Code audit: ourphp background reproduce any file to read
ourphp
OurPHP proud to send business electricity supplier website system based on PHP + MYSQL perfect development, business electricity supplier + + + phone + APP micro-channel to get a platform to support the N-language station, the site of choice for foreign trade.
Official website: http://www.ourphp.net
demo: http://demo.ourphp.net
Code audit
The problem is in the \ client \ manage \ ourphp_filebox.php.
FIG next edit ($ fename) function, it can be seen from the annotation, it is displayed that reads a file and modification.
Wherein the received parameter fename no filter on the parameters and folder stitching, the inquiry into the document.
Where to see the edit function calls, find the line at the 1438 call, which fename parameters passed by reference post directly.
The code is located in row switch 1383, the annotations may be played method known selective action, parameter op.
Vulnerability reproduction
So we can construct exploits path visit, I was using phpstudy local built environment, vulnerability path is as follows:
http://127.0.0.1/client/manage/ourphp_filebox.php?%20op=edit&fename=../config/ourphp_config.php&folder=D:/phpStudy/WWW/templates/
This will get the sensitive information we want.