Ear Music CMS代码审计

原创

于 2021-09-25 12:59:47 发布 · 977 阅读

1 ·

CC 4.0 BY-SA版权

文章标签：

#php #任意文件下载漏洞

Ear Music CMS任意文件下载漏洞

用注册的用户上传一首歌，并且用管理员账号通过审核，查看歌曲点击下载lrc歌词，抓包：

GET /earmus/template/default/source/down.php?type=lrc&id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://127.0.0.1/earmus/index.php/music/1/
Connection: close

跟踪用到的down.php文件：

<?php
include '../../../source/system/db.class.php';
$type = SafeRequest("type","get");
$id = SafeRequest("id","get");
if($type == 'lrc'){
   
   
        $file = geturl(getfield('music', 'in_lyric', 'in_id', $id), 'lyric');//$file变量来自此处，跟踪一下处理函数
}else{
   
   
        $file = geturl(getfield('video', 'in_play', 'in_id', $id));
}
$headers = get_headers($file, 1);
if(array_key_exists('Content-Length', $headers)){
   
   
        $filesize = $headers['Content-Length']