Title: MyBB All Versions Remote Command Execution
Author: Nafsh
Date: 3 Oct 2012
Homepage: http://Sec-Lab.Tap-Co.Net
Contact: Nafsh.Hack@Gmail测试数据

#########################################################

Source download: http://HdhCmsTestmybb测试数据/download/latest
File: /inc/3rdparty/diff/Diff/Engine/shell.php

Vulnerable source excerpt:

    $fp = fopen($to_file, 'w');
    fwrite($fp, implode("\n", $to_lines));
    fclose($fp);
    $diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);
    unlink($from_file);
    unlink($to_file);

Proof: $_GET + shell_exec() = Command Execution

Vulnerability description:

An attacker might execute arbitrary system commands with this vulnerability. User-tainted data is used when building the command that is executed on the underlying operating system. This vulnerability can lead to full server compromise.

Example of the vulnerable pattern:

    exec("./crypto -mode " . $_GET["mode"]);

Proof of concept: /index.php?mode=1;sleep 10;

Fix:

Limit the input to a very strict character subset or build a whitelist of allowed values. Do not try to filter for evil commands. Avoid system command executing functions altogether where possible.

    $modes = array("r", "w", "a");
    if (!in_array($_GET["mode"], $modes)) exit;

D3m0:
http://HdhCmsTestminuteworkers测试数据/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE
http://HdhCmsTestartistsuniverse.org/forum/inc/3rdparty/diff/Diff/Engine/shell.php?Find It In Source=RCE

#########################################################

We are : K0242 | Nafsh | Ehram.shahmohamadi
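Added example (not MyBB's code and not the advisory author's): the same diff invocation from shell.php rewritten so that every argument reaching shell_exec() is quoted with escapeshellarg(), plus the advisory's "mode" whitelist applied with strict comparison. The function names are assumptions for this illustration; it assumes a diff binary on PATH.

```php
<?php
// Hardened form of the shell.php pattern: file names are generated by us,
// and every argument is escaped before being joined into the command line.
function safe_diff_lines(string $diffCommand, array $from_lines, array $to_lines): string
{
    // Temp files created by the application, never from user-supplied names.
    $from_file = tempnam(sys_get_temp_dir(), 'dif');
    $to_file   = tempnam(sys_get_temp_dir(), 'dif');
    file_put_contents($from_file, implode("\n", $from_lines));
    file_put_contents($to_file, implode("\n", $to_lines));

    // escapeshellarg() wraps each value in single quotes, so ';', '|', '`'
    // or whitespace inside a path can no longer end the diff command.
    // escapeshellcmd() neutralises metacharacters in the (config-sourced) binary name.
    $cmd = escapeshellcmd($diffCommand) . ' '
         . escapeshellarg($from_file) . ' '
         . escapeshellarg($to_file);
    $diff = shell_exec($cmd);

    unlink($from_file);
    unlink($to_file);
    return (string) $diff;
}

// The advisory's "mode" allow-list, with strict comparison: in_array()
// without its third argument compares loosely (==), which is easy to misuse.
function validated_mode(?string $mode): string
{
    $allowed = ['r', 'w', 'a'];
    if ($mode === null || !in_array($mode, $allowed, true)) {
        throw new InvalidArgumentException('mode must be one of r, w, a');
    }
    return $mode;
}

// Constructed sample input (not from the advisory).
echo safe_diff_lines('diff', ['alpha', 'beta'], ['alpha', 'gamma']), "\n";
echo validated_mode($_GET['mode'] ?? 'r'), "\n";
```

Run it with the PHP CLI; a request parameter such as mode=1;sleep 10; now fails the whitelist check instead of reaching the shell.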