Fengcms SQL injection & 读取任意文件漏洞

### 简要描述： Fengcms SQL injection & 读任意文件 & XSS。 ### 详细说明： ``` Searchcontrol 中。 if(!empty($_POST)){ if(URL_TYPE==1){ echo '<meta http-equiv="refresh" content="0;url='.(($_POST['project'])?'?controller=search&project='.$_POST['project'].'&tags='.$_POST['tags']:'/tags/'.$_POST['tags'].'.html').'">'; }else{ echo '<meta http-equiv="refresh" content="0;url=?controller=search'.(($_POST['project'])?'&project='.$_POST['project'].'&tags='.$_POST['tags']:'&tags='.$_POST['tags']).'.html">'; } }else{ 直接输出了 $_POST[‘tags’] 可以反射xss了。 ``` ``` 在downcontrol 中 $_GET['file']=base64_decode($_GET['file']); if(file_exists(ROOT_PATH.$_GET['file'])){ header("Content-Type: application/force-download"); header("Content-Disposition: attachment; filename=".basename($_GET['file'])); readfile(ROOT_PATH.$_GET['file']); }else{ echo '<script type="text/javascript">alert("您要下载的文件不存在！");history.back();</script>'; } } } ``` ### 漏洞证明： [<img src="https://images.seebug.org/upload/201403/311638331cc9b004c65fe3f9092eee38ab2b69e8.jpg" alt="17JZ(@BTSGTK99S9{Y2{6BV.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/311638331cc9b004c65fe3f9092eee38ab2b69e8.jpg) [<img src="https://images.seebug.org/upload/201403/3116384595c41b06fd86074aa6c8a621612f233e.jpg" alt="72N59%`D`UVF5D0Q`PH0%~W.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/3116384595c41b06fd86074aa6c8a621612f233e.jpg) [<img src="https://images.seebug.org/upload/201403/31163920cc3dcb53d5d21929044b6f37ac0a4dc6.jpg" alt="PG)3H%)ETC9(2_E3]1[N8G4.jpg" width="600" onerror="javascript:errimg(this);">](https://images.seebug.org/upload/201403/31163920cc3dcb53d5d21929044b6f37ac0a4dc6.jpg)