
Discuz!: Obtaining the Attachment Download Path, and the Multiple-Extension RAR Arbitrary Command Execution Vulnerability

2005-8-23 13:29 | Submitted by: security

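Discuz! - "popular web forum applications in China". Due to an input validation flaw, malicious attackers can cause the Discuz! program to run arbitrary commands with the privilege of the HTTPD process.

Credit:
The information has been provided by SSR Team.

Details
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior

Discuz! doesn't properly check multiple extensions of uploaded files, allowing malicious attackers to upload a file with multiple extensions such as attach.php.php.php.php.rar to a web server. This can be exploited to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.

Workaround:
Exclude the RAR extension from the extension list for attached files on an administration page and wait for the release of the official patch.

Disclosure Timeline:
* 24.07.05 - Vulnerability found
* 25.07.05 - Vendor notified
* 12.08.05 - Official release

This is the vulnerability advisory I saw on http://www.securiteam.com/unixfocus/5WP0F1FGKG.html. I immediately tested it locally, and the test showed that arbitrary commands can be executed. Saved as cmd.php, then packed as p11.php.php.php.php.php.php.php.php.php.php.php.php.rar and uploaded to the database, it was renamed to p11.php.php.php.php.php.php.php.php.php.php.php.php_6nOXtmZPWv90.rar. You can see that the file name has been changed, but I cannot see this new file name myself, so I do not have the path either.

Packet capture and sniffing both failed to find the file path. I then went into the admin backend, where attachment management shows the file name, and connecting with the lanker trojan client I could execute commands. The difficulty is how to obtain the path of the uploaded file. I worked on it for a long time last night and still could not get the path.

I have been to EST before, but I mostly lurk. Now that I finally have a question to raise, and being a newbie, I am asking for help here. Vulnerable Systems: * Discuz! version 4.0.0 rc4 and prior, so the vulnerability is very widespread. Discuz!'s anti-hotlinking technique is also good, and exploiting the vulnerability really is not something a newbie like me can manage. I am still studying the code.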
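An added example, not code from Discuz! or from the advisory: a PHP sketch of the missing multiple-extension check, showing a last-extension-only test beside one that inspects every extension segment and stores the upload under a server-generated name instead of keeping the client's segments, as the renamed file above did. The function names and extension lists are assumptions chosen for illustration.

```php
<?php
// Added illustration; not Discuz! source. Extension lists are assumed values.
const ALLOWED_FINAL_EXT = ['rar', 'zip', 'txt', 'jpg', 'png', 'gif'];
const EXECUTABLE_EXT = ['php', 'php3', 'php4', 'php5', 'phtml', 'pl', 'cgi', 'asp', 'jsp', 'shtml'];

// Weak check: only the text after the last dot is compared with the allow list.
function weak_is_allowed(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_FINAL_EXT, true);
}

// Hardened check: every dot-separated segment after the base name is inspected,
// because a web server may pick a handler from an inner segment such as ".php".
function strict_is_allowed(string $name): bool
{
    $name = basename(str_replace('\\', '/', $name));   // drop any client-side path
    $segments = array_map('trim', explode('.', strtolower($name)));
    array_shift($segments);                             // discard the base name
    if ($segments === [] || !in_array(end($segments), ALLOWED_FINAL_EXT, true)) {
        return false;                                   // no extension, or final one not allowed
    }
    foreach ($segments as $segment) {
        if (in_array($segment, EXECUTABLE_EXT, true)) {
            return false;                               // e.g. attach.php.php.rar
        }
    }
    return true;
}

// Stored name keeps nothing from the client except one vetted extension.
function stored_name(string $name): string
{
    $ext = strtolower(pathinfo(trim($name), PATHINFO_EXTENSION));
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample names; the second is the form given in the advisory.
$samples = ['report.rar', 'attach.php.php.php.php.rar', 'photo.JPG', 'notes.phtml.txt', 'shell.php.'];
foreach ($samples as $s) {
    $ok = strict_is_allowed($s);
    printf("%-28s weak=%-6s strict=%-6s stored=%s\n", $s,
        weak_is_allowed($s) ? 'accept' : 'reject',
        $ok ? 'accept' : 'reject',
        $ok ? stored_name($s) : '-');
}
```

Serving the upload directory with script execution disabled removes the remaining dependence on the extension lists being complete.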
