1. Information disclosure (phpinfo information disclosure)
http://www.xxx.com/webmail/client/mail/index.php?module=test&action=info
phpinfo() information disclosure
The source code is as follows: WorldClient/html/client/mail/module/info.php
[php]
<?php
// Abort unless the PRELOAD_OK guard constant has been defined
if ( !defined( "PRELOAD_OK" ) )
{
    exit( "error" );
}
require_once( LIB_PATH."Mailbox.php" );
require_once( LIB_PATH."Widget.php" );
$Mailbox = Mailbox::getinstance( );
$Widget = Widget::getinstance( );
$Domain = Domain::getinstance( );
$email = get_session( "email" );
$user_id = get_session( "user_id" );
$domain_id = get_session( "domain_id" );
// Prints the full PHP configuration into the response
phpinfo( );
?>
[/php]
Exp: http://mail.0day5.com/webmail/client/mail/index.php?module=test&action=info
2. Information disclosure (phpinfo)
The file info.php is present in the web root….
URL: http://mail.0day5.com/webmail/info.php
3. Disclosure of the site's physical path
http://mail.0day5.com/webmail/customer/autoresp.php
http://mail.0day5.com/webmail/client/mail/index.php?module=operate&action=attach-packdown
4. Arbitrary file upload (getshell)
http://mail.0day5.com/webmail/client/mail/index.php?module=operate&action=attach-upload
In WorldClient/html/client/mail/module/o_attach.php:
[php]
if ( ACTION == "attach-upload" )
{
    if ( $_FILES )
    {
        $file_name = $_FILES['Filedata']['name'];
        $file_type = $_FILES['Filedata']['type'];
        $file_size = $_FILES['Filedata']['size'];
        $file_source = $_FILES['Filedata']['tmp_name'];
        $file_suffix = getfilenamesuffix( $file_name ); // take the extension from the client-supplied name
        $path_target = getusercachepath( );
        do
        {
            $file_id = makerandomname( );
            $file_target = $path_target.$file_id.".".$file_suffix;
        } while ( file_exists( $file_target ) );
        if ( !move_uploaded_file( $file_source, $file_target ) ) // no checks of any kind, the file is written directly....
        {
            dump_json( array(
                "status" => 0,
                "message" => el( "写入文件出错,请与管理员联系!", "" )
            ) );
        }
        $_SESSION[SESSION_ID]['attach_cache'][] = array(
            "id" => $file_id,
            "name" => $file_name,
            "type" => "1",
            "path" => $file_target,
            "size" => $file_size
        );
        dump_json( array(
            "status" => "1",
            "filename" => $file_name,
            "filesize" => $file_size,
            "file_id" => $file_id
        ) );
    }
}
[/php]
After the upload, the handler returns the location, e.g.
"file_id" => $file_id, which echoes back the name the uploaded file was stored under.
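For comparison, a hardened form of the attach-upload branch, written as an added example (it is not the vendor's code and not part of the original post). The names store_attachment_safely, ALLOWED_EXT and MAX_BYTES are hypothetical, the allow-list and size limit are constructed values, and getusercachepath() and dump_json() are assumed to behave as they do in the code above.

```php
<?php
// Added example: the client-supplied extension never reaches the stored
// file name. ALLOWED_EXT and MAX_BYTES are constructed values (assumptions).
const ALLOWED_EXT = ['txt', 'pdf', 'png', 'jpg', 'jpeg', 'gif', 'doc', 'docx', 'zip'];
const MAX_BYTES   = 20 * 1024 * 1024;

function store_attachment_safely(array $file, string $cacheDir): array
{
    // Reject failed uploads and paths that PHP did not create for this request.
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK
        || !is_uploaded_file($file['tmp_name'])) {
        return ['status' => 0, 'message' => 'upload failed'];
    }
    // Measure the temp file; do not trust the size reported in $_FILES.
    $size = filesize($file['tmp_name']);
    if ($size === false || $size > MAX_BYTES) {
        return ['status' => 0, 'message' => 'file too large'];
    }
    // The original name is kept only as display metadata and for the
    // allow-list check; basename() drops any path components.
    $displayName = basename($file['name']);
    $ext = strtolower(pathinfo($displayName, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return ['status' => 0, 'message' => 'file type not allowed'];
    }
    // Stored name = random id + fixed ".bin", so an uploaded "x.php" or
    // "x.php.jpg" is never saved under an extension the server executes.
    do {
        $fileId = bin2hex(random_bytes(16));
        $target = rtrim($cacheDir, '/') . '/' . $fileId . '.bin';
    } while (file_exists($target));

    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return ['status' => 0, 'message' => 'write error'];
    }
    chmod($target, 0640); // readable by the application, never executable
    return ['status' => 1, 'file_id' => $fileId,
            'filename' => $displayName, 'filesize' => $size, 'path' => $target];
}

// Inside the application the branch would reduce to (helpers from the page):
// dump_json( store_attachment_safely( $_FILES['Filedata'], getusercachepath() ) );
```

The cache directory should also sit outside the web root or have script execution disabled, so a stored attachment is only ever served back through the download handler.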
The exploit is as follows:
[php]