ob_start();
eval($t);//eval直接执行2
$td = ob_get_contents();
ob_clean();
```
eval 函数直接执行由请求参数 tag_code 拼接而成的代码，以及由其派生的 $t；上面的代码只做了 stripslashes 和 str_replace 替换，没有任何语法校验或白名单限制。修复方向：预览功能不应对用户提交的 tag_code 调用 eval，而应将标签解析为受限的、经过白名单校验的调用。
### 漏洞证明:
1.net user命令:
[<img src="https://images.seebug.org/upload/201407/052134188dac70cc4020c386f17862ccac011db4.jpg" alt="d1.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/052134188dac70cc4020c386f17862ccac011db4.jpg)
2.netstat -ano命令:
[<img src="https://images.seebug.org/upload/201407/0521351363cc2dbfc7f22f281b109e4435e5c18c.jpg" alt="d2.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201407/0521351363cc2dbfc7f22f281b109e4435e5c18c.jpg)
由此该功能可以当作 webshell 使用。