WooYun.org

没有什么技术含量，非常简单的任意文件下载漏洞，源文件解码后如下所示:(感谢在http://zone.wooyun.org/content/239这里给予回复的每位同学)
<?php
include( "init.inc.php" );
get_referer( false );
if ( empty( $_GET['filename'] ) || empty( $_GET['title'] ) || empty( $_GET['dir'] ) )
{
error_display( t_( "缺少檔案下載參數" ) );
}
$file_name = $_GET['filename'];
$file_download = uploadpath( )."/".$_GET['dir']."/".$file_name;
$file_extension = get_file_extension( $file_name );
if ( strpos( $_SERVER['HTTP_USER_AGENT'], "MSIE" ) )
{
$file_save = utf8tobig5( $_GET['title'] ).".".$file_extension;
}
else
{
$file_save = $_GET['title'].".".$file_extension;
}
$file_save = ereg_replace( "[\\/:*?\"<>|]", "_", $file_save );
if ( $file_extension == "php" )
{
exit( "<strong>Cannot be used for ".$file_extension." files!</strong>" );
}
$mimeType = get_file_mimetype( $file_name );
if ( strpos( $_SERVER['HTTP_USER_AGENT'], "MSIE 5" ) || strpos( $_SERVER['HTTP_USER_AGENT'], "Opera 7" ) )
{
$mimeType = "application/x-download";
}
ob_end_clean( );
header( "Pragma: public" );
header( "Expires: 0" );
header( "Cache-Control: must-revalidate, post-check=0, pre-check=0" );
header( "Cache-Control: public" );
header( "Content-Description: File Transfer" );
header( "Content-Type: ".$mimeType );
header( "Content-Disposition: attachment; filename=".$file_save );
header( "Content-Transfer-Encoding: binary" );
header( "Content-Length: ".filesize( $file_download ) );
@readfile( @$file_download );
?>
黑名单防止下载php文件简单绕过，即可下载任意文件，百度一下发现很多学校，使用python简单整理一下百度搜索结果,去重，大约有100多个域名，继续用python，下载每个域名的配置文件：

继续python提取配置文件中数据库用户名和密码:

简单看一下有些是root账号:

就写到这吧