عرض مشاركة واحدة
احصائياتى

الردود
0

المشاهدات
1651
هيلبرنت
.:: رفيق درب ::.
  • هيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant futureهيلبرنت has a brilliant future

  • هيلبرنت غير متواجد حالياً

المشاركات
11,551

+التقييم
321

تاريخ التسجيل
Jul 2015

الاقامة
فى الدنيا

نظام التشغيل
windows 8

رقم العضوية
18
10-11-2015, 01:27 AM
المشاركة 1
10-11-2015, 01:27 AM
المشاركة 1
افتراضي الدرس الخامس من دروس سد ثغرات المنتدى وهى ترقيع لملفات class_core.phclass_core.php و functions.phpp
كنا فى السابق شرحنا الاتى

1- الدرس الاول من دروس سد ثغرات المنتدى وهى ثغره التحويل والاهداءات

2- الدرس الثانى من دروس سد ثغرات المنتدى وهى ثغره spacer_open و spacer_close الخاصة باختراق الاستايل

3- الدرس الثالث من دروس سد ثغرات المنتدى وهى ثغره فلود التسجيل لمنع السبام

4- الدرس الرابع من دروس سد ثغرات المنتدى وهى ثغره Yahoo YUI

موعدنا اليوم لشرح ترقيع الثغرة الموجودة في 3.8.7


1 - قم بفتح ملف class_core.php
وابحث بداخله عن :


كود:
// #############################################################################
/**
* Removes the full path from being disclosed on any errors
*
* @param    integer    Error number
* @param    string    PHP error text string
* @param    strig    File that contained the error
* @param    integer    Line in the file that contained the error
*/
function vb_error_handler($errno, $errstr, $errfile, $errline)
{
    global $vbulletin;

    switch ($errno)
    {
        case E_WARNING:
        case E_USER_WARNING:
            /* Don't log warnings due to to the false bug reports about valid warnings that we suppress, but still appear in the log
            require_once(DIR . '/includes/functions_log_error.php');
            $message = "Warning: $errstr in $errfile on line $errline";
            log_vbulletin_error($message, 'php');
            */

            if (!error_reporting() OR !ini_get('display_errors'))
            {
                return;
            }
            $errfile = str_replace(DIR, '[path]', $errfile);
            $errstr = str_replace(DIR, '[path]', $errstr);
            echo "<br /><strong>Warning</strong>: $errstr in <strong>$errfile</strong> on line <strong>$errline</strong><br />";
        break;

        case E_USER_ERROR:
            require_once(DIR . '/includes/functions_log_error.php');
            $message = "Fatal error: $errstr in $errfile on line $errline";
            log_vbulletin_error($message, 'php');

            if (!headers_sent())
            {
                if (SAPI_NAME == 'cgi' OR SAPI_NAME == 'cgi-fcgi')
                {
                    header('Status: 500 Internal Server Error');
                }
                else
                {
                    header('HTTP/1.1 500 Internal Server Error');
                }
            }

            if (error_reporting() OR ini_get('display_errors'))
            {
                $errfile = str_replace(DIR, '[path]', $errfile);
                $errstr = str_replace(DIR, '[path]', $errstr);
                echo "<br /><strong>Fatal error:</strong> $errstr in <strong>$errfile</strong> on line <strong>$errline</strong><br />";
                if (function_exists('debug_print_backtrace') AND ($vbulletin->userinfo['usergroupid'] == 6 OR ($vbulletin->userinfo['permissions']['adminpermissions'] & $vbulletin->bf_ugp_adminpermissions)))
                {
                    // This is needed so IE doesn't show the pretty error messages
                    echo str_repeat(' ', 512);
                    debug_print_backtrace();
                }
            }
            exit;
        break;
    }
}


استبدله بـ :


كود:
// #############################################################################
/**
* Unicode-safe version of htmlspecialchars()
*
* @param    string    Text to be made html-safe
*
* @return    string
*/
function htmlspecialchars_uni($text, $entities = true)
{
    return str_replace(
        // replace special html characters
        array('<', '>', '"'),
        array('&lt;', '&gt;', '&quot;'),
        preg_replace(
            // translates all non-unicode entities
            '/&(?!' . ($entities ? '#[0-9]+|shy' : '(#[0-9]+|[a-z]+)') . ';)/si',
            '&amp;',
            $text
        )
    );
}


2 - قم بفتح الملف functions.php وابحث بداخله عن :

كود:
   if ($vbulletin->options['useheaderredirect'] AND !$forceredirect AND !headers_sent() AND !$vbulletin->GPC['postvars'])
    {
        exec_header_redirect($vbulletin->url);
    }

    $title = $vbulletin->options['bbtitle'];

    $pagetitle = $title;
    $errormessage = $message;

    $url = unhtmlspecialchars($vbulletin->url);
    $url = str_replace(chr(0), '', $url);
    $url = create_full_url($url);
    $url = str_replace($str_find, $str_replace, $url);
    $js_url = addslashes_js($url, '"'); // " has been replaced by &quot;

    $url = preg_replace(
        array('/&#0*59;?/', '/&#x0*3B;?/i', '#;#'),
        '%3B',
        $url
    );
    $url = preg_replace('#&amp%3B#i', '&amp;', $url);

    define('NOPMPOPUP', 1); // No footer here

    require_once(DIR . '/includes/functions_misc.php');
    $postvars = construct_hidden_var_fields(verify_client_string($vbulletin->GPC['postvars']));
    $formfile =& $url;

    ($hook = vBulletinHook::fetch_hook('redirect_generic')) ? eval($hook) : false;

    eval('print_output("' . fetch_template('STANDARD_REDIRECT') . '");');
    exit;
}



استبدله بـ :

كود:
if ($vbulletin->url)
    {
        $foundurl = false;
        if ($urlinfo = @parse_url($vbulletin->url))
        {
            if (!$urlinfo['scheme'])
            {    // url is made full in exec_header_redirect which stops a url from being redirected to, say "www.php.net" (no http://)
                $foundurl = true;
            }
            else
            {
                $whitelist = array();
                if ($vbulletin->options['redirect_whitelist'])
                {
                    $whitelist = explode("\n", trim($vbulletin->options['redirect_whitelist']));
                }
                // Add $bburl to the whitelist
                $bburlinfo = @parse_url($vbulletin->options['bburl']);
                $bburl = "{$bburlinfo['scheme']}://{$bburlinfo['host']}";
                array_unshift($whitelist, $bburl);

                // if the "realurl" of this request does not equal $bburl, add it as well..
                $realurl = VB_URL_SCHEME . '://' . VB_URL_HOST;
                if (strtolower($bburl) != strtolower($realurl))
                {
                    array_unshift($whitelist, $realurl);
                }

                $vburl = strtolower($vbulletin->url);
                foreach ($whitelist AS $url)
                {
                    $url = trim($url);
                    if ($vburl == strtolower($url) OR strpos($vburl, strtolower($url) . '/', 0) === 0)
                    {
                        $foundurl = true;
                        break;
                    }
                }
            }
        }
        
        if (!$foundurl)
        {
            eval(standard_error(fetch_error('invalid_redirect_url_x', $vbulletin->url)));
        }
    }

    if ($vbulletin->options['useheaderredirect'] AND !$forceredirect AND !headers_sent() AND !$vbulletin->GPC['postvars'])
    {
        exec_header_redirect($vbulletin->url);
    }

    $title = $vbulletin->options['bbtitle'];

    $pagetitle = $title;
    $errormessage = $message;

    $url = unhtmlspecialchars($vbulletin->url);
    $url = str_replace(chr(0), '', $url);
    $url = create_full_url($url);
    $url = str_replace($str_find, $str_replace, $url);
    $js_url = addslashes_js($url, '"'); // " has been replaced by &quot;

    $url = preg_replace(
        array('/&#0*59;?/', '/&#x0*3B;?/i', '#;#'),
        '%3B',
        $url
    );
    $url = preg_replace('#&amp%3B#i', '&amp;', $url);

    define('NOPMPOPUP', 1); // No footer here

    require_once(DIR . '/includes/functions_misc.php');
    $postvars = construct_hidden_var_fields(verify_client_string($vbulletin->GPC['postvars']));
    $formfile =& $url;

    ($hook = vBulletinHook::fetch_hook('redirect_generic')) ? eval($hook) : false;

    eval('print_output("' . fetch_template('STANDARD_REDIRECT') . '");');
    exit;
}