Disasm
27.08.2011, 01:09
Добрый день уважаемые господа.
Вот уж не думал, что возникнут такие трудности с сайтом 2001 года рождения...
Имеем сайт (кому интересно ссылку в лику), из вкусностей на сайте: скрипт голосования vote.pl (листинг исходника ниже), скрипт поиска PHPru_Search v.2.6, форум phpBB2 с отключенными форумами.
Задача: получить листинг директорий.
Господа, может у кого есть информация по уязвимостям скрипта vote.pl (листинг исходника ниже) или PHPru_Search v.2.6 - все скрипты древние как г*вно мамонта, но по моему абсолютно чистые.
Или может имеются какие-нибудь соображения по поводу phpBB2 с отключенными(!) форумами?
Листинг vote.pl (на сайте правда стоит верся 2.1.1 но исходник удалось найти только версии 2.1):
Code:
#!/usr/local/bin/perl
#############################################
############## VOTE.PL V2.1 ###############
#############################################
#(c) 13. March, 1999 A. Schnyder, Switzerland
# aschnyde@stud.phys.ethz.ch
#get the latest version of 'vote.pl' at: http://www.datacomm.ch/atair/perlscript/
#ATTENTION: 'vote.pl' needs Perl5 or higher!
require 5.000;
print "Content-type: text/html\n";
### CHANGE THE PATHNAME OF $config HERE:
$config="config.txt";
### CHANGE THE PATHNAME OF $config ABOVE.
### Declaring four subprograms.
sub printError {
$errtmp=$_[0];
print "\n\n"; #Separating header from content
print "\n";
print "
PerlScript: $errtmp\n";
exit;
}
sub ipcheck {
$thisip=$_[0];
if (!(-e $ipfile)) {if (!open(handle14, ">$ipfile")) {printError("ERROR writing $ipfile.");}close handle14;}
if (!open(handle15, "$ipfile")) {printError("ERROR reading $ipfile.");}
while() {
if (/$thisip/) {
if (!open(handle16, "$alr_voted_file")) {printError("ERROR reading $alr_voted_file.");}
print "\n\n"; #Separating header from content
while(){
print;
}
close handle16;
exit;
}
$lasttmp=$_;
}
close handle15;
if (!open(handle15, ">>$ipfile")) {printError("ERROR appending $ipfile.");}
if (length($lasttmp)>80) {print handle15 "\n";}
print handle15 "$thisip ";
close handle15;
}
sub cookie_check {
$ctmp='';
@daytmp=('Sunday','Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday','Saturday');
@monthtmp=('Jan','Feb','Mar','Apr','May','Jun','Ju l','Aug','Sep','Oct','Nov','Dec');
if ($cookie_string=~/votepl_$Query{name}=voted/) {
if (!open(handle16, "$alr_voted_file")) {printError("ERROR reading $alr_voted_file.");}
print "\n\n"; #Separating header from content
while(){
print;
}
close handle16;
exit;
}
else {
$_=$serverPath;
if (!/.*http:\/\//i) {printError("Error. $serverpath must contain the characters \'http://\'");}
$_=$';
if (/www/i) {$_=$';}
/\/.*/;
$domain=$`;
$_=$&;
while (/\/.*\//){
$ctmp.=$&;
$_=$';
}
$datetmp = time+24*3600*$key_settings{expiration};
$expiration = $daytmp[(gmtime($datetmp))[6]];
$expiration = $expiration .+ ', ' .+ (gmtime($datetmp))[3] .+ '-' .+ $monthtmp[(gmtime($datetmp))[4]] ;
$ytmp=(gmtime($datetmp))[5]+1900;
$expiration = $expiration .+ '-' .+ $ytmp .+ ' 00:00:00 GMT';
print "Set-cookie: votepl_$Query{name}=voted;expires=$expiration;doma in=$domain;path=$ctmp\n\n";
}
}
sub creating_logfile {
print "Creating a new $logfile...\n";
if (!open(handle3, ">$logfile")) {printError("ERROR writing $logfile.");}
print handle3 "Total votes:" .+ "0" .+ "\n";
$tmp_value=1;
$tmp_name=97;
while () {
if (/form+/) {if (!seek(handle,-30,1)) {printError("ERROR seeking $logfile.");} last;}
$tmp1= 'name=\"' .+ chr($tmp_name) .+ '\"';
$tmp2= 'value=\"' .+ $tmp_value .+ '\"';
if (/$tmp1/i && /$tmp2/i) {
print handle3 "0 ";
$tmp_value++
}
$tmp1= 'name=\"' .+ chr($tmp_name+1) .+ '\"';
if (/$tmp1/i && /value=\"1\"/i) {
if ($tmp_value==1) {printError("ERROR first groupname must be \"a\"\n");}
print handle3 "\n0 ";
$tmp_value=2;
$tmp_name++;
}
}
print handle3 "\n";
close handle3;
}
### Mainsequence of vote.pl.
###Initializing some variables
$tmp=0;
$set_trig=0;
$i=0;
@tot=();
###Getting http-DATA.
@QueryArray=();
@QueryKey=();
%Query=();
$QueryString=$ENV{'QUERY_STRING'};
$client_addr=$ENV{'REMOTE_ADDR'};
$cookie_string=$ENV{'HTTP_COOKIE'};
@QueryArray=split '&',$QueryString;
foreach(@QueryArray){
($key, $val) = split ('=',$_);
$Query{$key} = $val;
}
@QueryKey=keys(%Query);
if ($Query{action}=~/view/i){$view_flag=true;}
else {$view_flag=false;}
### Getting all settings from $config
### Number of settings for each voting:10
$ns=10;
@settings=();
@settemp=();
if (!open(filehandle1,$config)) {printError("ERROR reading $config\n");}
while () {
push(@settings,$_);
}
close (filehandle1);
if ($#settings) {
if (/form.*action.*$serverPath/i) {$tmp=1;last;}
print;
}
if (!$tmp) {printError("ERROR $htmlfile does not contain the specified serverpath: $serverPath.\n");}
}
##Openging $logfile and storing all data in $votes
@votes=();
if (!(-e $logfile)) {print "
PerlScript: ERROR $logfile does not exist.\n"; creating_logfile();}
if (!open(handle2,$logfile)) {printError("ERROR reading $logfile\n");}
$_=;
if (/Total votes:/){
$total=$';
$total=~ s/\n//g;}
else {
printError("ERROR reading 'Total votes' in $logfile.\n");}
@zwsp=();
while(){
push(@zwsp,$_);
}
$i=0;
foreach $logtmp (@zwsp) {
@tmp=();
@tmp=split ' ',$logtmp;
$j=0;
@votes[$i]=();
foreach $t (@tmp) {
$votes[$i][$j] =$t;
$tot[$i]+=$t;
$j++;
}
$i++;
}
close handle2;
if ($i>26) {printError("ERROR too many groups!\n");}
if ($view_flag eq "true") {goto REPLACE};
$total++;
##Treating $QueryString
foreach $curr_key (@QueryKey) {
if ((lc($curr_key) eq 'name')|| (lc($curr_key) eq 'action')) {next;}
$curr_val=$Query{$curr_key};
if ((ord($curr_key)96+$i) || ($curr_key =~ /../)) {
printError("ERROR reading querystring. Wrong groupname: $curr_key. (If you changed your voting-form, you also have to modify or
delete the logfile. For details please read the README.)");}
if (($curr_val !~ /\d/) || ($curr_val == 0) || ($curr_val =~ /..../) || ($votes[ord($curr_key)-97][$curr_val-1] eq '')) {
printError("ERROR reading querystring. Wrong name of groupelement: $curr_val. (If you changed your voting-form, you also have to modify
or delete the logfile. For details please read the README.)");}
$votes[ord($curr_key)-97][$curr_val-1]++;
$tot[ord($curr_key)-97]++;
}
##Writing $logfile
if (!open(handle3, ">$logfile")) {printError("ERROR writing $logfile\n");}
print handle3 "Total votes:" .+ $total .+ "\n";
for($k=0;$k) {
while(m/\$.{2,5}\;/g) {
if (substr($&,1,1) eq '%') {
$group_tmp=substr($&,2,1);
$val_tmp=substr($&,3,length($&)-4);
$ttmp=ord($group_tmp)-97;
if ($votes[$ttmp][$val_tmp-1] ne ''){
if ($tot[$ttmp] != 0){
$pctmp=int($votes[$ttmp][$val_tmp-1]/$tot[$ttmp]*1000+0.5)/10;}
else{
$pctmp=0;}
$match_tmp='\\'.+ $&;
s/$match_tmp/$pctmp/;
}
}
elsif (substr($&,1,length($&)-2) eq 'tot'){
s/\$tot;/$total/;
}
else {
$group_tmp=substr($&,1,1);
$val_tmp=substr($&,2,length($&)-3);
$ttmp=ord($group_tmp)-97;
if ($votes[$ttmp][$val_tmp-1] ne ''){
$match_tmp='\\'.+ $&;
s/$match_tmp/$votes[$ttmp][$val_tmp-1]/;
}
}
}
print;
}
close handle4;
##Writing the rest of $htmlfile to the screen.
if ($replace=~ /true/i){
while () {
get;
last if /form+/;
}
while () {
print;
}
close handle;
}
exit;
Вот уж не думал, что возникнут такие трудности с сайтом 2001 года рождения...
Имеем сайт (кому интересно ссылку в лику), из вкусностей на сайте: скрипт голосования vote.pl (листинг исходника ниже), скрипт поиска PHPru_Search v.2.6, форум phpBB2 с отключенными форумами.
Задача: получить листинг директорий.
Господа, может у кого есть информация по уязвимостям скрипта vote.pl (листинг исходника ниже) или PHPru_Search v.2.6 - все скрипты древние как г*вно мамонта, но по моему абсолютно чистые.
Или может имеются какие-нибудь соображения по поводу phpBB2 с отключенными(!) форумами?
Листинг vote.pl (на сайте правда стоит верся 2.1.1 но исходник удалось найти только версии 2.1):
Code:
#!/usr/local/bin/perl
#############################################
############## VOTE.PL V2.1 ###############
#############################################
#(c) 13. March, 1999 A. Schnyder, Switzerland
# aschnyde@stud.phys.ethz.ch
#get the latest version of 'vote.pl' at: http://www.datacomm.ch/atair/perlscript/
#ATTENTION: 'vote.pl' needs Perl5 or higher!
require 5.000;
print "Content-type: text/html\n";
### CHANGE THE PATHNAME OF $config HERE:
$config="config.txt";
### CHANGE THE PATHNAME OF $config ABOVE.
### Declaring four subprograms.
sub printError {
$errtmp=$_[0];
print "\n\n"; #Separating header from content
print "\n";
print "
PerlScript: $errtmp\n";
exit;
}
sub ipcheck {
$thisip=$_[0];
if (!(-e $ipfile)) {if (!open(handle14, ">$ipfile")) {printError("ERROR writing $ipfile.");}close handle14;}
if (!open(handle15, "$ipfile")) {printError("ERROR reading $ipfile.");}
while() {
if (/$thisip/) {
if (!open(handle16, "$alr_voted_file")) {printError("ERROR reading $alr_voted_file.");}
print "\n\n"; #Separating header from content
while(){
print;
}
close handle16;
exit;
}
$lasttmp=$_;
}
close handle15;
if (!open(handle15, ">>$ipfile")) {printError("ERROR appending $ipfile.");}
if (length($lasttmp)>80) {print handle15 "\n";}
print handle15 "$thisip ";
close handle15;
}
sub cookie_check {
$ctmp='';
@daytmp=('Sunday','Monday', 'Tuesday', 'Wednesday', 'Thursday', 'Friday','Saturday');
@monthtmp=('Jan','Feb','Mar','Apr','May','Jun','Ju l','Aug','Sep','Oct','Nov','Dec');
if ($cookie_string=~/votepl_$Query{name}=voted/) {
if (!open(handle16, "$alr_voted_file")) {printError("ERROR reading $alr_voted_file.");}
print "\n\n"; #Separating header from content
while(){
print;
}
close handle16;
exit;
}
else {
$_=$serverPath;
if (!/.*http:\/\//i) {printError("Error. $serverpath must contain the characters \'http://\'");}
$_=$';
if (/www/i) {$_=$';}
/\/.*/;
$domain=$`;
$_=$&;
while (/\/.*\//){
$ctmp.=$&;
$_=$';
}
$datetmp = time+24*3600*$key_settings{expiration};
$expiration = $daytmp[(gmtime($datetmp))[6]];
$expiration = $expiration .+ ', ' .+ (gmtime($datetmp))[3] .+ '-' .+ $monthtmp[(gmtime($datetmp))[4]] ;
$ytmp=(gmtime($datetmp))[5]+1900;
$expiration = $expiration .+ '-' .+ $ytmp .+ ' 00:00:00 GMT';
print "Set-cookie: votepl_$Query{name}=voted;expires=$expiration;doma in=$domain;path=$ctmp\n\n";
}
}
sub creating_logfile {
print "Creating a new $logfile...\n";
if (!open(handle3, ">$logfile")) {printError("ERROR writing $logfile.");}
print handle3 "Total votes:" .+ "0" .+ "\n";
$tmp_value=1;
$tmp_name=97;
while () {
if (/form+/) {if (!seek(handle,-30,1)) {printError("ERROR seeking $logfile.");} last;}
$tmp1= 'name=\"' .+ chr($tmp_name) .+ '\"';
$tmp2= 'value=\"' .+ $tmp_value .+ '\"';
if (/$tmp1/i && /$tmp2/i) {
print handle3 "0 ";
$tmp_value++
}
$tmp1= 'name=\"' .+ chr($tmp_name+1) .+ '\"';
if (/$tmp1/i && /value=\"1\"/i) {
if ($tmp_value==1) {printError("ERROR first groupname must be \"a\"\n");}
print handle3 "\n0 ";
$tmp_value=2;
$tmp_name++;
}
}
print handle3 "\n";
close handle3;
}
### Mainsequence of vote.pl.
###Initializing some variables
$tmp=0;
$set_trig=0;
$i=0;
@tot=();
###Getting http-DATA.
@QueryArray=();
@QueryKey=();
%Query=();
$QueryString=$ENV{'QUERY_STRING'};
$client_addr=$ENV{'REMOTE_ADDR'};
$cookie_string=$ENV{'HTTP_COOKIE'};
@QueryArray=split '&',$QueryString;
foreach(@QueryArray){
($key, $val) = split ('=',$_);
$Query{$key} = $val;
}
@QueryKey=keys(%Query);
if ($Query{action}=~/view/i){$view_flag=true;}
else {$view_flag=false;}
### Getting all settings from $config
### Number of settings for each voting:10
$ns=10;
@settings=();
@settemp=();
if (!open(filehandle1,$config)) {printError("ERROR reading $config\n");}
while () {
push(@settings,$_);
}
close (filehandle1);
if ($#settings) {
if (/form.*action.*$serverPath/i) {$tmp=1;last;}
print;
}
if (!$tmp) {printError("ERROR $htmlfile does not contain the specified serverpath: $serverPath.\n");}
}
##Openging $logfile and storing all data in $votes
@votes=();
if (!(-e $logfile)) {print "
PerlScript: ERROR $logfile does not exist.\n"; creating_logfile();}
if (!open(handle2,$logfile)) {printError("ERROR reading $logfile\n");}
$_=;
if (/Total votes:/){
$total=$';
$total=~ s/\n//g;}
else {
printError("ERROR reading 'Total votes' in $logfile.\n");}
@zwsp=();
while(){
push(@zwsp,$_);
}
$i=0;
foreach $logtmp (@zwsp) {
@tmp=();
@tmp=split ' ',$logtmp;
$j=0;
@votes[$i]=();
foreach $t (@tmp) {
$votes[$i][$j] =$t;
$tot[$i]+=$t;
$j++;
}
$i++;
}
close handle2;
if ($i>26) {printError("ERROR too many groups!\n");}
if ($view_flag eq "true") {goto REPLACE};
$total++;
##Treating $QueryString
foreach $curr_key (@QueryKey) {
if ((lc($curr_key) eq 'name')|| (lc($curr_key) eq 'action')) {next;}
$curr_val=$Query{$curr_key};
if ((ord($curr_key)96+$i) || ($curr_key =~ /../)) {
printError("ERROR reading querystring. Wrong groupname: $curr_key. (If you changed your voting-form, you also have to modify or
delete the logfile. For details please read the README.)");}
if (($curr_val !~ /\d/) || ($curr_val == 0) || ($curr_val =~ /..../) || ($votes[ord($curr_key)-97][$curr_val-1] eq '')) {
printError("ERROR reading querystring. Wrong name of groupelement: $curr_val. (If you changed your voting-form, you also have to modify
or delete the logfile. For details please read the README.)");}
$votes[ord($curr_key)-97][$curr_val-1]++;
$tot[ord($curr_key)-97]++;
}
##Writing $logfile
if (!open(handle3, ">$logfile")) {printError("ERROR writing $logfile\n");}
print handle3 "Total votes:" .+ $total .+ "\n";
for($k=0;$k) {
while(m/\$.{2,5}\;/g) {
if (substr($&,1,1) eq '%') {
$group_tmp=substr($&,2,1);
$val_tmp=substr($&,3,length($&)-4);
$ttmp=ord($group_tmp)-97;
if ($votes[$ttmp][$val_tmp-1] ne ''){
if ($tot[$ttmp] != 0){
$pctmp=int($votes[$ttmp][$val_tmp-1]/$tot[$ttmp]*1000+0.5)/10;}
else{
$pctmp=0;}
$match_tmp='\\'.+ $&;
s/$match_tmp/$pctmp/;
}
}
elsif (substr($&,1,length($&)-2) eq 'tot'){
s/\$tot;/$total/;
}
else {
$group_tmp=substr($&,1,1);
$val_tmp=substr($&,2,length($&)-3);
$ttmp=ord($group_tmp)-97;
if ($votes[$ttmp][$val_tmp-1] ne ''){
$match_tmp='\\'.+ $&;
s/$match_tmp/$votes[$ttmp][$val_tmp-1]/;
}
}
}
print;
}
close handle4;
##Writing the rest of $htmlfile to the screen.
if ($replace=~ /true/i){
while () {
get;
last if /form+/;
}
while () {
print;
}
close handle;
}
exit;