phpcms 2008 下载漏洞
漏洞文件download.phprequire dirname(__FILE__).'/include/common.inc.php';
$a_k = phpcms_auth($a_k, 'DECODE', AUTH_KEY); //注意!!
if(empty($a_k)) showmessage($LANG<'illegal_parameters'>);
parse_str($a_k);
if(isset($i)) $downid = intval($i);
if(!isset($m)) showmessage($LANG<'illegal_parameters'>);
if(empty($f)) showmessage('地址失效');
if(!$i || $m<0) showmessage($LANG<'illegal_parameters'>);
if(!isset($t)) showmessage($LANG<'illegal_parameters'>);
if(!isset($ip)) showmessage($LANG<'illegal_parameters'>);
$starttime = intval($t);
$fileurl = trim($f);
if(!$downid || empty($fileurl) || !preg_match("/<0-9>{10}/", $starttime) || !preg_match("/<0-9>{1,3}\.<0-9>{1,3}\.<0-9>{1,3}
\.<0-9>{1,3}/", $ip) || $ip != IP) showmessage($LANG<'illegal_parameters'>);
$endtime = TIME - $starttime;
if($endtime > 3600) showmessage('地址失效');
if($m) $fileurl = trim($s).trim($fileurl);
if(strpos($fileurl, '://'))//远程文件
{
header("Location: $fileurl");
}
else//本地文件
{
if($d == 0)
{
header("Location: ".SITE_URL.$fileurl);
}
else
{
$fileurl = file_exists($fileurl) ? stripslashes($fileurl) : PHPCMS_ROOT.$fileurl;//此处可能为物理路径
$filename = basename($fileurl);
if(preg_match("/^(<\s\S>*?)(<\x81-\xfe><\x40-\xfe>)(<\s\S>*?)/", $fileurl))//处理中文文件
{
$filename = str_replace(array("%5C", "%2F", "%3A"), array("\\", "/", ":"), urlencode($fileurl));
$filename = urldecode(basename($filename));
}
file_down($fileurl, $filename);
}
}
?>
function file_down($filepath, $filename = '')
{
if(!$filename) $filename = basename($filepath);
if(is_ie()) $filename = rawurlencode($filename); $filetype = fileext($filename);
$filesize = sprintf("%u", filesize($filepath));
if(ob_get_length() !== false) @ob_end_clean();
header('Pragma: public');
header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Cache-Control: pre-check=0, post-check=0, max-age=0');
header('Content-Transfer-Encoding: binary');
header('Content-Encoding: none');
header('Content-type: '.$filetype);
header('Content-Disposition: attachment; filename="'.$filename.'"');
header('Content-length: '.$filesize);
readfile($filepath);
exit;
此贴转载
其实$i,$m,$f,$ip等都是地址栏的参数没有过滤(在down.php中可以看到)由parse_str($a_k)解释后得到的,又由于$a_k是经phpcms_auth
($a_k, 'DECODE', AUTH_KEY)解密后才能得到参数,但我本地测试构造$a_k变量的加密值不成功就换了个方法,把$a_k构造成不存在的参数然后
下面的$i,$m,$f,$ip我就直接从地址栏中添加!
页:
[1]