Web安全实践（9）攻击apache

　2008-11-12 13:33:17　来源：WEB开发网　　　

核心提示： "MG2是在国外非常流行的一个PHP+HTML的图片管理程序，由于商业版被破解，Web安全实践（9）攻击apache(3)，程序流传甚广，在google搜索关键字为"owered by MG2 v0.5.1"最新版本存在着文件写入漏洞

"MG2是在国外非常流行的一个PHP+HTML的图片管理程序，由于商业版被破解，程序流传甚广，

在google搜索关键字为"owered by MG2 v0.5.1"

最新版本存在着文件写入漏洞，可配和Apache漏洞直接得shell

includes/mg2_functions.php中addcomment()函数如下 function addcomment() { $_REQUEST['filename'] = $this->charfix($_REQUEST['filename']); $_REQUEST['input'] = $this->charfix($_REQUEST['input']); $_REQUEST['email'] = $this->charfix($_REQUEST['email']); $_REQUEST['name'] = $this->charfix($_REQUEST['name']); $_REQUEST['input'] = strip_tags($_REQUEST['input'], ""); $_REQUEST['input'] = str_replace("n","",$_REQUEST['input']); $_REQUEST['input'] = str_replace("r","",$_REQUEST['input']); if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") { $this->readcomments("pictures/" . $_REQUEST['filename'] . ".comment"); $comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0); $comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0); $comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0); if (count($comment_exists) == 0) { $this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']); $this->writecomments($_REQUEST['filename'] . ".comment"); ........