错误提示是参数: null, 可被注入: null
{
"assertList": [
{
"express": "equal",
"source": "200",
"val": "200",
"var": "HTTPCODE"
},
{
"express": "regexmatch",
"source": "...Index of...",
"val": "directory\\slisting\\sfor|index\\sof",
"var": "TITLE"
}
],
"inputIndex": 0,
"lockKey": "${URLPATH}_index_uploads",
"message": "目录浏览",
"otherProperty": {},
"pluginName": "",
"postBody": "",
"requestHeaders": {
"Accept": "*/*",
"Connection": "keep-alive",
"Content-Type": "text/html",
"Host": "www.xxx.com",
"Referer": "http://www.xxx.com",
"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;Alibaba.Security.Heimdall.786105)"
},
"ruleItemName": "infoleak_index_uploads",
"ruleName": "sts"
}
POC重现:http://www.xxx.com/uploads/
{
"assertList": [
{
"express": "equal",
"source": "200",
"val": "200",
"var": "HTTPCODE"
},
{
"express": "regexmatch",
"source": "...Index of...",
"val": "directory\\slisting\\sfor|index\\sof",
"var": "TITLE"
}
],
"inputIndex": 0,
"lockKey": "${URLPATH}_index_uploads",
"message": "目录浏览",
"otherProperty": {},
"pluginName": "",
"postBody": "",
"requestHeaders": {
"Accept": "*/*",
"Connection": "keep-alive",
"Content-Type": "text/html",
"Host": "www.xxx.com",
"Referer": "http://www.xxx.com",
"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;Alibaba.Security.Heimdall.786105)"
},
"ruleItemName": "infoleak_index_uploads",
"ruleName": "sts"
}
POC重现:http://www.xxx.com/uploads/
1.做好程序异常处理,防止非法数据传入,引起程序崩溃.
2.关闭错误输出,防止调试信息泄漏.但是我已经屏蔽了PHPexpose_php=off 但是还是提示这种错误。我是使用的thinkphp框架,上传大小和上传的格式都有限制。