Monday, September 24, 2007

[Tips] A URL redirect in pw6 [BUG?]

by Superhei
2007-09-25
http://www.ph4nt0m.org


Codz of \hack.php:

require_once('global.php');
$H_name = GetGP('H_name'); // equivalent to $_GET[H_name]
if(ereg("^http",$H_name)!==false){
    ObHeader("$H_name"); // if it starts with http, redirect via ObHeader
}elseif(!$db_hackdb[$H_name] || !is_dir(R_P."hack/$H_name") || !file_exists(R_P."hack/$H_name/index.php")){
    // if we could get past the check above, the define below would set H_P; sadly the !$db_hackdb[$H_name] check can't be passed :(
    Showmsg("hack_error");
}
define('H_P',R_P."hack/$H_name/");


Let's look at ObHeader() in global.php:

function ObHeader($URL){
    global $db_obstart,$db_bbsurl,$db_htmifopen;
    if($db_htmifopen && strtolower(substr($URL,0,4))!='http'){
        $URL="$db_bbsurl/$URL";
    }
    ob_end_clean();
    if($db_obstart){ // sadly phpwind no longer allows global variables [see my previous blog post], otherwise we could reach header()
        header("Location: $URL");exit;
    } else{
        ob_start();
        echo "<meta http-equiv='refresh' content='0;url=$URL'>";exit; // our URL gets visited here
    }
}


POC:
http://www.phpwind.net/hack.php?H_name=http://www.google.com
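
One way to constrain the redirect shown above, as an added example (not phpwind's code and not part of the original post): only same-host or relative targets are followed, and the value is escaped before it is written into the meta tag. The function names, the `$bbsUrl` parameter (standing in for `$db_bbsurl`) and the host `forum.example` are assumptions.

```php
<?php
// Added example, not phpwind code. Function names are hypothetical;
// $bbsUrl plays the role of phpwind's $db_bbsurl.

function is_safe_redirect(string $url, string $bbsUrl): bool
{
    // Reject control characters, spaces and backslashes up front.
    if ($url === '' || preg_match('/[\x00-\x20\x7f\\\\]/', $url)) {
        return false;
    }
    $target = parse_url($url);
    $base   = parse_url($bbsUrl);
    if ($target === false || $base === false || !isset($base['host'])) {
        return false;
    }
    if (isset($target['scheme']) || isset($target['host'])) {
        // Absolute or protocol-relative URL: require http(s), no userinfo,
        // and exactly the forum's own host.
        $scheme = strtolower($target['scheme'] ?? '');
        if (!in_array($scheme, ['http', 'https'], true)) {
            return false;
        }
        if (isset($target['user']) || isset($target['pass'])) {
            return false;
        }
        return strcasecmp($target['host'] ?? '', $base['host']) === 0;
    }
    return true; // plain relative path, stays on the forum
}

function redirect_markup(string $url, string $bbsUrl): string
{
    // Fall back to the forum root instead of following an off-site URL.
    $dest = is_safe_redirect($url, $bbsUrl) ? $url : $bbsUrl . '/';
    // The value lands inside an HTML attribute, so escape it.
    $dest = htmlspecialchars($dest, ENT_QUOTES, 'UTF-8');
    return "<meta http-equiv='refresh' content='0;url=$dest'>";
}

// Constructed sample inputs; forum.example is a placeholder host.
$bbs = 'http://forum.example';
$samples = ['http://forum.example/read.php?tid=1', 'index.php',
            'http://www.google.com', '//www.google.com',
            'http://forum.example@www.google.com/'];
foreach ($samples as $u) {
    printf("%-38s %s\n", $u, redirect_markup($u, $bbs));
}
```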

2 comments:

kajdo said...

Hi mate ... how did you get the code highlighting working in blogger.com??

k a j d o 0 8 1 5 @ g m a i l . c o m

* Ph4nt0m Security Team * said...

No, we just use some HTML to highlight the code.

Blogger doesn't have a code highlight feature.