### Brief description:

An obvious local file inclusion.

### Detailed description:

File: install.php

```php
// If we've been passed a default language, use it
$install_lang = isset($_REQUEST['install_lang']) ? pun_trim($_REQUEST['install_lang']) : 'English';

// If such a language pack doesn't exist, or isn't up-to-date enough to translate this page, default to English
if (!file_exists(PUN_ROOT.'lang/'.$install_lang.'/install.php'))
	$install_lang = 'English';

require PUN_ROOT.'lang/'.$install_lang.'/install.php';

if (file_exists(PUN_ROOT.'config.php'))
{
	// Check to see whether FluxBB is already installed
	include PUN_ROOT.'config.php';

	// If we have the 1.3-legacy constant defined, define the proper 1.4 constant so we don't get an incorrect "need to install" message
	if (defined('FORUM'))
		define('PUN', FORUM);

	// If PUN is defined, config.php is probably valid and thus the software is installed
	if (defined('PUN'))
		exit($lang_install['Already installed']);
} // ... (the rest of install.php is not reproduced in this report)
```

Clearly `$install_lang` is subject to a local file inclusion vulnerability, and install.php is not removed automatically once installation has finished.

The function `pun_trim`:

```php
function pun_trim($str, $charlist = false)
{
	return is_string($str) ? utf8_trim($str, $charlist) : '';
}
```

Following into `utf8_trim`:

```php
function utf8_trim($str, $charlist = false)
{
	if ($charlist === false)
		return trim($str);

	return utf8_ltrim(utf8_rtrim($str, $charlist), $charlist);
}
```

So `pun_trim($_REQUEST['install_lang'])` ultimately reduces to `trim($_REQUEST['install_lang'])`, which has no effect on exploitability.

### Proof of vulnerability:

[![1.jpg](https://images.seebug.org/upload/201309/270052332d473be9798f75d4b12221f94a042bec.jpg)](https://images.seebug.org/upload/201309/270052332d473be9798f75d4b12221f94a042bec.jpg)
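The root cause above is that a request value is concatenated straight into the path of a `require`, and the `file_exists()` guard only confirms that *some* file exists at the resulting path, not that the path stays under `lang/`. The following is an added example of the defensive pattern, not FluxBB's own code: the request value is used only as a key into an allowlist built from the directories actually present under `lang/`, and the resolved path is confirmed to lie inside that directory before it is included. `available_language_packs` and `resolve_install_lang` are hypothetical helper names; the `PUN_ROOT.'lang/<name>/install.php'` layout is taken from the report.

```php
<?php
// Added example, not FluxBB code: allowlist-based selection of the install language pack.
// Assumes the layout from the report: PUN_ROOT . 'lang/<name>/install.php'.

define('PUN_ROOT', __DIR__ . '/');

/**
 * Return the language packs actually present under $lang_dir.
 * Only plain identifier-style directory names are accepted, so a value
 * containing "/", "\", "." or a NUL byte can never appear in the list.
 */
function available_language_packs($lang_dir)
{
	$packs = array();
	$entries = @scandir($lang_dir);
	if ($entries === false)
		return $packs;

	foreach ($entries as $entry)
	{
		if (!preg_match('/^[A-Za-z][A-Za-z0-9_]*$/', $entry))
			continue;
		if (is_file($lang_dir . $entry . '/install.php'))
			$packs[] = $entry;
	}
	return $packs;
}

/**
 * Map the requested language onto a known pack, falling back to English.
 * The request value is compared against the allowlist; it is never used
 * to build a filesystem path on its own.
 */
function resolve_install_lang($requested, $lang_dir)
{
	$requested = is_string($requested) ? trim($requested) : '';
	// Third argument forces strict comparison so "0" or "" cannot match loosely.
	if (in_array($requested, available_language_packs($lang_dir), true))
		return $requested;
	return 'English';
}

/**
 * Return the canonical path of the pack's install.php, or null if the
 * canonical path does not sit under $lang_dir. This is a second, independent
 * check in case the allowlist is ever relaxed.
 */
function language_pack_file($install_lang, $lang_dir)
{
	$file = realpath($lang_dir . $install_lang . '/install.php');
	$base = realpath($lang_dir);
	if ($file === false || $base === false)
		return null;
	if (strpos($file, $base . DIRECTORY_SEPARATOR) !== 0)
		return null;
	return $file;
}

// Refuse to run the installer at all if the forum is already set up; in the
// original code this check happens only after the language file has been required.
if (file_exists(PUN_ROOT . 'config.php'))
	exit('Already installed');

$install_lang = resolve_install_lang(
	isset($_REQUEST['install_lang']) ? $_REQUEST['install_lang'] : 'English',
	PUN_ROOT . 'lang/'
);

$lang_file = language_pack_file($install_lang, PUN_ROOT . 'lang/');
if ($lang_file === null)
	exit('Language pack not found');

require $lang_file;
```

Two points about the design: the allowlist is derived from the filesystem rather than hard-coded, so adding a language pack needs no code change, while the `realpath()` containment check stays as an independent safeguard. Moving the "already installed" exit ahead of the `require` also removes the window the report points out, in which an installer left on disk keeps including attacker-chosen language files on a forum that has long since finished installing; deleting install.php after setup remains the operational fix.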