pluck 4.6 arbitrary file read vulnerability!


by:xhming

       data/modules/albums/pages_admin/albums_getimage.php

....................................

    $image = $_GET['image'];
    if (!ereg("thumb", $image)) {
        if (preg_match("#([.*])([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) {
            if ($image != $matches[0]) {
                unset($image);
                die("A hacking attempt has been detected. For security reasons, we're blocking any code execution.");
            }
        }
    }
    elseif (ereg("thumb", $image)) {
        if (preg_match("#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) { // the regex match is flawed!!!
            if ($image != $matches[0]) {
                unset($image);
                die("A hacking attempt has been detected. For security reasons, we're blocking any code execution.");
            }
        }
    }

    if (file_exists("../../../../data/settings/modules/albums/$image")) {
        // generate the image, make sure it doesn't end up in the visitors buffer
        header("Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0");
        header("Expires: Thu, 19 Nov 1981 08:52:00 GMT");
        header("Pragma: no-cache");
        header("Content-Type: image/jpeg");
        echo readfile("../../../../data/settings/modules/albums/$image"); // triggers the vulnerability
    }

Clearly, the regular expression in if (preg_match("#([.*])([/])thumb([/])([A-Za-z0-9.]{0,11})#", $image, $matches)) is flawed: as long as our $image variable contains the string thumb, its check can be bypassed!

   Local test, as shown in the screenshot:
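In the code above the die() call sits inside the successful preg_match() branch, so a value the pattern does not match at all is never rejected and still reaches readfile(). The following is an added example, not pluck's code and not from the original post, of a fail-closed check for the same parameter: an anchored allowlist plus a realpath() containment test. The function name resolve_album_image(), the request format "<album>/[thumb/]<name>.jpg" and the demo files are assumptions made for illustration.

```php
<?php
// Added example, not pluck's code. resolve_album_image() and the
// "<album>/[thumb/]<name>.jpg" request format are assumptions.
function resolve_album_image(string $root, string $image): ?string
{
    // Fail closed: refuse anything the anchored allowlist does not match.
    $allowed = '#\A[A-Za-z0-9_-]+/(?:thumb/)?[A-Za-z0-9_-]+\.jpe?g\z#';
    if (preg_match($allowed, $image) !== 1) {
        return null;
    }
    // Defence in depth: the resolved path must stay inside the album root.
    $base = realpath($root);
    $path = realpath($root . '/' . $image);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return is_file($path) ? $path : null;
}

// Constructed demo data: a temporary album tree and one file outside it.
$tmp = sys_get_temp_dir() . '/albums_demo_' . bin2hex(random_bytes(4));
mkdir("$tmp/albums/holiday/thumb", 0700, true);
file_put_contents("$tmp/albums/holiday/a.jpg", 'x');
file_put_contents("$tmp/albums/holiday/thumb/a.jpg", 'x');
file_put_contents("$tmp/outside.txt", 'not an image');

// Constructed request values: two legitimate, one leaving the album root,
// one well-formed but naming a file that does not exist.
$requests = [
    'holiday/a.jpg',
    'holiday/thumb/a.jpg',
    'thumb/../../outside.txt',
    'holiday/missing.jpg',
];
foreach ($requests as $in) {
    $path = resolve_album_image("$tmp/albums", $in);
    printf("%-26s %s\n", $in, $path === null ? 'rejected' : 'served');
}
```

A caller would send the image headers and call readfile() only when the function returns a non-null path.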

  • Posted on 2021-04-10 08:37