### 简要描述

后台 admin/tag.inc.php 的标签"预览"功能把请求参数 tag_code 经简单处理后直接交给 `eval()` 执行，属于 PHP 代码执行（eval 注入）漏洞；登录后台的管理员可借此执行任意 PHP 代码，进而执行系统命令（如添加系统账户）。

### 详细说明

后台一处命令执行漏洞（本质是 PHP 代码执行），可添加系统账户。漏洞位于 admin/tag.inc.php 的 `case 'preview':` 分支。

触发前提：需要已登录后台并能访问该预览功能，即这是一个认证后（后台）漏洞；但由于 eval 执行的是任意 PHP 代码，拿到后台权限后即可直接获得 webshell 级别的控制，不依赖其他条件。

```
case 'preview':
$db->halt = 0;
$destoon_task = '';
if($tag_css) $tag_css = stripslashes($tag_css);
if($tag_html_s) $tag_html_s = stripslashes($tag_html_s);
if($tag_html_e) $tag_html_e = stripslashes($tag_html_e);
if($tag_code) $tag_code = stripslashes($tag_code);
if($tag_js) $tag_js = stripslashes($tag_js);
$code_eval = $code_call = $code_html = '';
if($tag_css) $code_eval .= '<style type="text/css">'."\n".''.$tag_css.''."\n".'</style>'."\n";
if($tag_html_s) $code_eval .= $tag_html_s."\n";
$code_call = $code_eval;
$code_call .= $tag_code."\n";
$tag_code = str_replace('<!--{', '', $tag_code);
$tag_code = str_replace('}-->', '', $tag_code);
if(strpos($tag_code, '",') !== false) {
$tag_code = str_replace(', '.$tag_expires.')', ', -1)', $tag_code);
} else {
$tag_code = str_replace('")', '", -1)', $tag_code);
}
$tag_code .= ';';
ob_start();
eval($tag_code);//eval直接执行1
$contents = ob_get_contents();
ob_clean();
$code_eval .= $contents."\n";
if($tag_html_e) {
$code_eval .= $tag_html_e;
$code_call .= $tag_html_e;
}
$t = str_replace('",', '&debug=1",', $tag_code);
ob_start();
eval($t);//eval直接执行2
$td = ob_get_contents();
ob_clean();
```

`eval()` 直接执行了参数 tag_code 以及由它派生的 `$t`。具体分析：

- `$tag_code` 在进入该分支前仅经过 `stripslashes()`，之后只做了几处 `str_replace`（去掉模板标记 `<!--{`、`}-->`，把过期时间参数改写为 `-1`），没有任何白名单、语法校验或对允许调用的函数名的限制；随后在末尾拼接 `;` 后被原样 `eval`。代码段本身未显示 `$tag_code` 的来源，从对它做 `stripslashes()` 的处理方式推断应为表单提交的请求参数。
- 第二处 `eval($t)` 执行的 `$t` 只是把 `$tag_code` 中的 `",` 替换为 `&debug=1",`，内容同样完全由攻击者控制，相当于 payload 被执行两次。
- 两处 eval 都包在 `ob_start()` / `ob_get_contents()` 里，执行输出会被当作预览内容返回给页面，因此命令执行结果可直接回显，无需盲打。
- 代码以 web 服务器进程的权限执行；能否进一步执行系统命令还取决于 `system`/`exec` 等函数是否被 `disable_functions` 禁用，下文截图表明目标环境未做此限制。

修复建议：预览功能不应 `eval` 用户提交的任意字符串。应只接受形如标签调用的受限输入（用严格的正则校验参数格式后再由程序自行拼装对标签函数的调用），或改为解析出参数后直接调用标签函数，彻底去掉对 `eval` 的依赖。

### 漏洞证明

1. 在 tag_code 中提交调用系统命令的 PHP 代码，执行 `net user`：

[![d1.jpg](https://images.seebug.org/upload/201407/052134188dac70cc4020c386f17862ccac011db4.jpg)](https://images.seebug.org/upload/201407/052134188dac70cc4020c386f17862ccac011db4.jpg)

2. 执行 `netstat -ano`：

[![d2.jpg](https://images.seebug.org/upload/201407/0521351363cc2dbfc7f22f281b109e4435e5c18c.jpg)](https://images.seebug.org/upload/201407/0521351363cc2dbfc7f22f281b109e4435e5c18c.jpg)

由于 eval 的输出直接回显到页面，该预览接口可以直接当作 webshell 使用。