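Vulnerability overview
The class_exists() function checks whether the controller name passed in by the user exists as a class. By default, if the program defines an __autoload function, calling class_exists() automatically invokes __autoload.
The code is as follows: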
```php
<?php
// Legacy autoloader: includes whatever name it is given, with no validation.
function __autoload($className) {
    include $className;
}

// Both values come straight from the query string.
$controllerName = $_GET['c'];
$data = $_GET['d'];

// class_exists() triggers __autoload() when the class is not yet defined.
if (class_exists($controllerName)) {
    $controller = new $controllerName($data['t'], $data['v']);
    $controller->render();
} else {
    echo 'There is no page with this name';
}

class HomeController {
    private $template;
    private $variables;

    public function __construct($template, $variables) {
        $this->template = $template;
        $this->variables = $variables;
    }

    public function render() {
        if ($this->variables['new']) {
            echo 'controller rendering new response';
        } else {
            echo 'controller rendering old response';
        }
    }
}
?>
```
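When the value passed in for c is ../../../../etc/passwd, class_exists() invokes the __autoload function, which includes that variable directly, resulting in a file inclusion.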
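
A hardened counterpart to the dispatcher above, as an added example that is not part of the original write-up. It assumes PHP 8; CONTROLLER_DIR, ALLOWED_CONTROLLERS, isSafeClassName() and resolveController() are hypothetical names, and the sample requests are constructed.

```php
<?php
// Added example, not the page's code. CONTROLLER_DIR and the allowlist are assumptions.
const CONTROLLER_DIR = __DIR__ . '/controllers';   // hypothetical class directory
const ALLOWED_CONTROLLERS = ['HomeController'];    // controllers reachable via ?c=

// Accept only plain identifiers ending in "Controller": no '/', '.', '\' or NUL.
function isSafeClassName($name): bool {
    return is_string($name)
        && preg_match('/\A[A-Z][A-Za-z0-9]{0,63}Controller\z/', $name) === 1;
}

// Autoloader that builds the path itself instead of including the raw name.
spl_autoload_register(function (string $className): void {
    if (!isSafeClassName($className)) {
        return;                                    // never touch the filesystem
    }
    $file = CONTROLLER_DIR . '/' . $className . '.php';
    if (is_file($file)) {
        require $file;
    }
});

// Map the request parameter to a class name, or null if it must be rejected.
// The allowlist check runs before class_exists(), so untrusted input never
// reaches the autoloader at all.
function resolveController($requested): ?string {
    if (!isSafeClassName($requested)
        || !in_array($requested, ALLOWED_CONTROLLERS, true)) {
        return null;
    }
    return class_exists($requested) ? $requested : null;
}

class HomeController {
    public function __construct(private string $template, private array $variables) {}
    public function render(): string {
        return empty($this->variables['new'])
            ? 'controller rendering old response'
            : 'controller rendering new response';
    }
}

// Constructed sample requests; the second is the value used in the write-up.
foreach (['HomeController', '../../../../etc/passwd', 'AdminController', ['x']] as $c) {
    $class = resolveController($c);
    $label = is_string($c) ? $c : gettype($c);
    echo str_pad($label, 24), ' => ',
        $class === null ? 'rejected' : (new $class('home', ['new' => true]))->render(), PHP_EOL;
}
```

The autoloader repeats the name check so that any other code path calling class_exists() with untrusted input still cannot steer the include.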