
Obtaining the Discuz attachment download path, and the multiple-suffix RAR arbitrary command execution vulnerability

Discuz! - "popular web forum applications in China".
Due to an input validation flaw, malicious attackers can cause the Discuz program to run arbitrary commands with the privileges of the HTTPD process.
Credit:
The information has been provided by SSR Team.
[Obtaining the Discuz attachment download path, and the multiple-suffix RAR arbitrary command execution vulnerability] Details
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior
Discuz! doesn't properly check multiple extensions of uploaded files, allowing malicious attackers to upload a file with multiple extensions such as attach.php.php.php.php.rar to a web server.
This can be exploited to run arbitrary commands with the privilege of the HTTPD process, which is typically run as the nobody user.
Workaround:
Exclude the RAR extension from the extension list for attached files on the administration page, and wait for the release of an official patch.
Disclosure Timeline:
* 24.07.05 - Vulnerability found
* 25.07.05 - Vendor notified
* 12.08.05 - Official release
This is the vulnerability advisory I saw on the site http://www.securiteam.com/unixfocus/5WP0F1FGKG.html
I tested it locally right away, and it turned out that arbitrary commands really can be executed. Using
saved as cmd.php, then packed into p11.php.php.php.php.php.php.php.php.php.php.php.php.rar
and uploaded to the database, it was renamed to p11.php.php.php.php.php.php.php.php.php.php.php.php_6nOXtmZPWv90.rar
You can see the filename has been changed, but you can't see this renamed filename yourself, so you have no path either.
Packet capture and sniffing couldn't find the file path. Then, going into the admin back-end under attachment management, the filename can be seen, and connecting with lanker's webshell client, commands can be executed. The hard part is how to get the path of the uploaded file; I worked on it for a long time last night and still couldn't obtain the path.
I've been to EST before, but mostly just lurking; now that I finally have a question to raise, I'm a newbie, so I'm asking for help here.
Vulnerable Systems:
* Discuz! version 4.0.0 rc4 and prior. The vulnerability is extremely widespread, and Discuz's anti-hotlinking technique is good too,
so it really isn't something a newbie like me can turn into a working exploit; I'm still studying the code.
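The advisory above describes the root cause in one sentence: the attachment filter looks only at the last extension, while a server configured with an extension handler (Apache's AddHandler for PHP is the usual case) will execute a file whose name carries a .php segment anywhere after the basename. The workaround it gives, dropping RAR from the allow-list, removes one symptom rather than the cause. The Python below is an added example written for this page, not code from Discuz! (which is PHP) or from the advisory; the handler-extension set, the allow-list, the sample filenames (modelled on the ones quoted in the post) and the function names are all assumptions made for the illustration. It puts the weak last-extension check beside a hardened one, shows how a stored name can be built so that no user-supplied segment reaches disk at all, and adds an audit pass a forum administrator could run over an existing attachment directory to find names that the old check already let through.

```python
import secrets

# Extensions that a handler-based server configuration (e.g. Apache AddHandler
# for PHP) may treat as executable wherever they appear in a filename, not
# only at the very end. This set is an assumption for the example; tune it to
# the handlers actually configured on the server.
HANDLER_EXTS = {"php", "php3", "php4", "php5", "phtml", "cgi", "pl"}


def last_extension(name):
    """Lower-cased text after the final dot, or '' if there is no dot."""
    return name.rsplit(".", 1)[1].lower() if "." in name else ""


def naive_check(name, allowed):
    """Weak check: only the final extension is consulted, so a name such as
    'attach.php.php.rar' passes as long as 'rar' is on the allow-list."""
    return last_extension(name) in allowed


def handler_segments(name):
    """Every dot-separated segment after the basename that matches a handler
    extension; a non-empty result means a handler-based server could execute
    the file regardless of what the final extension says."""
    return [p for p in name.lower().split(".")[1:] if p in HANDLER_EXTS]


def strict_check(name, allowed):
    """Hardened acceptance test: the final extension must be allowed AND no
    inner segment may be a handler extension."""
    return last_extension(name) in allowed and not handler_segments(name)


def stored_name(upload_name, allowed):
    """On-disk name for an accepted upload. The user-supplied basename is
    discarded entirely, leaving a random token plus the one validated
    extension, so no attacker-controlled segment ever reaches the filesystem."""
    if not strict_check(upload_name, allowed):
        raise ValueError(f"rejected upload name: {upload_name!r}")
    return f"{secrets.token_hex(8)}.{last_extension(upload_name)}"


def audit(stored_names):
    """Detection pass over names already present in an attachment directory:
    returns those whose inner segments a handler-based server could still
    execute, i.e. uploads the naive check accepted in the past."""
    return [n for n in stored_names if handler_segments(n)]


# Constructed sample names, modelled on those quoted in the post above.
ALLOWED = {"rar", "zip", "jpg", "gif"}
SAMPLES = [
    "attach.php.php.php.php.rar",
    "p11.php.php.php.php.php.php.php.php.php.php.php.php_6nOXtmZPWv90.rar",
    "holiday.jpg",
    "notes.tar.gz",
]

if __name__ == "__main__":
    for n in SAMPLES:
        print(f"{n[:40]:40} naive={naive_check(n, ALLOWED)!s:5} "
              f"strict={strict_check(n, ALLOWED)}")
    print("holiday.jpg stored as:", stored_name("holiday.jpg", ALLOWED))
    print("audit hits:", audit(SAMPLES))
```

Two design points are worth noting. First, the renamed file the poster observed still contains every original .php segment, because the rename only appended a random suffix to the basename; building the stored name from a fresh token and the single validated extension, as `stored_name` does, is what actually removes the attacker's influence over the name. Second, `audit` is the check to run once on an installation that has been exposed for a while, since fixing the upload filter says nothing about attachments already on disk.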
