标题: Mybb All Versions Remote Command Execution
作者 : Nafsh
日期: 3 Oct 2012
主页:
联系方式: Nafsh.Hack@Gmail.com
#########################################################
源码下载 :
 
文件:  /inc/3rdparty/diff/Diff/Engine/shell.php
 
Bug 部分源码:  
        $fp = fopen($to_file, 'w');
        fwrite($fp, implode("\n", $to_lines));
        fclose($fp);
        $diff = shell_exec($this->_diffCommand . ' ' . $from_file . ' ' . $to_file);
        unlink($from_file);
        unlink($to_file);
证明:
 
$_GET  +  shell_exec()  =  Command Execution
 
缺陷描述:
 
An attacker might execute arbitrary system commands with this vulnerability. User tainted data is used when creating the command that will be executed on the underlying operating system. This vulnerability can lead to full server compromise.
 
缺陷示例代码:
1: exec("./crypto -mode "  .  $_GET["mode"]);
 
proof of concept :
 
/index.php?mode=1;sleep 10;
 
补丁:
 
Limit the code to a very strict character subset or build a whitelist of allowed commands. Do not try to filter for evil commands. Try to avoid the usage of system command executing functions if possible.
 
1: $modes  =  array("r",  "w",  "a");  if(!in_array($_GET["mode"],  $modes)) exit ; 
r

D3m0 : 
 
?Find It In Source=RCE
 
?Find It In Source=RCE
#########################################################
We are : K0242 | Nafsh | Ehram.shahmohamadi