 |
  |
|
| 首页 | 技术文章 | 软件下载 | 博客 | 论坛 | 精品教程 | 黑客动画 | 视频资源 | 在线服务 | 黑客游戏 | | ||||
 |
|
|||||||
|
||||||||
|
|||||
| discuz附件文件下载路径获得以及多后缀RAR执行任意指令漏洞 | |||||
作者:未知 文章来源:邪恶八进制信息安全团队 点击数: 更新时间:2005-8-21  |
|||||
|
Discuz! - "popular web forum applications in China". Due to input validation flaw, malicious attackers can cause the Discuz program to run arbitrary commands with the privilege of the HTTPD process. Credit: The information has been provided by SSR Team. Details Vulnerable Systems: * Discuz! version 4.0.0 rc4 and prior Discuz! doesn’t properly check multiple extensions of uploaded files, allowing malicious attackers to upload a file with multiple extensions such as attach.php.php.php.php.rar to a web server. This can be exploited to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user. Workaround: Exclude the RAR extension from the extension list for attached files on an administration page and wait the release of official patch. Disclosure Timeline: * 24.07.05 - Vulnerability found * 25.07.05 - Vendor notified * 12.08.05 - Official release 这是在http://www.securiteam.com/unixfocus/5WP0F1FGKG.html 站点上看到的漏洞公告 自己马上在本地进行了测试,事实证明可以执行任意指令,用 存为cmd.php再打包成p11.php.php.php.php.php.php.php.php.php.php.php.php.rar 上传到数据库,更名为p11.php.php.php.php.php.php.php.php.php.php.php.php_6nOXtmZPWv90.rar 可看出文件名已经修改,可是自己是看不到后面这个文件名的,也就没有路径自己。 抓包,嗅探都找不到文件路径,然后自己进后台,附件管理,可查看文件名,用lanker 马客户端 连接可执行命令,难点是如何的到上传文件路径,昨晚努力了很久,都无法获得路径 以前也来EST,就是经常潜水,现在好不容易有问题可以提出,本人菜鸟一个,在此求助帮忙 Vulnerable Systems: * Discuz! version 4.0.0 rc4 and prior,漏洞非常之广,反盗链技术discuz又好 真的不是象我这样的菜鸟能搞定漏洞利用的,依然在研究代码中 |
|||||
| 文章录入:IceRiver 责任编辑:IceRiver | |||||
| 【发表评论】【加入收藏】【告诉好友】【打印此文】【关闭窗口】 | |||||
 网友评论:(只显示最新5条。评论内容只代表网友观点,与本站立场无关!) |
 |
|
| 关于我们 - 版权声明 - 帮助(?) - 广告服务 - 联系我们 - 友情链接 - 用户注册 - | Powered by ICE RIVER - STUDIO |
|
|
| » CnXHacker.CoM |  |
© CopyRight 2002-2006, CnXHacker.CoM™, Inc. All Rights Reserved. |
