Sablog-X v2.x Arbitrary Variable Overwrite Vulnerability
author: 80vul-B
team: http://www.80vul.com
Author: My5t3ry
Official site: http://www.qingtiandy.cn/
vulnerable: /look/template/wmv.asp
Vulnerable:
Discuz! 7.1
Discuz! 7.2
Phpwind 7.5
As long as we control $sid and $sess_data, the shell can be written in.
I. VULNERABILITY
-------------------------
Invision Power Board <= 3.0.4 Local PHP File Inclusion and SQL Injection
Invision Power Board <= 2.3.6 SQL Injection
#Trace: If anyone can get past this WAF, I would appreciate some pointers.
A remote command execution vulnerability exists in the dotDefender(3.8-5) Site Management.
#Trace: A method for an authorized user to obtain a webshell. Affected versions <= 2.8.5; depends on the server environment.
Invision Power Services IP.Board is a widely used forum available for download or as part of a fully managed hosted community package. IP.Board version 3.0.2 has been found to contain vulnerabilities in its search engine and lost password recovery engine that allow remote attackers to use blind SQL injection. Thus a remote unauthenticated attacker is able to manipulate the database and fetch sensitive information, for example admin credentials.
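Discuz Account Distribution Plugin Injection 0day
#Trace: It is actually quite good for pranks.
Discovered by: bloodsword, bink. If reposting, please ignore this.
Affected versions: <= 4.0 sp7. I did not look at earlier versions, but they can probably be compromised too.
Exploitation conditions: file upload is enabled, IIS6 environment.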
...
#Trace: JSP source code disclosure 0day
phpMyAdmin Code Injection RCE Scanner & Exploit
All the documentation you need is in the script comments. I recommend you to go through it, before you actually run the script.
After reading the public advisory and patched code, and playing around for a while, I managed to have a working PoC bash script. The script will allow you to remotely run shell commands and PHP code against vulnerable targets. Although in principle the vulnerability sounds quite simple, it actually took me a while to go from advisory to working attack code.
I’m providing the script with the hope that it will help pentesters and security researchers. Please only test the script against your own systems, or systems you have been given permission to pentest! Don’t be evil, it’s not worth it.