|
|
|
|
||||||
| ركن ثغرات النسخه الثالثه لجميع النسخ التاليه : [vB3.8.0] +[vB3.7.0] +[vB3.6.0] + [vB3.5.0] + [vB3.0.0] : هذا الركن لايقبل إضافة أي مشاركه |
|
|
LinkBack | أدوات الموضوع | طرق العرض |
05 - 05 - 2006, 11:00
|
||||
|
بسم الله الرحمن الرحيم
اولا عنوان الموضوع غريب لكن الاهميه وتوضيحه لجميع شركات الاستضافه في هذه الفطره اخترقت جميع المنتديات اصغرهم واكبرهم والكل افتكر ثغره مثل ما قال الاخ تركى والجميع ولكن للأسف ما ثغره في منتديات VB بل ثغره في السيرفر نظام تشغل LINUX تعتمد على (copy)(Perl) تعتمد على الاكسبليت الخاص بي السيرفر جميع اصحاب السيرفرات قالو اغلقنا الداله وما زال االاختراقات شغاله ولكن الاسف الثغره تترقع يوم بعد يوم في السيرفراات بتغير اسم الداله /usr/local/Zend/etc/php.ini وبلغه Perl رمز Code:
#!/usr/bin/perl
##############################################################################
# Form Mail: eMail Form Processor Pro #
# Version 4.0.5 #
##############################################################################
# Developer: MitriDAT #
# info@email-form.com #
# http://www.email-form.com #
# Last Modified 29.06.2004 #
##############################################################################
# COPYRIGHT NOTICE #
# Copyright 2000-2003, MitriDAT. All Rights Reserved. #
# #
# Please check ReadMe file for full details on installation #
##############################################################################
#*********************** DO NOT EDIT PAST THIS LINE *************************#
##############################################################################
# init default values
@Months= qw(January February March April May June July August September October November December); unshift @Months, "";
@Weekdays= qw(Sunday Monday Tuesday Wednesday Thursday Friday Saturday);
#$base_path = "./";
$error_loop = 0;
$browser_out = 0;
$content_type = "Content-Type: text/html\n\n";
$cfg_file = "formprocessorpro.cfg";
#FIX 24/07/2003
if (!(-e $cfg_file)) {
if ($ENV{'WINDIR'}) {#windows
$pt = $ENV{'SCRIPT_FILENAME'};
$pt = $ENV{'PATH_TRANSLATED'} if $ENV{'PATH_TRANSLATED'};
$pt =~ s/\\/\//g;
@m = split(/\//,$pt); pop @m;
$cfg_file = join("\x2F",@m).'/formprocessorpro.cfg';
}
$cfg_file =~ s/\/\//\//g;
}
#/FIX 24/07/2003
$mail_format = "plain";
$cfg_form = "form.cfg";
$multi_separator = ", ";
##############################################################################
use CGI::Carp qw (fatalsToBrowser);
use CGI qw/:cgi/;
$ENV{'UPDATED'}= ' ';
$query = new CGI;
# default message
if ($ENV{'REQUEST_METHOD'} eq 'GET' and $ENV{'QUERY_STRING'} eq "login") {
&StartPage;
exit(0);
}elsif($ENV{'REQUEST_METHOD'} eq 'GET'){
Error('Request method error.',"Request method error.");
}
@lines = ReadFile2('Configuration File', $cfg_file);
foreach $line (@lines) {
if ($line =~ /^(Referers)\s*=\s*(.+?)\s*(\x23|$)/)
{ eval "push \@$1, \"$2\";";}
elsif ($line =~ /^(\w+)\s*=\s*(.+?)\s*(\x23|$)/)
{ eval "\$$1 = \"$2\";"; }
}
######whether we shall administrate or not#####
if ($query->param('pass09123')) {
$pass09123=$query->param('pass09123');
if ($managing_password eq $pass09123) {
if (defined($query->param('_saveChanges'))) {# we save edited fields
&SavePage;
$ENV{'UPDATED'} = "<p align=center><strong><font color=red>Configuration script was updated</font></strong></p>\n";
&StartPage;
}
else {#we only start editing
&ManagePage;
}
} else {#we entered incorrect pwd or didn't enter it at all
&StartPage;
}
exit(0);
}
######end of administrating####################
# we can inherit base path if drawn through several pages in page sequence
$base_path = $query->param('base_path').'/' if defined(($query->param('base_path')));
$base_path = $query->param('_base_path').'/' if defined(($query->param('_base_path')));
@lines=ReadFile2('Form Configuration File', $base_path . $cfg_form);
foreach $line (@lines) {
if ($line =~ /^(attachments_path|mail_format)\s*=\s*(.+?)\s*(\x23|$)/)
{eval "\$$1 = \"$2\";";}
if ($line =~ /^(\w+)\s*=\s*(.+?)\s*(\x23|$)/)
{ eval "\$FORM{$1} = \"$2\";";}
}
$attachments_path=$base_path . $attachments_path;
&ParseForm;
&CheckRef;
$mail_format="plain" if ($ENV{'HTTP_REFERER'}=~/(\/\/|\.)aol\.com/);
$mail_format="plain" if ($ENV{'HTTP_REFERER'}=~/(\/|\.)not/);
$FORM{'_format_decimals'} = "0" unless ($FORM{'_format_decimals'});
$FORM{'GMT_OFFSET'} = "0" unless ($FORM{'GMT_OFFSET'});
## DATE FORMATTING
$date_format = 'dd.mm.yyyy' unless defined($date_format);
$date = $date_format;
($sec,$min,$hour,$mday,$mon,$year,$wday,$yday,$isdst) = gmtime(time + $FORM{'GMT_OFFSET'}*3600);
$mon++; $year+=1900; $syear="0".($year-2000);
$mday="0".$mday if length($mday)<2 ;
$date=~s/weekday/$Weekdays[$wday]/i;
$date=~s/wee/substr($Weekdays[$wday],0,3)/ei;
$date=~s/Month/$Months[$mon]/i;
$date=~s/mmm/substr($Months[$mon],0,3)/ei;
$mon=(length($mon)<2?"0":"").$mon; # "0" schreiben oder nicht?
$date=~s/yyyy/$year/i;
$date=~s/yy/$syear/io;
$date=~s/dd/$mday/io;
$date=~s/mm/$mon/eio;
$ENV{'DATE_GMT'} = sprintf("%02d:%02d:%02d %s GMT%+d",$hour,$min,$sec,$date,$FORM{'GMT_OFFSET'});
## END DATE FORMATTING
srand(time ^ $$);
$rnd1 = sprintf("%04d", int(rand 10000));
$rnd2 = sprintf("%04d", int(rand 10000));
$FORM{'unique_reference_number'} = "$year$mon$mday-$rnd1-$rnd2" unless ($FORM{'unique_reference_number'});
if (@missing_values or @bad_emails or @only_digits or @only_words) { Error('evil values') }
foreach $key (keys %FORM)
{
$FORM{$key} =~s/\0//g;
$FORM{$key} =~s/\"(\s|\.|\)|\Z)/»$1/g;
$FORM{$key} =~s/(\A|\s|\.|\()\"/$1«/g;
#Page number
$pn=$FORM{'page_no'}; $pn++;
# start_email is hidden field in the form which email has to been sent after
if ($key =~ /^_send_email/)
{
if (!defined($FORM{"_browser_out".$pn})) {
@lines = ReadFile('Email Template',$FORM{$key});
@lines = ParseText(@lines);
@lines = ParseEmail(@lines);
if ($mailserver ne '') {SendMailBySmtp(@lines);} else {SendMail(@lines);}
}
}
elsif ($key =~ /^_send_html_email/)#HTML email template
{
if (!defined($FORM{"_browser_out".$pn})) {
@lines = ReadFile('Email Template',$FORM{$key});
@lines = ParseTextMail(@lines);
@lines = ParseHtmlEmail(@lines);
if ($mailserver ne '') {SendMailBySmtp(@lines);} else {SendMail(@lines);}
}
}
elsif ($key =~ /^_out_file/)
{
if (!defined($FORM{"_browser_out".$pn})) {
@lines = ReadFile('Log File',$FORM{$key});
@lines = ParseText(@lines);
LogFile('LogFile Template',@lines);
}
}
elsif ($key =~ /^_browser_out$FORM{page_no}$/ and $browser_out < 2)
{
$browser_out++;
@lines = ReadFile('Browser Template', $FORM{$key});
@lines = ParseText(@lines);
foreach $line (@lines) {
if ($line=~/(<\/form>)/i) {
$hfields="";
foreach $k (keys %FORM) {
$v=$FORM{$k};
if ($k =~ /^page_no/) {$v++;}
$hfields .= '<input type="hidden" name="'.$k.'" value="'.$v.'">'."\n";
}
if (!defined($FORM{page_no})) {$hfields .= '<input type="hidden" name="page_no" value="1">'."\n";}
$line=$`.$hfields.$1.$';
}
}
BrowserOut(@lines);
}
elsif ($key =~ /^_redirect/ and $browser_out < 2)
{
$browser_out++;
print "Location: $FORM{$key}\n\n";
}
}
unless ($browser_out) {
@msg = (<DATA>);
$ENV{'OUT_TITLE'} = "Submission Successful";
$ENV{'OUT_MSG'} = "Your submission was successful. Thank you.";
@msg = ParseText(@msg);
BrowserOut(@msg);
}
opendir(DIR, $attachments_path) || exit(0);
@files_list = grep { /^\d{8}_(.*)_\._file$/ && -f "$attachments_path$_" } readdir(DIR);
closedir DIR;
foreach $attachment_file (@files_list) {
($dev,$ino,$mode,$nlink,$uid,$gid,$rdev,$size, $atime,$mtime,$ctime,$blksize,$blocks) = stat($attachments_path.$attachment_file);
if (time() >= $mtime + $attachments_ttl) {
unlink($attachments_path.$attachment_file);
}
}
exit(0);
### Subroutines ###
sub round
{
$value = shift @_;
$round_dec = shift @_;
$round_dec = $FORM{'_format_decimals'} if ($round_dec eq "");
return sprintf("%.".$round_dec."f", $value);
}#round
sub BrowserOut
{
print "$content_type@_\n";
}#BrowserOut
sub CheckRef
{
my ($valid_referer, @terms);
if ((@Referers) and ($ENV{'HTTP_REFERER'})) {
foreach $referer (@Referers) {
if ($ENV{'HTTP_REFERER'} =~ m|http.*?://$referer|i) {
$valid_referer++;
last;
}
}
} else {
$valid_referer++;
}
unless ($valid_referer) {
@terms = split(/\//,$ENV{'HTTP_REFERER'});
Error ('Bad Referer',
"'$ENV{'HTTP_REFERER'}' is not authorised to use this script. If you want them to be able to,
you should add '$terms[2]' to the referer list."
);
}
}#CheckRef
sub Error
{
++$error_loop;
my $title = shift @_;
my $msg = shift @_;
my @error;
if ($title eq 'evil values') {
my $val;
if (@missing_values) {
$msg = qq|<p>The following field(s) are required to be filled in before successful submission:</p>\n<table border=0><tr><td><ol>\n|;
foreach $val (@missing_values) { $msg .= "<li>$val\n" }
$msg .= "</ol></td></tr></table>\n";
}
if (@bad_emails) {
$msg .= qq|<p>The following field(s) are required to be filled in with valid email addresses before successful submission:</p>\n<table border=0><tr><td><ol>\n|;
foreach $val (@bad_emails) { $msg .= "<li>$val\n" }
$msg .= "</ol></td></tr></table>\n";
}
if (@only_digits) {
$msg .= qq|<p>The following field(s) are required to be filled in only with digits (0-9) and decimal point before successful submission:</p>\n<table border=0><tr><td><ol>\n|;
foreach $val (@only_digits) { $msg .= "<li>$val\n" }
$msg .= "</ol></td></tr></table>\n";
}
if (@only_dig_and_dolar) {
$msg .= qq|<p>The following field(s) are required to be filled in only with digits (0-9) a decimal point, or a dollar sign before successful submission:</p>\n<table border=0><tr><td><ol>\n|;
foreach $val (@only_dig_and_dolar) { $msg .= "<li>$val\n" }
$msg .= "</ol></td></tr></table>\n";
}
if (@only_words) {
$msg .= qq|<p>The following field(s) are required to be filled in only with word characters (A-Z, 0-9) before successful submission:</p>\n<ol type="i">\n|;
foreach $val (@only_words) { $msg .= "<li>$val\n" }
$msg .= "</ol>\n";
}
$title = 'Error - Incorrect Values';
$msg .= qq|<p>Please go back and fill in the fields accordingly.</p>\n|;
}
if ($FORM{'_error_url'}) {
print "Location: $FORM{'_error_url'}\n\n"
} elsif ($FORM{'_error_path'} and $error_loop < 2) {
$ENV{'OUT_TITLE'} = $title;
$ENV{'OUT_MSG'} = $msg;
@error = ReadFile('Error Template',$FORM{'_error_path'});
@error = ParseText(@error);
BrowserOut(@error);
} else {
@error = (<DATA>);
$ENV{'OUT_TITLE'} = $title;
$ENV{'OUT_MSG'} = $msg;
@error = ParseText(@error);
BrowserOut(@error);
}
exit(0);
}#Error
sub LogFile
{
my $msg = shift @_;
my $file = shift @_;
$file =~ s#^(\s)#./$1#;
# $file =~ s#\.\./##g;
# $file =~ s/[^\w-\.]//g;
my $file_secure = $base_path . $file;
#unless ($file_secure =~ m#^([\s\w.-_:\\\/]+)$#) { # $1 is untainted
unless ($file_secure =~ m#^(.+)$#) { # $1 is untainted
Error('File Name Error', "filename '$file_secure' has invalid characters.");
}
$file_secure = $1;
open(FILE,">>$file_secure") or Error('File Access Error',"An error occurred when trying to append to the $msg ($file): $!");
if (!defined($ENV{'COMSPEC'})) { # flock ain't needed on Windows !NT based systems
flock(FILE,2) or Error('File Lock Error',"An error occured when locking the $msg ($file): $!.");
}
print FILE @_;
close(FILE) or Error('File Close Error',"An error occurred when close the $msg ($file): $!.");
}#LogFile
sub ReadFile
{
my $msg = shift @_;
my $file = shift @_;
$file =~ s#^(\s)#./$1#;
# $file =~ s#\.\./##g;
# $file =~ s/[^\w-\.]//g;
$file = $base_path . $file;
open(FILE, "$file") or Error('File Access Error',"An error occurred when opening the $msg ($file): $!.");
my @lines = (<FILE>);
close(FILE) or Error('File Close Error',"An error occurred when close the $msg ($file): $!.");
return @lines;
}#ReadFile
sub ReadFile2
{
my $msg = shift @_;
my $file = shift @_;
$file =~ s#^(\s)#./$1#;
open(FILE, "$file") or Error('File Access Error',"An error occurred when opening the $msg ($file): $!.");
my @lines = (<FILE>);
close(FILE) or Error('File Close Error',"An error occurred when close the $msg ($file): $!.");
return @lines;
}#ReadFile2
sub ParseForm
{
my ($key, $prefs, $buffer, $file, $local_file, $value, $name, $file_name);
@names = $query->param;
foreach $name (@names)
{
$value = $query->param($name);
#FIX 07.07.2003
if ($mail_format eq 'html') {
$value =~s/\n/\<br\>/ig;
}
$FORM{$name} = $value;
if ($bytesread = read($value, $buffer, 1024)) {
$file_name = $value;
if ($file_name =~ /([^\/\\:]*)$/) {
$file_name = $1;
}
my $t_size = 0;
srand(time ^ $$);
my $rnd = sprintf("%08d", int(rand 100000000));
$local_file = $attachments_path . $rnd . "_" . $file_name . "_._file";
$FORM{$name."_uploaded"} = $rnd . "_" . $file_name . "_._file";
open (OUTFILE,">$local_file") or Error('File Access Error',"An error occurred when trying to save attachments ($local_file): $!");
binmode OUTFILE;
$t_size = length($buffer);
print OUTFILE $buffer;
while ($bytesread = read($value, $buffer, 1024)) {
$t_size += length($buffer);
print OUTFILE $buffer;
}
close OUTFILE;
my $f_size = 1024 * $max_file_size;
if($t_size > $f_size && $f_size != 0) {
unlink($local_file);
Error("Uploading file is too large. It must to be less than $max_file_size KB.");
}
} else {
if ($name =~ /^([rs]*[edwmcn]?[rs]*)_/) {
($prefs, $key) = split /_/, $name, 2;
if ($prefs =~ /s/i and $value) {
$value =~ s/^(\s)*//;
$value =~ s/(\s)*$//;
$FORM{$name} = $value;
}
if ($prefs =~ /m/i and $value) {
$multi_separator = $FORM{'_multi_separator'} if defined($FORM{'_multi_separator'});
@value = $query->param($name);
$value = join($multi_separator,@value);
$value =~ s/^default$multi_separator|^default//ig;
$FORM{$name} = $value;
}
if ($prefs =~ /n/i and $value) {
$value =~ s/\n//ig;
$value =~ s/\r//ig;
$FORM{$name} = $value;
}
if ($prefs =~ /r/i and $value eq "")
{ push @missing_values, $key }
if ($prefs =~ /e/i and $value and isEmailBad($value))
{ push @bad_emails, $key }
if ($prefs =~ /d/i and $value and !($value =~ /^(\d+|\d+\.\d+)$/))
{ push @only_digits, $key }
if ($prefs =~ /c/i and $value and !($value =~ /^(\$?\d+\$?|\$?\d+\.\d+\$?)$/))
{ push @only_dig_and_dolar, $key }
if ($prefs =~ /w/i and $value and $value =~ /\W/)
{ push @only_words, $key }
}
}
}
}#ParseForm
sub ParseText
{
my ($line, $key, $value, $sub, $script);
foreach $line (@_) {
while (($key => $value) = each %FORM)
{ $line =~ s/\[$key\]/$value/ig }
while (($key => $value) = each %ENV)
{ $line =~ s/\[\%$key\]/$value/ig }
# $line =~ s/\x7e(\w+)((\[)(\d)(\]))?/eval "\$$1$3$4$5"/e;
#remove blank vars
#FIX 14/08/2003
if ($line =~ /<script/) {$script = 1;}
if ($script != 1) {
$line =~ s/\[[^<](.)*?[^>]\]//g;
} else {
$line =~ s/([^A-Za-z0-9\-_,])\[[^<](.)*?[^>]\]/$1/g;
}
if ($line =~ /<\/script/) {$script = 0;}
#/FIX 14/08/2003
}
foreach $line (@_) {
while ($line =~ /\[<((.)*?)>\]/) {
$sub = $1;
if ($sub !~ /^([\d\+\*\/\-%\.,x<>\(\)\s]|round|ifcond)*$/s) {
#Error("Error in expression", $sub);
}
$sub = eval $sub;
$line =~ s/\[<(.)*?>\]/$sub/s;
}
}
return @_;
}#ParseText
#as FIX 11/05/2003
sub ParseTextMail
{
my ($line, $key, $value, $sub, $script);
foreach $line (@_) {
while (($key => $value) = each %FORM)
{
#as FIX 11/07/2003
$value =~ s/\n/\<br\>/g;
$line =~ s/\[$key\]/$value/ig
}
while (($key => $value) = each %ENV)
{ $line =~ s/\[\%$key\]/$value/ig }
$line =~ s/\x7e(\w+)((\[)(\d)(\]))?/eval "\$$1$3$4$5"/e;
}
return @_;
}#ParseTextMail
sub ifcond
{
$cond = shift @_;
$res1 = shift @_;
$res2 = shift @_;
if($cond) {
return sprintf("%s", $res1);
} else {
return sprintf("%s", $res2);
}
}#ifcond
sub ParseEmail
{
my ($line, $attachment_file, $add2email, $real_name, @email);
$add2email = "";
foreach $line (@_)
{
if (($line =~ /^Subject: (.+)\n$/i) and ($mail_format eq 'html')) {
$sline = $line."Content-Type: text\/html; charset=ISO-8859-1\n";
$line =~ s/^Subject: (.+)\n$/$sline/i;
}
if ($line =~ /^Attachment: (.+)$/i)
اولا الثغره تعتمد على كشف جميع مواقع السيرفر بي امر رمز Code:
/var/cpanel/accounting.log file=/home/user/public_html/vb/includes/config.php وكشف جميع ملفات الكونفيك الجميع يسأل عن الحل وهذا مؤقتا وهو الاتى ( اكيد اصحاب السيرفرات يعرفون الشيل c99) بعد رفعك لنسخه vb لا تعطى لملف includes تصريح 777 ولا 755 بل قوم بي اعطاء الملف تصريح 662 وبعدها ارفع ملف shell او الاسكربت سوف تلحظ الاتى  هذاااااااا حل مؤقتا بدل ما كل المواقع تخترق من الاطفال واقسم بى الله جميع الى حصل هذا بسبب الشركات الى بتعطى مساحات مجانا دون ان تعرف الخطر الاكبر بعد اخذ المساحه يرفوع الشيل ويخترقو السيرفر وتكون اسهل شئ لهم
التعديل الأخير كان بواسطة scurity; 05 - 05 - 2006 الساعة 11:05
|
| العلامات المرجعية |
| أدوات الموضوع | |
| طرق العرض | |
|
|
العرض العادي
