المساعد الشخصي الرقمي

مشاهدة النسخة كاملة : الدرس الخامس من دروس سد ثغرات المنتدى وهى ترقيع لملفات class_core.phclass_core.php و functions.phpp


هيلبرنت
10-11-2015, 01:27 AM
كنا فى السابق شرحنا الاتى

1- الدرس الاول من دروس سد ثغرات المنتدى وهى ثغره التحويل والاهداءات (http://www.helpernt.com/vb/t1738/)

2- الدرس الثانى من دروس سد ثغرات المنتدى وهى ثغره spacer_open و spacer_close الخاصة باختراق الاستايل (http://www.helpernt.com/vb/t1739)

3- الدرس الثالث من دروس سد ثغرات المنتدى وهى ثغره فلود التسجيل لمنع السبام (http://www.helpernt.com/vb/t1740)

4- الدرس الرابع من دروس سد ثغرات المنتدى وهى ثغره Yahoo YUI (http://www.helpernt.com/vb/t1741)

موعدنا اليوم لشرح ترقيع الثغرة الموجودة في 3.8.7


1 - قم بفتح ملف class_core.php
وابحث بداخله عن :


// ################################################## ###########################
/**
* Removes the full path from being disclosed on any errors
*
* @param integer Error number
* @param string PHP error text string
* @param strig File that contained the error
* @param integer Line in the file that contained the error
*/
function vb_error_handler($errno, $errstr, $errfile, $errline)
{
global $vbulletin;

switch ($errno)
{
case E_WARNING:
case E_USER_WARNING:
/* Don't log warnings due to to the false bug reports about valid warnings that we suppress, but still appear in the log
require_once(DIR . '/includes/functions_log_error.php');
$message = "Warning: $errstr in $errfile on line $errline";
log_vbulletin_error($message, 'php');
*/

if (!error_reporting() OR !ini_get('display_errors'))
{
return;
}
$errfile = str_replace(DIR, '[path]', $errfile);
$errstr = str_replace(DIR, '[path]', $errstr);
echo "<br /><strong>Warning</strong>: $errstr in <strong>$errfile</strong> on line <strong>$errline</strong><br />";
break;

case E_USER_ERROR:
require_once(DIR . '/includes/functions_log_error.php');
$message = "Fatal error: $errstr in $errfile on line $errline";
log_vbulletin_error($message, 'php');

if (!headers_sent())
{
if (SAPI_NAME == 'cgi' OR SAPI_NAME == 'cgi-fcgi')
{
header('Status: 500 Internal Server Error');
}
else
{
header('HTTP/1.1 500 Internal Server Error');
}
}

if (error_reporting() OR ini_get('display_errors'))
{
$errfile = str_replace(DIR, '[path]', $errfile);
$errstr = str_replace(DIR, '[path]', $errstr);
echo "<br /><strong>Fatal error:</strong> $errstr in <strong>$errfile</strong> on line <strong>$errline</strong><br />";
if (function_exists('debug_print_backtrace') AND ($vbulletin->userinfo['usergroupid'] == 6 OR ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions)))
{
// This is needed so IE doesn't show the pretty error messages
echo str_repeat(' ', 512);
debug_print_backtrace();
}
}
exit;
break;
}
}


استبدله بـ :


// ################################################## ###########################
/**
* Unicode-safe version of htmlspecialchars()
*
* @param string Text to be made html-safe
*
* @return string
*/
function htmlspecialchars_uni($text, $entities = true)
{
return str_replace(
// replace special html characters
array('<', '>', '"'),
array('&lt;', '&gt;', '&quot;'),
preg_replace(
// translates all non-unicode entities
'/&(?!' . ($entities ? '#[0-9]+|shy' : '(#[0-9]+|[a-z]+)') . ';)/si',
'&amp;',
$text
)
);
}


2 - قم بفتح الملف functions.php وابحث بداخله عن :

if ($vbulletin->options['useheaderredirect'] AND !$forceredirect AND !headers_sent() AND !$vbulletin->GPC['postvars'])
{
exec_header_redirect($vbulletin->url);
}

$title = $vbulletin->options['bbtitle'];

$pagetitle = $title;
$errormessage = $message;

$url = unhtmlspecialchars($vbulletin->url);
$url = str_replace(chr(0), '', $url);
$url = create_full_url($url);
$url = str_replace($str_find, $str_replace, $url);
$js_url = addslashes_js($url, '"'); // " has been replaced by &quot;

$url = preg_replace(
array('/&#0*59;?/', '/&#x0*3B;?/i', '#;#'),
'%3B',
$url
);
$url = preg_replace('#&amp%3B#i', '&amp;', $url);

define('NOPMPOPUP', 1); // No footer here

require_once(DIR . '/includes/functions_misc.php');
$postvars = construct_hidden_var_fields(verify_client_string($ vbulletin->GPC['postvars']));
$formfile =& $url;

($hook = vBulletinHook::fetch_hook('redirect_generic')) ? eval($hook) : false;

eval('print_output("' . fetch_template('STANDARD_REDIRECT') . '");');
exit;
}



استبدله بـ :

if ($vbulletin->url)
{
$foundurl = false;
if ($urlinfo = @parse_url($vbulletin->url))
{
if (!$urlinfo['scheme'])
{ // url is made full in exec_header_redirect which stops a url from being redirected to, say "www.php.net" (no http://)
$foundurl = true;
}
else
{
$whitelist = array();
if ($vbulletin->options['redirect_whitelist'])
{
$whitelist = explode("\n", trim($vbulletin->options['redirect_whitelist']));
}
// Add $bburl to the whitelist
$bburlinfo = @parse_url($vbulletin->options['bburl']);
$bburl = "{$bburlinfo['scheme']}://{$bburlinfo['host']}";
array_unshift($whitelist, $bburl);

// if the "realurl" of this request does not equal $bburl, add it as well..
$realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;
if (strtolower($bburl) != strtolower($realurl))
{
array_unshift($whitelist, $realurl);
}

$vburl = strtolower($vbulletin->url);
foreach ($whitelist AS $url)
{
$url = trim($url);
if ($vburl == strtolower($url) OR strpos($vburl, strtolower($url) . '/', 0) === 0)
{
$foundurl = true;
break;
}
}
}
}

if (!$foundurl)
{
eval(standard_error(fetch_error('invalid_redirect_ url_x', $vbulletin->url)));
}
}

if ($vbulletin->options['useheaderredirect'] AND !$forceredirect AND !headers_sent() AND !$vbulletin->GPC['postvars'])
{
exec_header_redirect($vbulletin->url);
}

$title = $vbulletin->options['bbtitle'];

$pagetitle = $title;
$errormessage = $message;

$url = unhtmlspecialchars($vbulletin->url);
$url = str_replace(chr(0), '', $url);
$url = create_full_url($url);
$url = str_replace($str_find, $str_replace, $url);
$js_url = addslashes_js($url, '"'); // " has been replaced by &quot;

$url = preg_replace(
array('/&#0*59;?/', '/&#x0*3B;?/i', '#;#'),
'%3B',
$url
);
$url = preg_replace('#&amp%3B#i', '&amp;', $url);

define('NOPMPOPUP', 1); // No footer here

require_once(DIR . '/includes/functions_misc.php');
$postvars = construct_hidden_var_fields(verify_client_string($ vbulletin->GPC['postvars']));
$formfile =& $url;

($hook = vBulletinHook::fetch_hook('redirect_generic')) ? eval($hook) : false;

eval('print_output("' . fetch_template('STANDARD_REDIRECT') . '");');
exit;
}