Arbitrary/Remote Code Execution in CMS-ul baietilor de la softhost.ro |

Most Commented

Loading....

Apocalipsa dupa Nemessis in (166 Visits)
Ce servicii de mail folositi? in (86 Visits)
This is the end in (85 Visits)
Hackersblog.org is now blog.rstcenter.com in (58 Visits)
Raportare vulnerabilitati in (58 Visits)
News in (55 Visits)
La multi ani România, la multi ani românilor in (55 Visits)
Un nou membru in (54 Visits)
De reţinut in (54 Visits)
So... lol in (51 Visits)
Mi s-a furat id-ul de messenger/adresa e-mail. Ce sa fac? in (778 Visits)
SMS scam (1) in (97 Visits)
Hi5.com coders read this in (94 Visits)
Dezinformare sau proasta informare? in (78 Visits)
Si tentativele de phishing pot fi amuzante in (76 Visits)
Phishing Bancpost in (74 Visits)
Phishing Raiffeisen cu atasament html in (71 Visits)
[Utilitare] Suna gratis de pe internet sau de pe iPhone in (228 Visits)
Ce nu se invata la scoala - Tipuri si tehnici spam/Hi5 (4) in (188 Visits)
Ce nu se invata la scoala - (D)DOS (5) in (164 Visits)
Cum sa iti protejezi adresa e-mail si datele confidentiale din aceasta in (162 Visits)
Despre CSRF, hi5.com, cum sa trisezi la concursuri s.a.m.d. in (154 Visits)
Virusi in clipuri video [how to] in (148 Visits)
Ce nu se invata la scoala - Tipuri si tehnici spam (1) in (130 Visits)
Ce nu se invata la scoala - Tipuri si tehnici spam/mail (2) in (127 Visits)
Ca musca in... in (87 Visits)
Internet vs. privacy (1) in (60 Visits)
Simpatie.ro, matrimoniale3x.ro, apetisant.ro, deliciu.ro , etc Sql injection in (735 Visits)
usa.kaspersky.com hacked ... full database acces , sql injection in (544 Visits)
RedTube.com ... The Free Sex Video Community in (185 Visits)
Yahoo! epic fail - permanent xss unleashed in (155 Visits)
In atentia BitDefender.com, SQL Injection in (149 Visits)
Telegraph.co.uk hacked, sql injection in (138 Visits)
No comment - o2.co.uk (forum) in (136 Visits)
Facebook hacked - sql injection in (131 Visits)
eJobs.ro si peste 1.300.000 de conturi cu date personale in (130 Visits)
F-Secure.com - SQL Injection + Cross Site Scripting in (124 Visits)
Hacker Uses XSS and Google Street View Data to Determine Physical Location in (97 Visits)
Wannabe Hackers [1] - Cum sa hack-uiesti RapidShare-ul in (94 Visits)
Wannabe Hackers [2] - cum sa faci un virus by sppy_hacker in (71 Visits)
Digital Photocopiers Loaded With Secrets in (63 Visits)
[Video] The History Of Hacking in (47 Visits)
Christopher "moot" Poole: The case for anonymity online in (45 Visits)
OWASP Phishing demo in (34 Visits)
Owasp5005 Part1 - New zero-day browser exploits - ClickJacking in (33 Visits)
Email Security - Why You Should Encrypt Your Email - Part One in (32 Visits)
Hope 2603 – Kevin Mitnick - Life a Computer Hacker – Revealed in (31 Visits)
Se poate sparge parola de Yahoo? in (753 Visits)
Forumul Andreei Balan spart in (309 Visits)
phpBB.ro hacked in (291 Visits)
Camera de supraveghere a universitatii Alexandru Ioan Cuza din Iasi in (153 Visits)
Experiment social in (145 Visits)
Experiment social II - andimoisescu.ro in (136 Visits)
Doua cu Netbridge si una cu Hi5 in (115 Visits)
Cand dorinta de afirmare depaseste granitele bunului simt - PaxNwo un leecher ordinar in (110 Visits)
Site-ul Inspectoratului General al Politiei Romane (igpr.ro) a fost spart in (108 Visits)
Ce nu se invata la scoala – Vendetta (6) in (107 Visits)

Top Users

Archives

Loading....

Arbitrary/Remote Code Execution in CMS-ul baietilor de la softhost.ro

Posted by Shocker in English News

Posted on December 10th, 2008

Nu credeam ca o sa mai gasesc asa ceva in scripturile “moderne” (desi recunosc ca imi doream asta), dar se pare ca m-am inselat. Cum ziceam, am gasit o vulnerabilitate foarte grava intr-un CMS care pare sa fie facut de cei de la softhost.ro , CMS folosit de multe site-uri (pe care, evident, tot ei le-au facut)
(“softhost.ro este o companie romaneasca ce dezvolta aplicatii software web-based si care ofera solutii de gazduire profesionale.”)

Cateva site-uri care folosesc in momentul de fata CMS-ul vulnerabil:

http://www.avocatnet.ro/

http://www.taxeimpozite.ro/

http://www.legalromania.com/

http://www.contractdemunca.ro/

http://www.infosrl.ro/

http://www.modeldecontract.ro/

http://www.lifeforlife.ro/

In ce consta vulnerabilitatea mai exact? Se poate executa cod PHP arbitrar. Proof of concept:
La accesarea link-ului: http://www.infosrl.ro/societate-comerciala/articol/id_71 totul e ok, se deschide articolul cu ID-ul 71:

La http://www.infosrl.ro/societate-comerciala/articol/id_71' deja apar php errors de prin softHostWS.php, zicand ceva de eval(). … hm… ceva nu e in ordine … CHIAR E EVAL(ceva . USER INPUT . altceva)?! Din pacate, da.

Sa vedem, reusim sa bagam o bucata de cod PHP incat sa formam un request valid? Sa incercam sa deschidem articolul cu ID-ul 713:
http://www.infosrl.ro/societate-comerciala/articol/id_71'.chr(51).'
chr(51) returneaza caracterul 3, concatenat cu restul string-ului formeaza 713, iar articolul rezultat e chiar articolul 713.

( se vede clar ca amandoua link-uri duc la acelasi articol => q.e.d. )

Sa vedem putin cum arata si softHostWS.php:

Da, chiar era eval(blabla). Si da, asta e phpshell pe hostul site-ului vulnerabil, obtinut, evident, dupa descoperirea&exploatarea vulnerabilitatii.

February 3, 2009 -- Compromiterea serverului portal.edu.ro prin LFI

One Response to “Arbitrary/Remote Code Execution in CMS-ul baietilor de la softhost.ro”

zer0 Says:
December 14th, 2008 at 5:04 pm
Frumos … offcomment: Cum se cheama tema de la windowsul tau ?

Subscribe to our Feed

N/A Subscribers (Feedburner)

Entries RSS

Comments RSS

Related Posts

One Response to “Arbitrary/Remote Code Execution in CMS-ul baietilor de la softhost.ro”

Leave a Reply